Atlassian warns users of 'critical flaws' in its products

Australian software company, Atlassian, which is already caught in the middle of an ongoing cloud services outage, has warned users of some of the critical flaws that have been present in products. According to the company, some of its key products such as Bamboo, Bitbucket, Confluence, Fisheye, Crucible and Jira, are ‘critically flawed’, threatening their users’ security.

One of the flaws ‘CVE-2022-26136’, the company spoke about, is "Servlet Filter dispatcher vulnerabilities". That means an attacker could send a specially crafted HTTP request to bypass custom Servlet Filters used by third-party apps to enforce authentication. CVE is short for common vulnerabilities and exposures, is a list of publicly disclosed computer security flaws.

The worrying part is, the flaw allows a remote, unauthenticated attacker to bypass authentication used by third-party apps. Unfortunately, Atlassian doesn't have a definitive list of apps that could be impacted by this flaw.

"We released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability," the company said in a statement.

The same CVE (CVE-2022-26137) can also be exploited in a cross-site scripting attack, said the company, highlighting the second flaw. It is a cross-origin resource sharing (CORS) bypass. According to Atlassian researchers, sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass.

"An attacker that can trick a user into requesting a malicious URL can execute arbitrary JavaScript in the user's browser," Atlassian researchers explained.

News of the vulnerabilities comes only weeks after Atlassian's admission of another critical flaw in Confluence that was under active attack. The company stated that Confluence users have another flaw to worry about – the CVE-2022-26138 that reveals that one of its Confluence apps has a hard-coded password in place to help migrations to the cloud.

For example, a remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. However, if that “password falls into the wrong hands, a Confluence implementation is an open book”, researchers explained.

Most of these flaws are present in age-old versions of Atlassian products. Fixes have been issued and require upgrades. The company also said, cloud versions of the products hosted by Atlassian have already been fixed. However, there’s no guarantee that the new versions will not attract the attention of malicious actors.

Security experts believe that CVE-2022-26136 probably represents a substantial opportunity to probe into long-forgotten integrations in the Atlassian products if the company has to retain its huge enterprise customer base globally.