Multiple Products Security Advisory - CVE-2022-26136, CVE-2022-26137
Summary | Servlet Filter Dispatcher Vulnerabilities in Multiple Products
---|---
Advisory Release Date | 10:00 AM PDT (Pacific Time, -7 hours)
Affected Products | Bamboo Server and Data Center, Bitbucket Server and Data Center, Confluence Server and Data Center, Crowd Server and Data Center, Crucible, Fisheye, Jira Server and Data Center, Jira Service Management Server and Data Center. Atlassian Cloud sites are not affected. Fixes have been deployed to Atlassian Cloud sites. If your Atlassian site is accessed via a bitbucket.org or an atlassian.net domain, it is an Atlassian Cloud site.
CVE ID(s) | CVE-2022-26136, CVE-2022-26137
Summary of Vulnerabilities
Servlet Filter Overview
A Servlet Filter is Java code that intercepts and processes HTTP requests before a client request is sent to a back end resource. They’re also used to intercept and process HTTP responses from a back end resource before they’re sent to a client. Some Servlet Filters provide security mechanisms such as logging, auditing, authentication, or authorization.
Arbitrary Servlet Filter Bypass (CVE-2022-26136)
A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. Atlassian has not exhaustively enumerated all potential consequences of this vulnerability, and has only confirmed the attacks listed below. Please note that Atlassian has released updates that fix the root cause for all products affected by this vulnerability, including any first or third party apps installed on each product.
- Authentication bypass. Sending a specially crafted HTTP request can bypass custom Servlet Filters used by third party apps to enforce authentication. A remote, unauthenticated attacker can exploit this to bypass authentication used by third party apps. Please note Atlassian has confirmed this attack is possible, but has not determined a list of all affected apps.
- Cross-site scripting (XSS). Sending a specially crafted HTTP request can bypass the Servlet Filter used to validate legitimate Atlassian Gadgets, which can result in cross-site scripting (XSS). An attacker that can trick a user into requesting a malicious URL can execute arbitrary JavaScript in the user’s browser.
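As an added illustration (not code from this advisory or from any Atlassian product), the following hypothetical javax.servlet authentication filter is the kind of control a third party app registers, paired with a hypothetical protected servlet that repeats the principal check so the outcome does not depend solely on the filter chain having run. Class names, the use of getUserPrincipal() as the authentication signal, and the response body are assumptions.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: the container invokes it before the servlet only when the
// request is dispatched through the filter chain. Everything that reaches
// chain.doFilter() has passed the check; everything else is rejected here.
class AppAuthFilter implements Filter {
    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        Principal user = request.getUserPrincipal();
        if (user == null) {
            // Fail closed: no authenticated principal, no access to the back end.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(request, response); // next filter, or the target servlet
    }
}

// Hypothetical protected resource. It repeats the principal check instead of
// trusting that AppAuthFilter ran, so a request that arrives without passing
// through the filter chain (the condition CVE-2022-26136 describes) is still
// refused. The filter remains the primary control; this is defence in depth.
class ProtectedServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        Principal user = request.getUserPrincipal();
        if (user == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        response.setContentType("text/plain");
        response.getWriter().println("hello, " + user.getName());
    }
}
```

The servlet-side check is illustrative only; the advisory's remediation is to upgrade to a fixed version, since the filter bypass affects every filter-based control, not just authentication.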
Additional Servlet Filter Invocation (CVE-2022-26137)
A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability:
- Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim’s permissions.
Severity
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT environment.
Affected Versions
Product | Affected Versions
---|---
Bamboo Server and Data Center | (7.2.9 is not affected, but it contains an unrelated non-security bug. Refer to the fixed versions section below for more information.)
Bitbucket Server and Data Center |
Confluence Server and Data Center |
Crowd Server and Data Center |
Crucible |
Fisheye |
Jira Server and Data Center |
Jira Service Management Server and Data Center |
Fixed Versions
Product | Fixed Versions
---|---
Bamboo Server and Data Center |
Bitbucket Server and Data Center |
Confluence Server and Data Center |
Crowd Server and Data Center |
Crucible |
Fisheye |
Jira Server and Data Center |
Jira Service Management Server and Data Center |
Release Notes
Atlassian recommends that you upgrade to the latest version. For a full description of the latest versions, see the release notes for your product:
Downloads
Workarounds
There are no known workarounds. To remediate this vulnerability, update each affected product installation to a fixed version listed above.
Acknowledgements
Atlassian would like to thank Khoadha of Viettel Cyber Security for finding and reporting this vulnerability.
Frequently Asked Questions
We’ll update the FAQ for CVE-2022-26136 / CVE-2022-26137 with answers for commonly asked questions.
Related Tickets
- BAM-21795
- BSERV-13370
- CONFSERVER-79476
- CWD-5815
- FE-7410
- CRUC-8541
- JRASERVER-73897
- JSDSERVER-11863
Support
If you did not receive an email for this advisory and you wish to receive such emails in the future, go to https://my.atlassian.com/email and subscribe to Alerts emails.
If you have questions or concerns regarding this advisory, raise a support request at https://support.atlassian.com/.
References
As per our new policy, high security bug fixes will be backported in accordance with https://www.atlassian.com/trust/security/bug-fix-policy. We will release new maintenance releases for the versions covered by the policy instead of binary patches. Binary patches are no longer released.
Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org.
Our end of life policy varies for different products. Please refer to our EOL Policy for details.