Jira Align cloud instances fail a Third-Party Security check for cookies not having the secure attribute
Summary
A third-party security scan of a customer Jira Align cloud instance returned a High security risk for: Cookie Does Not Contain The "secure" Attribute
The report indicated the risk was:
CWE-614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Environment
Jira Align
Diagnosis
A GET request to the instance shows that the Set-Cookie header for the AWS Application Load Balancer cookie (AWSALB) does not include the secure attribute. The same report may show that, while the attribute was missing for AWSALB, it was set for AWSALBCORS.
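To reproduce the check the scanner performs and separate the documented AWSALB case from cookies that genuinely need fixing, here is an added example (not Atlassian or Jira Align code). It parses Set-Cookie header values and reports each cookie's Secure status. The header lines are constructed placeholders shaped like the finding above, and the `DOCUMENTED_EXCEPTIONS` set is an assumption drawn from this article, not an Atlassian-maintained list.

```python
"""Audit Set-Cookie headers for the Secure attribute (CWE-614).

Added example, not Jira Align / Atlassian code. Parses raw Set-Cookie
values, flags cookies lacking Secure, and records the AWSALB case
described in this article as a documented exception rather than a finding.
"""
import urllib.request

# Constructed sample header values shaped like the scan finding above.
# Cookie values are placeholders, not real session material.
SAMPLE_SET_COOKIE_HEADERS = [
    "AWSALB=PLACEHOLDER_VALUE; Expires=Thu, 01 Jan 2026 00:00:00 GMT; Path=/",
    "AWSALBCORS=PLACEHOLDER_VALUE; Expires=Thu, 01 Jan 2026 00:00:00 GMT; "
    "Path=/; SameSite=None; Secure",
    "JSESSIONID=PLACEHOLDER_VALUE; Path=/; HttpOnly; Secure",
    "tracking=PLACEHOLDER_VALUE; Path=/",
]

# Assumption: cookies whose attributes the operator cannot change and that
# carry no sensitive data. This article documents AWSALB as such a case.
DOCUMENTED_EXCEPTIONS = {"AWSALB"}


def parse_set_cookie(header_value):
    """Return (cookie_name, {lowercase attribute names}) for one Set-Cookie value."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = set()
    for part in parts[1:]:
        # Attributes such as Expires=... carry a value; flags such as Secure do not.
        attr_name = part.split("=", 1)[0].strip().lower()
        if attr_name:
            attrs.add(attr_name)
    return name, attrs


def audit_cookies(header_values):
    """Classify each cookie as 'ok', 'excepted' (documented) or 'finding'."""
    results = {}
    for value in header_values:
        name, attrs = parse_set_cookie(value)
        secure = "secure" in attrs
        if secure:
            status = "ok"
        elif name in DOCUMENTED_EXCEPTIONS:
            status = "excepted"
        else:
            status = "finding"
        results[name] = {
            "secure": secure,
            "httponly": "httponly" in attrs,
            "status": status,
        }
    return results


def fetch_set_cookie_headers(url):
    """Fetch a URL over HTTPS and return its raw Set-Cookie values (network call; not run in the demo)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.headers.get_all("Set-Cookie") or []


if __name__ == "__main__":
    # Offline demo over the constructed headers; swap in
    # fetch_set_cookie_headers("https://<your-instance>/") for a live check.
    for cookie_name, info in audit_cookies(SAMPLE_SET_COOKIE_HEADERS).items():
        print(f"{cookie_name:12} secure={info['secure']!s:5} status={info['status']}")
```

Cookies reported as `finding` are the ones worth raising with the application owner; `excepted` entries are the load-balancer cookies this article explains, which should be recorded as a scan exception rather than a defect.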
Cause
The following information was provided by the Jira Align Developers:
AWS does not support adding or changing the attributes for the Application Load Balancer (AWSALB) cookies. The contents of the load balancer-generated cookies are encrypted with a rotating key and cannot be decrypted or modified. Regardless, the AWSALB cookies do not contain sensitive information and their sole purpose is to determine the request's backend destination when stickiness is enabled.
Solution
Cookies for AWSALB will always lack the Secure attribute, as AWS does not support changing attributes for the AWS Load Balancer cookies. Additionally, the content of these cookies is encrypted and does not contain sensitive information, which means the Secure attribute is not required.
Customers will need to record an exception for this finding (for Jira Align, specifically the AWS Load Balancer cookie) for future security scans.
Related Content:
CWE - CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute (4.13)