Atlassian Authentication Bypass

Atlassian has published a security advisory to alert that its Jira and Jira Service Management products are affected by a critical authentication bypass vulnerability in Seraph, the company’s web application security framework.

Seraph is used in Jira and Confluence for handling all login and logout requests via a system of pluggable core elements.

The flaw is tracked as CVE-2022-0540 and comes with a severity rating of 9.9. It allows a remote attacker to bypass authentication by sending a specially crafted HTTP request to vulnerable endpoints.

The affected products are Jira Core Server, Software Data Center, Software Server, the Service Management Server, and the Management Data Center. More specifically, the following versions are impacted:

  • Jira Core Server, Software Server, and Software Data Center before 8.13.18, the 8.14.x, 8.15.x, 8.16.x, 8.17.x, 8.18.x, 8.19.x, 8.20.x before 8.20.6, and 8.21.x.
  • Jira Service Management Server and Management Data Center before 4.13.18, the 4.14.x, 4.15.x, 4.16.x, 4.17.x, 4.18.x, 4.19.x, 4.20.x before 4.20.6, 4.21.x.

The vulnerability does not impact the cloud versions for Jira and Jira Service Management.

Atlassian specifies that remote attackers can only compromise the impacted products if they use a specific configuration in Seraph, which is detailed as follows:

Although the vulnerability is in the core of Jira, it affects first and third-party apps that specify “roles required” at the “webwork1” action namespace level and do not specify it at an “action” level.

Vulnerable apps

The severity of exploiting CVE-2022-0540 also varies depending on the apps used and whether they use additional permission checks on top of those in Seraph’s configuration.

The two bundled apps affected by the flaw are “Insight – Asset Management” and “Mobile Plugin” for Jira. For a complete list of the affected apps, check the middle section of Atlassian’s advisory.

Affected Jira Versions

This includes the following products:

  • Jira Core Server
  • Jira Software Server
  • Jira Software Data Center
  • All versions before 8.13.18
  • 8.14.x
  • 8.15.x
  • 8.16.x
  • 8.17.x
  • 8.18.x
  • 8.19.x
  • 8.20.x before 8.20.6
  • 8.21.x

Fixed Jira Versions

  • 8.13.x >= 8.13.18
  • 8.20.x >= 8.20.6
  • All versions >= 8.22.0

Third-party apps, like those outside the Atlassian Marketplace or developed in-house by customers, are also impacted if they rely on a vulnerable configuration.

If no impacted apps are used in Jira, then the severity of the vulnerability drops down to medium.

Fix and workarounds

The versions that include the security updates are Jira Core Server, Software Server, and Software Data Center 8.13.x >= 8.13.18, 8.20.x >= 8.20.6, and all versions from 8.22.0 and later.

As for the Jira Service Management, the fixed versions are 4.13.x >= 4.13.18, 4.20.x >= 4.20.6, and 4.22.0 and later.

Users are strongly advised to update to one of the versions above. If this is not possible at this time, Atlassian recommends updating the affected apps to a version that has remediated the risk or disabling the vulnerable apps until patching is possible.

Those using Jira Service Management 4.19.x, and 4.20.x