Atlassian Patches Critical Jira Authentication Bypass Bug
2 Atlassian Products Affected: Jira and Jira Service Management
Australian software company Atlassian has issued fixes for a critically rated vulnerability in its Jira software that could allow a remote, unauthenticated attacker to bypass authentication. The vulnerability, tracked as CVE-2022-0540 with a CVSS rating of 9.9 out of 10, affects both the Jira and Jira Service Management products.
Atlassian credits a researcher identified only as Khoadha, of Vietnam's Viettel Cyber Security, with finding and reporting the bug, which lies in Jira's authentication framework, Jira Seraph, according to Atlassian's security advisory.
Seraph is a pluggable J2EE web application security framework. It is built from several core elements - security service, interceptor, authenticator, controller and role mapper - each of which can be swapped out within the framework.
A remote, unauthenticated attacker could exploit the bug by sending a specially crafted HTTP request to bypass authentication and authorization requirements in WebWork actions using an affected configuration, Atlassian says.
Although the vulnerability is in the core of Jira, it affects first- and third-party apps that specify roles-required at the webwork1 action namespace level and do not specify it at the action level. "For a specific action to be affected, the action will also need to not perform any other authentication or authorization checks," Atlassian says in its security advisory.
Jacob Baines, a lead security researcher at Rapid7, in a knowledge base blog that the company calls AttackerKB, says that the vulnerable code exists in Jira core, but only affects downstream "apps" that integrate with Jira. An app is only vulnerable if it does not take steps to independently "enforce additional security checks," Baines says.
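The affected configuration described above is visible in an app's atlassian-plugin.xml descriptor: a webwork1 module that carries roles-required while some of its action elements do not. The following script, added here as an example and not code from Atlassian or from any affected app, flags exactly that pattern. The descriptor it parses is constructed for the example (the module keys, action classes and aliases are invented); the first module shows the affected pattern, the second a namespace that restricts each action individually. Whether a flagged action performs its own authorization check in Java is something a descriptor audit cannot see, so findings are leads to review, not confirmed vulnerabilities.

```python
"""Audit atlassian-plugin.xml descriptors for the CVE-2022-0540 pattern:
a <webwork1> module that sets roles-required at the namespace level while
one or more of its <action> elements sets no roles-required of its own.
Such actions rely on the namespace-level check alone, which is the check
the Seraph bypass defeats, unless the action's own code enforces a
permission check (which this static audit cannot detect)."""

import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample descriptor for this example; keys, classes and aliases
# are invented and do not correspond to any real app.
SAMPLE_DESCRIPTOR = """<?xml version="1.0" encoding="UTF-8"?>
<atlassian-plugin key="com.example.demo" name="Demo App">
  <!-- Affected pattern: roles-required only on the namespace. -->
  <webwork1 key="demo-admin-actions" name="Demo Admin Actions"
            class="java.lang.Object" roles-required="admin">
    <actions>
      <action name="com.example.demo.ShowConfigAction" alias="DemoShowConfig">
        <view name="success">/templates/config.vm</view>
      </action>
      <action name="com.example.demo.SaveConfigAction" alias="DemoSaveConfig"
              roles-required="admin">
        <view name="success">/templates/config.vm</view>
      </action>
    </actions>
  </webwork1>
  <!-- Hardened pattern: every action declares its own roles-required. -->
  <webwork1 key="demo-user-actions" name="Demo User Actions" class="java.lang.Object">
    <actions>
      <action name="com.example.demo.ViewAction" alias="DemoView" roles-required="use">
        <view name="success">/templates/view.vm</view>
      </action>
    </actions>
  </webwork1>
</atlassian-plugin>
"""


def find_affected_actions(descriptor_xml: str) -> list[dict]:
    """Return one record per action that inherits roles-required only from
    its webwork1 namespace. Each record names the module, the action alias
    and class, and the role the action was relying on."""
    root = ET.fromstring(descriptor_xml)
    findings = []
    for module in root.iter("webwork1"):
        ns_roles = module.get("roles-required")
        if not ns_roles:
            continue  # no namespace-level restriction: not the affected pattern
        for action in module.iter("action"):
            if action.get("roles-required"):
                continue  # action-level roles-required: not reliant on the namespace
            findings.append({
                "module": module.get("key"),
                "action": action.get("alias") or action.get("name"),
                "class": action.get("name"),
                "inherited_roles": ns_roles,
            })
    return findings


def audit_paths(paths: list[str]) -> list[dict]:
    """Walk the given directories (or files) for atlassian-plugin.xml
    descriptors, e.g. unpacked app JARs, and aggregate findings."""
    results = []
    for p in paths:
        root = Path(p)
        files = [root] if root.is_file() else root.rglob("atlassian-plugin.xml")
        for f in files:
            for rec in find_affected_actions(f.read_text(encoding="utf-8")):
                results.append({"file": str(f), **rec})
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        findings = audit_paths(sys.argv[1:])
    else:
        findings = [{"file": "<sample>", **r}
                    for r in find_affected_actions(SAMPLE_DESCRIPTOR)]
    for r in findings:
        print(f"{r['file']}: module {r['module']} action {r['action']} "
              f"({r['class']}) relies on namespace roles-required="
              f"{r['inherited_roles']} only")
```

Run it with no arguments to audit the embedded sample (it reports DemoShowConfig and nothing else), or pass directories of unpacked app JARs to audit a real installation. Treat each hit as a candidate to check against the app's source or vendor advisory for an in-action permission check, which is the "additional security checks" Baines refers to.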
Affected Products and Versions
Two of Atlassian's products - Jira and Jira Service Management - are affected by this vulnerability, across the following editions:
- Jira Core Server
- Jira Software Server
- Jira Software Data Center
- Jira Service Management
- Jira Service Management Server
- Jira Service Management Data Center
The versions that the CVE-2022-0540 vulnerability affects are:
- Jira Core Server, Software Server and Software Data Center prior to versions 8.13.18; the 8.14.x, 8.15.x, 8.16.x, 8.17.x, 8.18.x, 8.19.x, 8.20.x before 8.20.6; and 8.21.x;
- Jira Service Management Server and Data Center prior to 4.13.18; 4.14.x, 4.15.x, 4.16.x, 4.17.x, 4.18.x, 4.19.x, 4.20.x before 4.20.6; and 4.21.x.
Cloud products of Jira and Jira Service Management remain unaffected by the vulnerability.
Apps Also Affected
Atlassian has determined that apps on its Marketplace may also use the configuration vulnerable to CVE-2022-0540. Atlassian says that an app is only affected when both of the following conditions are met:
- It is installed in one of the affected Jira or Jira Service Management versions listed above.
- It uses the specific vulnerable CVE-2022-0540 configuration described earlier.
The vulnerability affects two bundled apps and one stand-alone Atlassian app:
- Insight - Asset Management: Bundled in Jira Service Management Server and Data Center 4.15.0 and later;
- Mobile Plugin for Jira: Bundled in Jira Server, Jira Software Server and Data Center 8.0.0 and later, Jira Service Management Server and Data Center 4.0.0 and later;
- Insight - Asset Management stand-alone app (Server, Data Center): versions prior to 8.10.0; available from the Atlassian Marketplace.
Fixed Versions and Workarounds
Atlassian has remediated and fixed the vulnerable Jira versions. The latest versions that include the security updates are 8.13.x >= 8.13.18, 8.20.x >= 8.20.6, and all versions from 8.22.0 and later.
Similarly, the fixed versions for Jira Service Management are 4.13.x >= 4.13.18, 4.20.x >= 4.20.6, and 4.22.0 and later.
If users are unable to update an affected app, Atlassian recommends disabling the vulnerable apps until a fixed version can be installed.
Those using Jira Service Management 4.19.x and 4.20.x < 4.20.3 are recommended to not disable the Insight - Asset Management app. "In these versions of Jira Service Management, disabling Insight - Asset Management causes all of Jira Service Management to be disabled," Atlassian says.
Widespread Exploitation Not Expected
Baines says that although Atlassian lists two of its own "bundled" apps as affected, its FAQ says that Mobile Plugin for Jira is not exploitable because of the additional security checks mentioned above, and that exploiting Insight - Asset Management requires both authentication and special permissions.
"It appears that Atlassian based their CVSS3 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L) on the Insight - Asset Management attack case. Although the score seems artificially inflated by use of S:C," Baines says.
Baines adds that while Atlassian lists approximately 200 affected apps in its disclosure, "we do not expect this issue to see widespread exploitation." This is because the actual impact of the bypass depends on the functionality exposed by the app's vulnerable endpoint, he says.
"There may be a high-impact vulnerable app, but the install base of specific apps is going to be significantly smaller than the Jira install base. Coupled with the fact that this issue has been fixed for more than two months, and cloud services are not affected, exploitation will be spotty at best, if at all," Baines says.
Therefore, although the vulnerability is critically rated, Baines rates the chances of exploitability as "low" and attacker value as "very low."
Tim Erlin, vice president of strategy at Tripwire, tells Information Security Media Group that "this vulnerability is critical for some organizations, but it's not critical for the internet as a whole in the way that Log4Shell was."
For customers who have an affected configuration, this is a critical vulnerability to address, but there are many caveats around what constitutes an affected configuration and thus, every organization needs to assess its own particular use case and setup, Erlin says.
Critical or Not?
Atlassian, which rates the severity level of this vulnerability as critical, also says that the severity may vary if an affected app uses additional permissions checks. "For installations that do not use any apps that have an affected configuration as described in the Summary of Vulnerability, Atlassian rates the severity level of this vulnerability as medium," it says in its security blog.
"This is our assessment, and you should evaluate its applicability to your own IT environment," it says.
Avishai Avivi, a CISO at SafeBreach, tells ISMG that while it may turn out that most applications in the Jira marketplace are not vulnerable when the two conditions occur, a malicious actor can still bypass the authentication and authorization mechanisms and execute arbitrary code for some. "Such capability justifies the critical severity," Avivi says.
"In security, we have to use the high watermark method, meaning using the highest possible severity level as the overall severity rating to alert users of the worst-case scenario."
He adds that CVE-2022-0540 is an interesting vulnerability that can potentially be exploited to introduce vulnerabilities into completely unrelated applications.
In September 2021, the U.S. Cyber Command and the U.S. Cybersecurity and Infrastructure Security Agency issued alerts warning of mass exploitation of Atlassian's Confluence vulnerability, CVE-2021-26084 (see: Atlassian Vulnerability Being Exploited in the Wild).