Atlassian – CVE-2022-0540, CVE-2016-10750, CVE-2022-26133

22nd April 2022

Atlassian has released security fixes for multiple vulnerabilities affecting Atlassian Jira Software, Confluence Data Center, and Bitbucket Data Center.

1, Atlassian Jira Software

Atlassian has released updates for Jira and Jira Service Management that address a critical authentication bypass vulnerability in its web authentication framework, Jira Seraph. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted HTTP request to bypass authentication and authorisation requirements in WebWork actions using an affected configuration and take control of the system.

The following Atlassian software is affected:

  • Jira
    • Jira Core Server
    • Jira Software Server
    • Jira Software Data Center
  • Jira Service Management
    • Jira Service Management Server
    • Jira Service Management Data Center
  • Insight – Asset Management
  • Mobile Plugin for Jira

Atlassian cloud instances are not vulnerable and no customer action is required. 


Installing a fixed version listed below is the surest way to remediate CVE-2022-0540. Once a fixed version has been installed, all apps in your Jira or JSM instance are protected against CVE-2022-0540 and no further action is required.

Fixed Jira Versions for…

Jira Core Server
Jira Software Server
Jira Software Data Center

  • 8.13.x >= 8.13.18
  • 8.20.x >= 8.20.6
  • All versions >= 8.22.0

Fixed Jira Service Management Versions for…

Jira Service Management Server
Jira Service Management Data Center

  • 4.13.x >= 4.13.18
  • 4.20.x >= 4.20.6
  • All versions >= 4.22.0

Full information about remediation work can be found here

Jira Security Advisory 2022-04-20 | Atlassian Support | Atlassian Documentation

Further information can also be found here

FAQ for CVE-2022-0540 | Atlassian Support | Atlassian Documentation


2, Confluence Data Center, and Bitbucket Data Center

Multiple Atlassian products use the third-party software Hazelcast, which is vulnerable to Java deserialization attacks. Hazelcast is used by these products when they’re configured to run as a cluster. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted request, resulting in arbitrary code execution.

The following Atlassian software is affected:

  • Confluence Data Center
  • Bitbucket Data Center

Bitbucket Server is not affected. Bitbucket Cloud is not affected.

Affected Bitbucket Data Center Versions

  • All versions before 7.0
  • All 7.x versions earlier than the fixed versions listed below

Fixed Bitbucket Data Center Versions

  • 7.6.14
  • 7.17.6
  • 7.18.4
  • 7.19.4
  • 7.20.1
  • 7.21.0
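The fixed-version lists above for Jira, Jira Service Management and Bitbucket Data Center all follow the same pattern: a minimum patch level per release branch, plus a release from which every later version carries the fix. The check below is an added example (not Atlassian's code or anything from the advisory) that encodes those lists and tells you whether an installed version is at or above a fixed release. For Bitbucket Data Center the page lists 7.21.0 as the newest fixed release; treating minor releases after 7.21 as fixed is an assumption of this example, and 7.x branches with no listed fix (7.7 through 7.16) are treated as affected, as the advisory's wording implies.

```python
"""Compare an installed Atlassian version against the advisory's fixed versions.
Added example; the rule tables are transcribed from the advisory lists above."""
import re
from typing import Dict, Tuple, TypedDict

Branch = Tuple[int, int]


class FixRules(TypedDict):
    branches: Dict[Branch, int]   # (major, minor) -> minimum fixed patch level
    all_from: Tuple[int, int, int]  # every version at or above this is fixed


# Jira Core Server, Jira Software Server, Jira Software Data Center
JIRA_FIXED: FixRules = {"branches": {(8, 13): 18, (8, 20): 6}, "all_from": (8, 22, 0)}
# Jira Service Management Server and Data Center
JSM_FIXED: FixRules = {"branches": {(4, 13): 18, (4, 20): 6}, "all_from": (4, 22, 0)}
# Bitbucket Data Center. ASSUMPTION: releases after 7.21.0 keep the fix; the
# advisory only lists 7.21.0 as its newest fixed release.
BITBUCKET_DC_FIXED: FixRules = {
    "branches": {(7, 6): 14, (7, 17): 6, (7, 18): 4, (7, 19): 4, (7, 20): 1, (7, 21): 0},
    "all_from": (7, 21, 0),
}

PRODUCTS = {"jira": JIRA_FIXED, "jsm": JSM_FIXED, "bitbucket-dc": BITBUCKET_DC_FIXED}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor[.patch]'; a trailing suffix such as '-rc1' is ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_fixed(version: str, rules: FixRules) -> bool:
    """True when the version is at or above a fixed release for its branch."""
    major, minor, patch = parse_version(version)
    if (major, minor, patch) >= rules["all_from"]:
        return True
    min_patch = rules["branches"].get((major, minor))
    # Branches with no listed fix (e.g. Jira 8.21.x, Bitbucket 7.10.x) are affected.
    return min_patch is not None and patch >= min_patch


def check(product: str, version: str) -> str:
    """Human-readable verdict for one product/version pair."""
    rules = PRODUCTS[product]
    state = "fixed" if is_fixed(version, rules) else "AFFECTED - upgrade required"
    return f"{product} {version}: {state}"


if __name__ == "__main__":
    for product, version in [("jira", "8.13.17"), ("jira", "8.20.6"),
                             ("jsm", "4.21.1"), ("bitbucket-dc", "7.10.2")]:
        print(check(product, version))
```

Run it against the version shown in the product's administration console; any "AFFECTED" line means the instance still needs one of the releases listed above.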

Affected Confluence Data Center Versions

All versions 5.6 and above. Check for the following string in the confluence.cfg.xml file in the Confluence home directory:

<property name="confluence.cluster">true</property>

If this line is present, the software is vulnerable.
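Grepping for the exact string works, but whitespace, casing or quoting differences in confluence.cfg.xml can make a plain text match miss. The script below is an added example (not Atlassian's code) that parses the file as XML and reports whether confluence.cluster is set to true. The sample document embedded in it is constructed to mimic the relevant part of confluence.cfg.xml; the surrounding element names are assumptions and the check itself only relies on the property element named in the advisory.

```python
"""Report whether a confluence.cfg.xml enables clustering (Hazelcast in use).
Added example; the sample XML below is constructed, not a real Confluence file."""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample of a clustered instance (element layout is an assumption).
SAMPLE_CLUSTERED = """<?xml version="1.0" encoding="UTF-8"?>
<confluence-configuration>
  <setupStep>complete</setupStep>
  <properties>
    <property name="confluence.cluster">true</property>
    <property name="confluence.cluster.name">prod-cluster</property>
  </properties>
</confluence-configuration>
"""

# Constructed sample of a standalone instance: the property is absent.
SAMPLE_STANDALONE = """<?xml version="1.0" encoding="UTF-8"?>
<confluence-configuration>
  <setupStep>complete</setupStep>
  <properties>
    <property name="confluence.home">/var/atlassian/application-data/confluence</property>
  </properties>
</confluence-configuration>
"""


def cluster_enabled_from_text(xml_text: str) -> bool:
    """True when a <property name="confluence.cluster"> element reads 'true'.

    Walking every <property> element rather than a fixed path keeps the check
    independent of where Confluence nests the properties block.  ElementTree
    does not resolve external entities, so untrusted input is not expanded."""
    root = ET.fromstring(xml_text)
    for prop in root.iter("property"):
        if prop.get("name") == "confluence.cluster":
            return (prop.text or "").strip().lower() == "true"
    return False


def cluster_enabled(cfg_path: str) -> bool:
    """Read confluence.cfg.xml from disk and apply the same check."""
    return cluster_enabled_from_text(Path(cfg_path).read_text(encoding="utf-8"))


def verdict(clustered: bool) -> str:
    if clustered:
        return "confluence.cluster=true: Hazelcast in use, instance is affected"
    return "confluence.cluster not set to true: clustering disabled"


if __name__ == "__main__":
    # Usage: python check_cluster.py /path/to/confluence-home/confluence.cfg.xml
    path = sys.argv[1] if len(sys.argv) > 1 else None
    flag = cluster_enabled(path) if path else cluster_enabled_from_text(SAMPLE_CLUSTERED)
    print(verdict(flag))
```

Point it at the confluence.cfg.xml in the Confluence home directory; a "true" result means the node is running the vulnerable clustered configuration and the firewall workaround below applies until a fix is available.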

Workaround for Confluence Data Center

There is no fix at present; however, the risk is greatly reduced by using a firewall or similar control to prevent any device other than the cluster nodes from communicating on 5701/TCP and 5801/TCP. Details are in the link below.

Set up a Confluence Data Center cluster | Confluence Data Center and Server 7.17 | Atlassian Documentation
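One concrete form of that workaround is a host firewall ruleset that accepts 5701/TCP and 5801/TCP only from the cluster nodes and drops (and logs) everything else. The generator below is an added example, not Atlassian's guidance or code: it builds an nftables ruleset from a list of node addresses and includes a small function that mirrors the ruleset's decision so the policy can be sanity-checked before it is applied. The table name, chain layout and log prefix are assumptions; the port numbers come from the advisory.

```python
"""Build an nftables ruleset restricting the Hazelcast ports to cluster nodes.
Added example; table name, chain layout and log prefix are assumptions."""
import ipaddress
from typing import Iterable, List, Sequence, Tuple

HAZELCAST_PORTS: Sequence[int] = (5701, 5801)   # ports named in the advisory workaround
LOG_PREFIX = "hazelcast-blocked: "              # assumed prefix, chosen for log triage


def _split_addresses(cluster_nodes: Iterable[str]) -> Tuple[List, List]:
    """Validate node addresses and split them into sorted IPv4 and IPv6 lists."""
    v4, v6 = set(), set()
    for node in cluster_nodes:
        addr = ipaddress.ip_address(node.strip())   # ValueError on a malformed entry
        (v4 if addr.version == 4 else v6).add(addr)
    if not v4 and not v6:
        raise ValueError("at least one cluster node address is required")
    return sorted(v4), sorted(v6)


def hazelcast_nft_ruleset(cluster_nodes: Iterable[str],
                          ports: Sequence[int] = HAZELCAST_PORTS,
                          table: str = "confluence_hazelcast") -> str:
    """Return nft(8) syntax: accept the ports from cluster nodes, drop the rest.

    The chain policy stays 'accept' so only the Hazelcast ports are affected;
    other inbound traffic is left to the host's existing rules."""
    v4, v6 = _split_addresses(cluster_nodes)
    port_set = ", ".join(str(p) for p in ports)
    lines = [
        f"table inet {table} {{",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
    ]
    if v4:
        addrs = ", ".join(str(a) for a in v4)
        lines.append(f"    ip saddr {{ {addrs} }} tcp dport {{ {port_set} }} accept")
    if v6:
        addrs = ", ".join(str(a) for a in v6)
        lines.append(f"    ip6 saddr {{ {addrs} }} tcp dport {{ {port_set} }} accept")
    # Everything else aimed at the Hazelcast ports is logged, then dropped.
    lines.append(f'    tcp dport {{ {port_set} }} log prefix "{LOG_PREFIX}" drop')
    lines += ["  }", "}"]
    return "\n".join(lines) + "\n"


def decide(cluster_nodes: Iterable[str], src_ip: str, dport: int,
           ports: Sequence[int] = HAZELCAST_PORTS) -> str:
    """Mirror the ruleset's verdict for one inbound TCP packet ('accept'/'drop')."""
    if dport not in ports:
        return "accept"            # chain policy: other ports are untouched
    allowed = {ipaddress.ip_address(n.strip()) for n in cluster_nodes}
    return "accept" if ipaddress.ip_address(src_ip) in allowed else "drop"


if __name__ == "__main__":
    # Constructed node list; include every node's own address as well.
    print(hazelcast_nft_ruleset(["10.0.0.1", "10.0.0.2", "10.0.0.3"]), end="")
```

Write the output to a file and load it with `nft -f <file>` on each node; the list must contain the addresses of every node in the cluster, including the node the rules are loaded on, or the cluster members will lose contact with each other.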

Full information about remediation work can be found here

Multiple Products Security Advisory – Hazelcast Vulnerable To Remote Code Execution – CVE-2016-10750, CVE-2022-26133 | Atlassian Support | Atlassian Documentation


If you have any concerns regarding this matter, please contact Daisy via our Service Desk team on 0330 024 3333 or our Customer Portal.
