Atlassian Security Updates (CVE)

August 2022

Critical severity command injection vulnerability, released 24 Aug 2022

Information

This advisory discloses a critical severity security vulnerability which was introduced in version 7.0.0 of Bitbucket Server and Data Center. All versions released after 6.10.17, including 7.0.0 and newer, are affected; that is, every instance running any version between 7.0.0 and 8.3.0 inclusive is affected by this vulnerability.

There is a command injection vulnerability in multiple API endpoints of Bitbucket Server and Data Center. An attacker with access to a public repository or with read permissions to a private Bitbucket repository can execute arbitrary code by sending a malicious HTTP request.

Affected products

All versions of Bitbucket Server and Data Center released after 6.10.17, including 7.0.0 and newer, are affected; that is, every instance running any version between 7.0.0 and 8.3.0 inclusive is affected by this vulnerability.

July 2022

This vulnerability should be remediated on affected systems immediately. The advisory was released on 20 Jul 2022 and has already been updated.

Information

A Servlet Filter is Java code that intercepts and processes HTTP requests before a client request is sent to a back end resource. They’re also used to intercept and process HTTP responses from a back end resource before they’re sent to a client. Some Servlet Filters provide security mechanisms such as logging, auditing, authentication, or authorization.

Affected products

  • Bamboo Server and Data Center
  • Bitbucket Server and Data Center
  • Confluence Server and Data Center
  • Crowd Server and Data Center
  • Fisheye and Crucible
  • Jira Server and Data Center
  • Jira Service Management Server and Data Center

This vulnerability should be remediated on affected systems immediately. The advisory was released on 20 Jul 2022 and has already been updated.

Information

When the Questions for Confluence app is enabled on Confluence Server or Data Center, it creates a Confluence user account with the username disabledsystemuser. This account is intended to aid administrators who are migrating data from the app to Confluence Cloud. The disabledsystemuser account is created with a hardcoded password and is added to the confluence-users group, which by default allows viewing and editing all non-restricted pages within Confluence. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access any pages the confluence-users group has access to.

Affected products

Questions For Confluence app for:

  • Confluence Server
  • Confluence Data Center

June 2022

This advisory discloses a high severity security vulnerability. It was released on June 29, 2022 and has already been updated.

Information

A full-read server-side request forgery exists in Mobile Plugin for Jira, which is bundled with Jira and Jira Service Management. It is exploitable by any authenticated user (including a user who joined via the sign-up feature). It specifically affects the batch HTTP endpoint used in Mobile Plugin for Jira. It is possible to control the HTTP method and location of the intended URL through the method parameter in the body of the vulnerable endpoint.

Affected products

  • Jira Core Server
  • Jira Software Server
  • Jira Software Data Center
  • Jira Service Management Server
  • Jira Service Management Data Center

Jira versions after 8.0 and before 8.13.22; Jira Service Management versions after 4.0 and before 4.13.22.

A new ‘Critical’ vulnerability was released on June 2, 2022 and has already been updated.

Information

Atlassian has been made aware of current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server. The OGNL injection vulnerability allows an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance. 

Affected products

  • All versions of Confluence Server and Data Center prior to the fixed versions listed above are affected by this vulnerability.

A new ‘High’ vulnerability was released on November 1, 2021.

Information

Multiple Atlassian products use the third-party Log4j library, which is vulnerable to CVE-2021-44228:

Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

Affected products

  • Bitbucket

November 2021

A new ‘High’ vulnerability was released on November 1, 2021.

Severity

Atlassian rates the severity level of this vulnerability as high, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT environment.

Affected products

  • Bamboo Server and Data Center
  • Bitbucket Server and Data Center
  • Confluence Server and Data Center
  • Crucible
  • Fisheye
  • Jira Service Management Server and Data Center (and Insight Asset Management app)
  • Jira Software Server and Data Center (including Jira Core)
  • Jira and Confluence Server mobile apps

Description

A vulnerability has been identified affecting multiple Atlassian products where special characters, known as Unicode bidirectional override characters, are not rendered or displayed in the affected applications. These special characters are typically not displayed by the browser or code editors but can affect the meaning of the source code when it is processed by a compiler or an interpreter.
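One defensive check that follows from this description is to scan source text for the bidirectional control code points before review or compilation, and to show where an override is left open to the end of a line. The scanner below is an added example written for this page, not Atlassian's code; the sample source it scans is constructed.

```python
# Added example: flag Unicode bidirectional control characters in source text.
# These code points (Unicode Bidi_Control) are usually invisible in editors and
# browsers but reorder how a line is displayed, so what a reviewer sees can
# differ from what a compiler or interpreter processes.

# Embeddings, overrides and isolates with their short names.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
OPENERS = {"LRE", "RLE", "LRO", "RLO", "LRI", "RLI", "FSI"}
CLOSERS = {"PDF", "PDI"}


def find_bidi_controls(text):
    """Return (line_no, col, name) for every bidi control character, 1-based."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                hits.append((line_no, col, BIDI_CONTROLS[ch]))
    return hits


def unterminated_lines(text):
    """Line numbers whose embeddings/isolates are not all closed before line end."""
    bad = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        depth = 0
        for ch in line:
            name = BIDI_CONTROLS.get(ch)
            if name in OPENERS:
                depth += 1
            elif name in CLOSERS and depth > 0:
                depth -= 1
        if depth:
            bad.append(line_no)
    return bad


def render_visible(text):
    """Replace each control with a visible <NAME> marker, keeping logical order."""
    return "".join(f"<{BIDI_CONTROLS[c]}>" if c in BIDI_CONTROLS else c for c in text)


# Constructed sample: line 2 has an unterminated RLO in a comment, line 3 a balanced isolate.
SAMPLE_SOURCE = (
    "int access = 0;\n"
    "/* \u202echeck admin */ access = 1;\n"
    "log(\u2066\"ok\"\u2069);\n"
)
```

`render_visible(SAMPLE_SOURCE)` prints the lines in the order the compiler reads them, with `<RLO>` and `<LRI>`/`<PDI>` markers where the invisible controls sit.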

Acknowledgements

The issue was identified and reported by Nicholas Boucher and Ross Anderson of the University of Cambridge. 


October 2021

A new ‘Critical’ vulnerability was released on 20 Oct 2021.

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate, or low.

This is our assessment and you should evaluate its applicability to your own IT environment.

Affected products

  • Insight – Asset Management app
  • Jira Service Management Data Center and Server

Description

Insight – Asset Management has a feature to import data from several databases (DBs). One of these DBs, the H2 DB, has a native function in its library which an attacker can use to run code on the server (remote code execution a.k.a. RCE). The H2 DB is bundled with Jira to help speed up the setup of Jira test environments.

The combination of the DB import feature introduced by Insight – Asset Management with the existing Jira H2 DB library exposed this vulnerability. The vulnerability exists whether or not the import configuration was saved and even if H2 was never used as a targeted DB. Accessing this vulnerability requires the following:

The user must be an authenticated Jira user AND must hold either of the following privileges within Insight – Asset Management:

  • user or group permission to “Insight administrator”
  • user or group permission to “Object Schema Manager”

August 2021

A new ‘Critical’ vulnerability was released on 25 August 2021.

Severity

This vulnerability is being actively exploited in the wild.
Affected servers should be patched immediately.

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT environment.

Affected products

  • Confluence Server
  • Confluence Data Center

Description

An OGNL injection vulnerability exists that would allow an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance. 

All versions of Confluence Server and Data Center prior to the fixed versions listed above are affected by this vulnerability.

Acknowledgements

The issue was discovered by Benny Jacob (SnowyOwl) via the Atlassian public bug bounty program.