2022 In A Nutshell: Atlassian Outages And Vulnerabilities
The year 2022 was definitely not the best one in history for #Jira and #Bitbucket users. Atlassian outages, warnings about data breaches, and front-page media coverage were all about Atlassian this year. So, let's analyze #Atlassian Status and the various media alerts to see what really happened to this giant cloud service provider.
December 2022
Atlassian Status for Jira: 2 incidents
Atlassian Status for Bitbucket: 3 incidents
Security flaw noticed in Atlassian can lead to taking over hundreds of Jira accounts
Researchers from CloudSEK noticed a flaw in Atlassian products such as Jira, Confluence, and Bitbucket. They stated that threat actors could use this flaw to take over a company's Jira account. The problem was hidden in session cookies that were not invalidated even if the user changed the password, with 2FA enabled. According to those #security researchers, the reason lay in the cookie validity, which is 30 days: the cookies only expire at the moment the user logs out, or after 30 days.
At the same time, the Atlassian security team ran its own investigation into unauthorized access to a customer's Cloud account, which took place in December and triggered the buzz online. As it turned out during the investigation, it was an isolated case caused by malware on the customer's computer: "This incident was in no way caused by a #vulnerability in Atlassian products or a compromise of Atlassian systems."
For those Cloud customers who have concerns about the security of their tokens, the Atlassian team recommended that they "reset their passwords, which will automatically log users out of all active and current sessions."
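As an added illustration (not CloudSEK's or Atlassian's code), here is a minimal server-side session check in Python that contrasts the behaviour described above, where only a logout or the 30-day lifetime ends a session, with a hardened check that also rejects any session issued before the account's last password change. The class, method names and timestamps are assumptions made for the example.

```python
import secrets

SESSION_TTL = 30 * 24 * 3600  # the 30-day cookie lifetime the article describes


class SessionStore:
    """Assumed in-memory session store; not modelled on any real product."""

    def __init__(self):
        self.sessions = {}        # token -> (user_id, issued_at)
        self.pw_changed_at = {}   # user_id -> timestamp of last password change

    def login(self, user_id, now):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user_id, now)
        return token

    def logout(self, token):
        self.sessions.pop(token, None)

    def change_password(self, user_id, now):
        # Record the change; every session issued before this moment becomes
        # invalid without having to enumerate and delete the sessions.
        self.pw_changed_at[user_id] = now

    def is_valid_weak(self, token, now):
        # Behaviour described in the article: only logout or 30-day expiry
        # ends a session; a password change has no effect on it.
        rec = self.sessions.get(token)
        if rec is None:
            return False
        _, issued_at = rec
        return now - issued_at < SESSION_TTL

    def is_valid(self, token, now):
        # Hardened check: same as above, plus the session must have been
        # issued after the account's most recent password change.
        rec = self.sessions.get(token)
        if rec is None:
            return False
        user_id, issued_at = rec
        if now - issued_at >= SESSION_TTL:
            return False
        changed = self.pw_changed_at.get(user_id)
        return changed is None or issued_at > changed


def demo():
    # Constructed scenario: a session survives a password change under the
    # weak check (True) but is rejected by the hardened check (False).
    store = SessionStore()
    t0 = 1_700_000_000
    token = store.login("alice", t0)
    store.change_password("alice", t0 + 60)
    return store.is_valid_weak(token, t0 + 120), store.is_valid(token, t0 + 120)
```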
November 2022
Atlassian Status for Jira: 4 incidents
Atlassian Status for Bitbucket: 4 incidents
Atlassian remediates its critical vulnerabilities (9 out of 10!)
After noticing critical security vulnerabilities that Atlassian characterized as 9 out of 10 in severity rating, the cloud service provider released updates to address them in its centralized identity management platform, Crowd Server and Data Center, as well as in its Git-based code and CI/CD tool, Bitbucket Server and Data Center.
According to Atlassian, the first is a command injection flaw, tracked as CVE-2022-43781, which affects Bitbucket Server and Data Center and could permit an attacker with permission to control their username to gain code execution on the target system. The other flaw, CVE-2022-43782, which affected Crowd Server and Data Center, was a misconfiguration that could give an attacker the possibility to bypass password checks when authenticating as the Crowd app and to call privileged API endpoints.
The Atlassian security advisory presented step-by-step guidance for administrators to check whether their products were compromised and what actions to take in that case.
October
Atlassian Status for Jira: 1 incident
Atlassian Status for Bitbucket: 1 incident
Two vulnerabilities noticed in Atlassian Jira could let an attacker steal account credentials
In October, Bishop Fox, a cybersecurity services firm, issued an advisory about two vulnerabilities they noticed in Atlassian Jira Align which allowed a user who already had access to the service to easily gain access as an application administrator and, consequently, mount an attack on the Atlassian service.
Those two vulnerabilities were a Server-Side Request Forgery (SSRF), tracked as CVE-2022-36802, and Insufficient Authorization Controls, tracked as CVE-2022-36802. The first one allowed the threat actor to obtain the AWS credentials of the Atlassian Jira service account and then access the Atlassian Cloud infrastructure as a user of Jira Align. The second one permitted users who had the People role permission to upgrade their own and any other user's role up to Super Admin. With this role, a user gained control over all settings in the Jira Align tenant, allowing them to modify Jira connections or security settings and reset user accounts.
September
Atlassian Status for Jira: 8 incidents
Atlassian Status for Bitbucket: 4 incidents
Bitbucket suffers two outages in a month
In September Atlassian experienced two partial outages. The first one took place on September 8th and lasted for about an hour. As the Atlassian team posted later on Atlassian Status, "we experienced requests timing for some of our customers for Atlassian Bitbucket. The issue has been resolved and the service is operating normally."
The other outage happened later, on September 25th, and lasted much longer than the previous one: 7 hours and 33 minutes. According to Atlassian, some customers "using Bitbucket Cloud were unable to access their repositories." As it turned out, this incident was triggered by an outage at the storage vendor Atlassian uses in its data center, caused by a firmware upgrade. Although the Atlassian team detected the incident within 14 minutes, it took hours to resolve the problem.
August
Atlassian Status for Jira: 5 incidents
Atlassian Status for Bitbucket: 2 incidents
Atlassian warns its Bitbucket Server and Data Center users about another RCE vulnerability (9.9/10)
Another security advisory warning was issued by Atlassian, this time for Bitbucket Server and Data Center users. They tracked a vulnerability, aka CVE-2022-360804, a security flaw which received a CVSS severity score of 9.9 out of 10 and needed to be patched immediately. A threat actor could leverage this critical vulnerability to execute arbitrary code on vulnerable instances (according to Atlassian, this security flaw affected all Bitbucket Server and Data Center versions over 6.10.17, as well as from 7.0.0 to 8.3.0).
Here is how the Atlassian advisory commented on the issue: "An attacker with access to a public repository or with read permissions to a private Bitbucket repository can execute arbitrary code by sending a malicious HTTP request." Thus, to solve the problem, Atlassian customers had no option but to apply the available security update or the other published mitigations immediately. Remote code execution (RCE) is the most potent of all vulnerability types, enabling crooks to do extensive damage while bypassing security measures, so this threat should be taken seriously.
July
Atlassian Status for Jira: 9 incidents
Atlassian Status for Bitbucket: 5 incidents
June
Atlassian Status for Jira: 3 incidents
Atlassian Status for Bitbucket: 9 incidents
SSRF flaw tracked in Jira could lead to leaked sensitive credentials
Researchers from Assetnote identified a server-side request forgery (SSRF), tracked as CVE-2022-26135, in Jira and Jira Service Management. This vulnerability permitted attackers "to make requests to arbitrary URLs, with any HTTP method, header and body."
Later Atlassian explained in its security advisory: "Depending on the environment the Jira instance is deployed in, the impact of this bug varies. For example, when deployed in AWS, it could leak sensitive credentials." To solve the issue, Atlassian advised users whose Jira site was not accessed via the atlassian.net domain to update their Jira app, as they could be affected by the mentioned vulnerability.