===================================================================
CERT-Renater Note d'Information No. 2022/VULN263
_____________________________________________________________________
DATE : 03/08/2022
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Bamboo Server and Data Center,
  Bitbucket Server and Data Center, Confluence Server and Data Center,
  Crowd Server and Data Center, Crucible, Fisheye, Jira Server and Data
  Center, Jira Service Management Server and Data Center
====================================================================

https://confluence.atlassian.com/security/multiple-products-security-advisory-cve-2022-26136-cve-2022-26137-1141493031.html
_____________________________________________________________________

Summary of Vulnerabilities

Servlet Filter Overview

A Servlet Filter is Java code that intercepts and processes HTTP requests before a client request is sent to a back end resource. Filters are also used to intercept and process HTTP responses from a back end resource before they are sent to a client. Some Servlet Filters provide security mechanisms such as logging, auditing, authentication, or authorization.

Arbitrary Servlet Filter Bypass (CVE-2022-26136)

A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. Atlassian has not exhaustively enumerated all potential consequences of this vulnerability, and has only confirmed the attacks listed below. Please note that Atlassian has released updates that fix the root cause for all products affected by this vulnerability, including any first or third party apps installed on each product.

Authentication bypass. Sending a specially crafted HTTP request can bypass custom Servlet Filters used by third party apps to enforce authentication.
A remote, unauthenticated attacker can exploit this to bypass authentication used by third party apps. Please note Atlassian has confirmed this attack is possible, but has not determined a list of all affected apps.

Cross-site scripting (XSS). Sending a specially crafted HTTP request can bypass the Servlet Filter used to validate legitimate Atlassian Gadgets, which can result in cross-site scripting (XSS). An attacker that can trick a user into requesting a malicious URL can execute arbitrary JavaScript in the user's browser.

Additional Servlet Filter Invocation (CVE-2022-26137)

A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability:

Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim's permissions.

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is our assessment and you should evaluate its applicability to your own IT environment.

Affected Versions

  Bamboo Server and Data Center
    - Versions < 7.2.9
    - 8.0.x < 8.0.9
    - 8.1.x < 8.1.8
    - 8.2.x < 8.2.4
    Warning: 7.2.9 is not affected, but it contains an unrelated non-security bug. Refer to the fixed versions section below for more information.
  Bitbucket Server and Data Center
    - Versions < 7.6.16
    - All versions 7.7.x through 7.16.x
    - 7.17.x < 7.17.8
    - All versions 7.18.x
    - 7.19.x < 7.19.5
    - 7.20.x < 7.20.2
    - 7.21.x < 7.21.2
    - 8.0.0
    - 8.1.0

  Confluence Server and Data Center
    - Versions < 7.4.17
    - All versions 7.5.x through 7.12.x
    - 7.13.x < 7.13.7
    - 7.14.x < 7.14.3
    - 7.15.x < 7.15.2
    - 7.16.x < 7.16.4
    - 7.17.x < 7.17.4
    - 7.18.0

  Crowd Server and Data Center
    - Versions < 4.3.8
    - 4.4.x < 4.4.2
    - 5.0.0

  Crucible
    - Versions < 4.8.10

  Fisheye
    - Versions < 4.8.10

  Jira Server and Data Center
    - Versions < 8.13.22
    - All versions 8.14.x through 8.19.x
    - 8.20.x < 8.20.10
    - All versions 8.21.x
    - 8.22.x < 8.22.4
    Warning: 8.22.4 is not affected, but it contains an unrelated non-security bug. Refer to the fixed versions section below for more information.

  Jira Service Management Server and Data Center
    - Versions < 4.13.22
    - All versions 4.14.x through 4.19.x
    - 4.20.x < 4.20.10
    - All versions 4.21.x
    - 4.22.x < 4.22.4

Fixed Versions

  Bamboo Server and Data Center
    - 7.2.x >= 7.2.9
      Warning: 7.2.9 contains a high impact non-security bug. Atlassian recommends updating to the latest version (currently 7.2.10).
    - 8.0.x >= 8.0.9
    - 8.1.x >= 8.1.8
    - 8.2.x >= 8.2.4
    - Versions >= 9.0.0

  Bitbucket Server and Data Center
    - 7.6.x >= 7.6.16 (LTS)
    - 7.17.x >= 7.17.8 (LTS)
    - 7.19.x >= 7.19.5
    - 7.20.x >= 7.20.2
    - 7.21.x >= 7.21.2 (LTS)
    - 8.0.x >= 8.0.1
    - 8.1.x >= 8.1.1
    - Versions >= 8.2.0

  Confluence Server and Data Center
    - 7.4.x >= 7.4.17 (LTS)
    - 7.13.x >= 7.13.7 (LTS)
    - 7.14.x >= 7.14.3
    - 7.15.x >= 7.15.2
    - 7.16.x >= 7.16.4
    - 7.17.x >= 7.17.4
    - 7.18.x >= 7.18.1

  Crowd Server and Data Center
    - 4.3.x >= 4.3.8
    - 4.4.x >= 4.4.2
    - Versions >= 5.0.1

  Crucible
    - Versions >= 4.8.10

  Fisheye
    - Versions >= 4.8.10

  Jira Server and Data Center
    - 8.13.x >= 8.13.22 (LTS)
    - 8.20.x >= 8.20.10 (LTS)
    - 8.22.x >= 8.22.4
      Warning: 8.22.4 contains a high impact non-security bug. Atlassian recommends updating to the latest version (currently 8.22.6).
    - Versions >= 9.0.0

  Jira Service Management Server and Data Center
    - 4.13.x >= 4.13.22 (LTS)
    - 4.20.x >= 4.20.10 (LTS)
    - 4.22.x >= 4.22.4
      Warning: 4.22.5 contains a security vulnerability. Atlassian recommends updating to the latest version (currently 4.22.6).
    - Versions >= 5.0.0

Release Notes

Atlassian recommends that you upgrade to the latest version. For a full description of the latest versions, see the release notes for your product:
  - Bamboo Server and Data Center release notes
  - Bitbucket Server and Data Center release notes
  - Confluence Server and Data Center release notes
  - Crowd Server and Data Center release notes
  - Crucible release notes
  - Fisheye release notes
  - Jira Service Management Server and Data Center release notes
  - Jira Software Server and Data Center release notes

Downloads
  - Download Bamboo Server and Data Center
  - Download Bitbucket Server and Data Center
  - Download Confluence Server and Data Center
  - Download Crowd
  - Download Crucible
  - Download Fisheye
  - Download Jira Service Management Server and Data Center
  - Download Jira Software Server and Data Center

Workarounds

There are no known workarounds. To remediate this vulnerability, update each affected product installation to a fixed version listed above.

Acknowledgements

Atlassian would like to thank Khoadha of Viettel Cyber Security for finding and reporting this vulnerability.

Frequently Asked Questions

We'll update the FAQ for CVE-2022-26136 / CVE-2022-26137 with answers for commonly asked questions.
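Because there is no workaround, the practical first step is to find every installation whose version falls inside the Affected Versions ranges above. The script below is an added example written for this note; it is not Atlassian's or CERT-Renater's code. It transcribes the advisory's affected-version ranges into half-open intervals and checks an inventory against them. The product keys, the helper names and the sample inventory (hostnames and versions) are constructed for illustration, not taken from any official API or real estate.

```python
"""Check Atlassian product versions against the affected-version ranges
published in the advisory for CVE-2022-26136 / CVE-2022-26137.

Added example; not Atlassian's or CERT-Renater's code. Ranges are
transcribed from the "Affected Versions" section; product keys are
this script's own labels, not an official API.
"""
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, int, int]
# [low inclusive, high exclusive); low None means "every earlier version".
Range = Tuple[Optional[Version], Version]


def parse_version(text: str) -> Version:
    """'7.13.7' -> (7, 13, 7); short forms are padded so '7.18' == '7.18.0'."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unsupported version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


# Helpers mirroring the wording used in the advisory's table.
def below(v: str) -> Range:                 # "Versions < v"
    return (None, parse_version(v))


def minor_below(v: str) -> Range:           # "a.b.x < a.b.c"
    hi = parse_version(v)
    return ((hi[0], hi[1], 0), hi)


def minors(lo: str, hi: str) -> Range:      # "All versions lo.x through hi.x"
    lo_v, hi_v = parse_version(lo), parse_version(hi)
    return ((lo_v[0], lo_v[1], 0), (hi_v[0], hi_v[1] + 1, 0))


def exact(v: str) -> Range:                 # a single listed version
    ver = parse_version(v)
    return (ver, (ver[0], ver[1], ver[2] + 1))


AFFECTED = {
    "Bamboo": [below("7.2.9"), minor_below("8.0.9"), minor_below("8.1.8"),
               minor_below("8.2.4")],
    "Bitbucket": [below("7.6.16"), minors("7.7", "7.16"), minor_below("7.17.8"),
                  minors("7.18", "7.18"), minor_below("7.19.5"),
                  minor_below("7.20.2"), minor_below("7.21.2"),
                  exact("8.0.0"), exact("8.1.0")],
    "Confluence": [below("7.4.17"), minors("7.5", "7.12"), minor_below("7.13.7"),
                   minor_below("7.14.3"), minor_below("7.15.2"),
                   minor_below("7.16.4"), minor_below("7.17.4"), exact("7.18.0")],
    "Crowd": [below("4.3.8"), minor_below("4.4.2"), exact("5.0.0")],
    "Crucible": [below("4.8.10")],
    "Fisheye": [below("4.8.10")],
    "Jira": [below("8.13.22"), minors("8.14", "8.19"), minor_below("8.20.10"),
             minors("8.21", "8.21"), minor_below("8.22.4")],
    "Jira Service Management": [below("4.13.22"), minors("4.14", "4.19"),
                                minor_below("4.20.10"), minors("4.21", "4.21"),
                                minor_below("4.22.4")],
}


def in_range(v: Version, r: Range) -> bool:
    lo, hi = r
    return (lo is None or lo <= v) and v < hi


def is_affected(product: str, version: str) -> bool:
    """True if `version` of `product` lies in any affected range of the advisory."""
    if product not in AFFECTED:
        raise KeyError(f"unknown product {product!r}; known: {sorted(AFFECTED)}")
    v = parse_version(version)
    return any(in_range(v, r) for r in AFFECTED[product])


def audit(inventory: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str, bool]]:
    """Evaluate (host, product, version) triples; returns them with an affected flag."""
    return [(h, p, ver, is_affected(p, ver)) for h, p, ver in inventory]


# Constructed sample inventory; hostnames and versions are invented.
SAMPLE_INVENTORY = [
    ("wiki.example.test", "Confluence", "7.13.6"),
    ("wiki2.example.test", "Confluence", "7.13.7"),
    ("git.example.test", "Bitbucket", "7.18.3"),
    ("issues.example.test", "Jira", "8.22.6"),
    ("sso.example.test", "Crowd", "5.0.0"),
]

if __name__ == "__main__":
    for host, product, version, affected in audit(SAMPLE_INVENTORY):
        status = "AFFECTED - upgrade" if affected else "not affected"
        print(f"{host:22} {product:25} {version:8} {status}")
```

The check is deliberately strict about the "All versions a.b.x" rows: every patch level of those minor lines is flagged, since the advisory lists no fixed release for them and the remedy is to move to a later fixed line. Feed the script a real inventory (for example, versions read from each instance's admin page) rather than the constructed sample; it does not probe hosts itself.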
Related Tickets
  - BAM-21795 - Bamboo: Multiple Servlet Filter Vulnerabilities (PUBLISHED)
  - BSERV-13370 - Bitbucket: Multiple Servlet Filter Vulnerabilities (PUBLISHED)
  - CONFSERVER-79476 - Confluence: Multiple Servlet Filter Vulnerabilities (PUBLISHED)
  - CWD-5815 - Crowd: Multiple Servlet Filter Vulnerabilities (PUBLISHED)
  - FE-7410 - Fisheye: Multiple Servlet Filter Vulnerabilities (PUBLISHED)
  - CRUC-8541 - Crucible: Multiple Servlet Filter Vulnerabilities (PUBLISHED)
  - JRASERVER-73897 - Jira: Multiple Servlet Filter Vulnerabilities (PUBLISHED)
  - JSDSERVER-11863 - JSM: Multiple Servlet Filter Vulnerabilities (PUBLISHED)

Support

If you did not receive an email for this advisory and you wish to receive such emails in the future, go to https://my.atlassian.com/email and subscribe to Alerts emails.

If you have questions or concerns regarding this advisory, raise a support request at https://support.atlassian.com/.

References

Security Bug Fix Policy
As per our new policy, high security bug fixes will be backported in accordance with https://www.atlassian.com/trust/security/bug-fix-policy . We will release new maintenance releases for the versions covered by the policy instead of binary patches. Binary patches are no longer released.

Severity Levels for Security Issues
Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org.

Atlassian Support End of Life Policy
Our end of life policy varies for different products. Please refer to our EOL Policy for details.

Last modified on Jul 25, 2022

=======================================================
+ CERT-RENATER          | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel      | fax : 01-53-94-20-41            +
+ 75013 Paris           | email : cert@support.renater.fr +
=======================================================