Atlassian makes the headlines again. After the disclosure of Confluence’s remote-code execution vulnerability (CVE-2022-26134), Atlassian has released multiple security advisories for critical vulnerabilities. Together with the CVE-2022-26138 announcement, an advisory covering two more vulnerabilities – CVE-2022-26136 and CVE-2022-26137 – was also released.
While CVE-2022-26134 and CVE-2022-26138 affect only Confluence, these new CVEs affect multiple Atlassian products, so they undoubtedly expand the attack surface against Atlassian customers.
Since not much technical information has been provided by Atlassian yet, let’s explore what we already know.
What are CVE-2022-26136 and CVE-2022-26137?
CVE-2022-26136 and CVE-2022-26137 (official advisory here) are vulnerabilities in the implementation of Java Servlet Filters within Atlassian products.
First, servlets are Java programs that run on a web server or application server. They handle and process requests received from the web server and produce a response.
This concept is relevant for Atlassian customers because Java Servlets can be used to build apps. Apps, formerly called add-ons or plugins, are software that changes or extends the functionality of Atlassian’s products.
Atlassian allows its customers to deploy Java Servlet applications in their plugins for their own purposes.
Another common concept for Java programmers is the Servlet Filter. A filter is part of Servlet programming: it is a piece of code executed before (preprocessing) or after (postprocessing) a request is handled, so the filter effectively acts as a “wrapper” around the servlet. It intercepts HTTP requests and is used for various purposes such as enforcing authentication or authorization, encryption, logging, and auditing.
Now, let’s go back to our CVEs.
They both relate to the Servlet Filter mechanism but in different ways.
CVE-2022-26136 is a bypass vulnerability that allows an unauthenticated attacker to bypass a Servlet Filter invocation used by first- and third-party apps. Since servlet filters serve a wide range of purposes, Atlassian could not enumerate all possible consequences, but two major attacks were mentioned in the advisory: authentication bypass and Cross-site Scripting (XSS).
If a servlet filter is used as an authentication filter for an application, an unauthenticated attacker can possibly exploit the vulnerability to bypass the filter.
If a servlet filter is used to validate Atlassian Gadgets, exploitation of the vulnerability may result in a successful XSS attack.
The second vulnerability – CVE-2022-26137 – could result in the invocation of an additional servlet filter by a malicious actor. Atlassian fixed the only security issue it could identify, a Cross-origin resource sharing (CORS) bypass: the attacker could cause the invocation of an unexpected Servlet Filter that responds to CORS requests, thereby bypassing the restrictions of the CORS mechanism.
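As an added illustration (not Atlassian’s code, and not the vulnerable code path itself), here is a minimal Java servlet filter that enforces authentication as preprocessing, with the wrapped servlet re-checking the session so that a skipped filter invocation, the CVE-2022-26136 scenario, does not grant access on its own. The URL paths and the `userKey` session attribute are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Preprocessing filter: refuses requests that carry no authenticated session. */
@WebFilter("/plugins/servlet/report/*")   // hypothetical plugin servlet path
public class AuthFilter implements Filter {
    static boolean isAuthenticated(HttpServletRequest request) {
        HttpSession session = request.getSession(false); // never create a session here
        return session != null && session.getAttribute("userKey") != null; // assumed attribute
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (!isAuthenticated(request)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;                       // the wrapped servlet is never reached
        }
        request.setAttribute("authFilterRan", Boolean.TRUE); // server-side marker
        chain.doFilter(req, res);         // next filter in the chain, then the servlet
        // Postprocessing: runs after the servlet has produced its response
        request.getServletContext().log("report served to "
                + request.getSession(false).getAttribute("userKey"));
    }
}

/** The wrapped servlet: repeats the check rather than trusting that the filter ran. */
@WebServlet("/plugins/servlet/report")
class ReportServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // Defense in depth: if the filter invocation was bypassed, the marker is absent
        // and the servlet still refuses unauthenticated callers.
        if (request.getAttribute("authFilterRan") == null || !AuthFilter.isAuthenticated(request)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        response.setContentType("text/plain");
        response.getWriter().println("report for " + request.getSession(false).getAttribute("userKey"));
    }
}
```

The request attribute is set only on the server side, so a client cannot supply it; the servlet’s own session check is what matters when the filter is not invoked at all.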
Do they affect me?
If you use one of Atlassian’s on-premises products, you are probably vulnerable in some way.
The following products are vulnerable to the CVEs:
- Bamboo Server and Data Center
- Bitbucket Server and Data Center
- Confluence Server and Data Center
- Crowd Server and Data Center
- Fisheye and Crucible
- Jira Server and Data Center
- Jira Service Management Server and Data Center
Have they been actively exploited in the wild?
So far there is no indication of exploitation of these CVEs in the wild, but as we saw with past critical Atlassian issues, threat actors will probably leverage these CVEs for their malicious activities.
How to fix CVE-2022-26136 and CVE-2022-26137?
If you operate one of the affected products, please review the affected versions in the advisory.
Please note that no workaround has been found yet, so it is strongly recommended to upgrade to the fixed versions.
Next steps
Each new vulnerability is a reminder of where we stand, and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors:
- https://vulcan.io/blog/the-most-common-cves-and-how-to-fix-them/
- https://vulcan.io/blog/fixing-cve-2021-34527/
- https://mitremapper.voyager18.io/
- https://cyber-risk-community.slack.com/ssb/redirect
- https://vulcan.io/remedy-cloud/
And finally…
Don’t get found out by new vulnerabilities. Vulcan Cyber gives you full visibility and oversight of your threat environment and lets you prioritize, remediate and communicate your cyber risk across your entire organization. Get a demo today.