Atlassian Releases Patches for Critical Jira Authentication Bypass Vulnerability


Atlassian has released new security patches for its Jira and Jira Service Management solutions. The latest set of updates aims to address a critical vulnerability that could let attackers bypass authentication controls.

According to Atlassian’s security advisory, the bug was first discovered by Khoadha of Viettel Cyber Security. Tracked as CVE-2022-0540 and assigned a CVSS score of 9.9, the security flaw resides in Jira’s authentication framework, called Jira Seraph.

For those unfamiliar, Seraph is a Servlet security framework that is used in J2EE web applications. It offers various security tools that help IT admins protect their Jira installations from cyber attacks. In Jira and Confluence, Seraph uses some pluggable core elements to handle all authentication requests.

“A remote, unauthenticated attacker could exploit this by sending a specially crafted HTTP request to bypass authentication and authorization requirements in WebWork actions using an affected configuration,” the company explained.

Atlassian confirmed that the CVE-2022-0540 vulnerability affects several products such as Jira Core Server, Software Server, Software Data Center, the Service Management Server, and the Management Data Center. However, the security flaw doesn’t impact the cloud-based Jira and Jira Service Management products.

Here’s the full list of versions affected by the CVE-2022-0540 vulnerability:

  • Jira Core Server, Software Server, and Software Data Center: versions prior to 8.13.18, as well as 8.14.x, 8.15.x, 8.16.x, 8.17.x, 8.18.x, 8.19.x, 8.20.x before 8.20.6, and 8.21.x.
  • Jira Service Management Server and Management Data Center: versions prior to 4.13.18, as well as 4.14.x, 4.15.x, 4.16.x, 4.17.x, 4.18.x, 4.19.x, 4.20.x before 4.20.6, and 4.21.x.
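The version ranges above can be turned into an inventory check. The following is an added example, not code from Atlassian or from the original article; the product keys `jira` and `jsm`, the function names, and the sample inventory are assumptions made for illustration. Releases newer than 8.21.x / 4.21.x are treated as not listed as affected here.

```python
import re

# Major version of each product line in the affected-version list above.
# "jira" = Jira Core/Software, "jsm" = Jira Service Management (keys are assumptions).
PRODUCT_MAJOR = {"jira": 8, "jsm": 4}


def parse_version(text):
    """Return (major, minor, patch) from strings like '8.20.5' or 'v4.13.18-m1'."""
    m = re.match(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def is_affected(product, version):
    """True if the version falls in a range the list above names for CVE-2022-0540."""
    major = PRODUCT_MAJOR[product]
    v = parse_version(version)
    if v < (major, 13, 18):                      # everything prior to x.13.18
        return True
    if (major, 14, 0) <= v < (major, 20, 6):     # x.14.x .. x.19.x, x.20.x before x.20.6
        return True
    return v[:2] == (major, 21)                  # all of x.21.x


def needs_patch(inventory):
    """Return the names of instances whose version is in an affected range."""
    return [name for name, product, version in inventory
            if is_affected(product, version)]


# Constructed sample inventory: (instance name, product key, installed version).
SAMPLE_INVENTORY = [
    ("jira-prod", "jira", "8.20.5"),
    ("helpdesk", "jsm", "4.13.18"),
    ("jira-dev", "jira", "8.22.0"),
    ("jsm-legacy", "jsm", "4.5.2"),
]

if __name__ == "__main__":
    for name in needs_patch(SAMPLE_INVENTORY):
        print(f"{name}: affected version range, upgrade required")
```

A version check only covers the Jira core; the installed apps still have to be reviewed separately, since the article notes that the Mobile Plugin for Jira, Insight – Asset Management, and marketplace apps are also affected.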

The Jira authentication bypass vulnerability affects over 200 Atlassian marketplace apps

In addition to these Jira products, Atlassian noted that the security flaw affects its Mobile Plugin for Jira and Insight – Asset Management applications. Moreover, the vulnerability impacts more than 200 apps available on the Atlassian marketplace.

Atlassian advises customers to upgrade to the latest version of Jira or Jira Service Management to mitigate potential security attacks. However, users who can’t install the security patches can simply update the vulnerable apps to a fixed version or disable them altogether.