Ambientia's response to CVE-2022-0540 (Authentication Bypass in Atlassian Jira)
Incident Report for Ambientia
This incident has been resolved.
Posted May 19, 2022 - 13:06 EEST
On April 20th 2022 at 20:00 EEST, Atlassian has published a critical security advisory affecting majority of on-premise installed Jira-products (Jira Core, Jira Software, Jira Service Desk), excluding only a few of the most recent releases. A remote, unauthenticated attacker could exploit the vulnerability by requesting a specially crafted URL which would then bypass authentication and authorization in certain parts of the application, mainly in the first and third party apps, resulting at least in information disclosure, but also possibly in elevation of privileges.

Although the vulnerability is in the core of Jira (or more specifically in the authentication framework used by Jira, Seraph), it affects first party (provided by Atlassian) and third party (provided via Atlassian Marketplace) apps that use a vulnerable configuration.

We at Ambientia are working hard to secure our customers' environments against this vulnerability. Our primary approach is to mitigate the vulnerability in the short term by upgrading all the affected apps (plugins). In the case that we are not able to upgrade the plugins to a non-vulnerable version (e.g. because the Jira version in the environment in question does not support newer versions of the plugins), we have been upgrading Jira itself to a fixed version, which also provides a long term fix for the issue. We are in direct contact with all the customers who are affected and provide information on what type of approach has been taken now and what actions (if any) need still to be done.

The long term solution to protect against this vulnerability is to do an upgrade to a fixed Jira version, meaning that all customers should be prepared for an upgrade shortly, including those customers whose environments have been temporarily protected by updating the plugins.

We are closely monitoring the situation and are prepared to take additional measures if so required.
Posted Apr 20, 2022 - 20:13 EEST