July 21, 2022 (updated 5 August 2022, 6:34am)

Atlassian issues security warning after finding more critical vulnerabilities

The software vendor has more security issues to solve, with a pair of vulnerabilities hitting its biggest products.

By Ryan Morrison

Two critical flaws affecting major Atlassian products could put customer security at risk, the software company has warned. This is the second major vulnerability Atlassian has discovered in six weeks and the vendor says it “cannot guarantee it won’t have to issue advisories in the near future” as it attempts to get to the root of the problems.

This is the second security vulnerability confirmed by Atlassian in six weeks and the firm cannot guarantee there won’t be more. (Photo courtesy of Atlassian)

Published in the firm’s July security advisory, the pair of “Servlet Filter dispatcher vulnerabilities” allow attackers to use crafted HTTP requests to bypass, manipulate or invoke Servlet Filters, which can be used to authenticate users.

Atlassian produces productivity tools for businesses, and says it has 180,000 customers around the world, with more than 10 million monthly active users. It also claims that 83% of Fortune 500 companies use at least one of its products.

Atlassian vulnerabilities: how do they affect systems?

Software affected by the newly discovered vulnerabilities includes Bamboo, Bitbucket, Confluence, Fisheye, Crucible and Jira, and Atlassian says more of its products could also be impacted as it has yet to map the full consequences of the problems.

It has issued fixes to cloud services where its software is deployed, and updates are available for older versions of its products impacted by the flaws.

“Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability,” it said in a statement.

The first of the flaws, CVE-2022-26136, allows an attacker to send a crafted HTTP request that bypasses custom Servlet Filters. Atlassian explained in its note: “The impact depends on which filters are used by each app, and how the filters are used.”


The same flaw can also be used for cross-site scripting: a crafted HTTP request can trick a user who believes they are requesting a legitimate Atlassian service into requesting a malicious URL, which then executes arbitrary JavaScript in their browser.

The other vulnerability, known as CVE-2022-26137, is also found in multiple Atlassian products and allows remote, unauthenticated attackers to cause additional Servlet Filters to be invoked whenever the application processes a request or response. “An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim’s permissions,” the company said.

Atlassian says it has confirmed and fixed the known security issues associated with these vulnerabilities, but couldn’t determine a full list of affected apps.

Atlassian vulnerabilities: more advisories could be on the way

Atlassian considers the vulnerabilities severe because they affect the code included with each product, so systems are still impacted even if they don’t have any third-party apps installed. The company says it can’t confirm if a system has been compromised so customers will need to look to their own security teams to conduct further investigations.

For businesses using Atlassian products, the vendor “recommends checking the integrity of the application filesystem, for example, comparison of artefacts in their current state with recent back-ups to see if there are any unexpected differences.

“All security compromises are different, and there is a risk that an attacker could hide their footprint and change important files – such as syslogs, audit logs, access logs etc. – depending on the component that has been compromised,” it says.
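One way to carry out the filesystem comparison Atlassian recommends, as an added example that is not Atlassian's own tooling: hash every file in the live install tree and in a recent backup, then report what was added, removed or modified. The directory layout, file names and contents below are constructed for the demo; the `ignore` prefixes are an assumption about which paths (such as logs) legitimately change between a backup and now.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    # Stream the file so large artefacts (jars, bundled archives) are not loaded into memory
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: Path, ignore: tuple[str, ...] = ()) -> dict[str, str]:
    """Map each regular file under root (POSIX relative path) to its SHA-256,
    skipping any path that starts with one of the `ignore` prefixes."""
    out = {}
    for p in root.rglob("*"):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and not rel.startswith(ignore):
            out[rel] = sha256_of(p)
    return out

def diff_trees(current: Path, backup: Path, ignore: tuple[str, ...] = ()) -> dict[str, list[str]]:
    """Classify every path as added, removed or modified relative to the backup."""
    cur, bak = snapshot(current, ignore), snapshot(backup, ignore)
    return {
        "added": sorted(set(cur) - set(bak)),
        "removed": sorted(set(bak) - set(cur)),
        "modified": sorted(k for k in cur.keys() & bak.keys() if cur[k] != bak[k]),
    }

def demo() -> dict[str, list[str]]:
    """Constructed fixture: a backup tree and a live tree with three deviations."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, current = Path(tmp, "backup"), Path(tmp, "current")
        baseline = {
            "WEB-INF/web.xml": "<web-app/>",
            "WEB-INF/lib/app.jar": "jar-bytes",
            "logs/access.log": "GET / 200",
        }
        for rel, body in baseline.items():
            for root in (backup, current):
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_text(body)
        # Constructed deviations in the live tree: edited descriptor, unknown jar, rotated log
        (current / "WEB-INF/web.xml").write_text("<web-app><filter/></web-app>")
        (current / "WEB-INF/lib/unknown.jar").write_text("not in backup")
        (current / "logs/access.log").unlink()
        # Logs churn between a backup and now (and may be tampered with), so compare them separately
        return diff_trees(current, backup, ignore=("logs/",))
```

Running `demo()` reports the unknown jar as added and `web.xml` as modified while the rotated log is excluded; for a real check, point `diff_trees` at the live install directory and the restored backup, and review log directories against an off-host copy rather than the local files.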

Atlassian adds that it continues to investigate the problems but “cannot guarantee that there will be no further advisories in the near future”.

This latest security update comes just weeks after another critical flaw within Confluence, Atlassian’s secure collaboration software, was revealed. Powerful botnet Dark IoT was among those taking advantage of the problem. A similar flaw was also discovered – and patched – last year.


