Multiple Products Security Advisory - CVE-2022-26136, CVE-2022-26137

Summary

Servlet Filter Dispatcher Vulnerabilities in Multiple Products

Advisory Release Date

10:00 AM PDT (Pacific Time, -7 hours)

Affected Products

  • Bamboo Server and Data Center

  • Bitbucket Server and Data Center

  • Confluence Server and Data Center

  • Crowd Server and Data Center

  • Fisheye and Crucible

  • Jira Server and Data Center

  • Jira Service Management Server and Data Center

Atlassian Cloud sites are not affected.

Fixes have been deployed to Atlassian Cloud sites. If your Atlassian site is accessed via a bitbucket.org or an atlassian.net domain, it is an Atlassian Cloud site.

CVE ID(s)

CVE-2022-26136
CVE-2022-26137

Summary of Vulnerabilities

Servlet Filter Overview

A Servlet Filter is Java code that intercepts and processes HTTP requests before a client request is sent to a back end resource. They’re also used to intercept and process HTTP responses from a back end resource before they’re sent to a client. Some Servlet Filters provide security mechanisms such as logging, auditing, authentication, or authorization.

Arbitrary Servlet Filter Bypass (CVE-2022-26136)

A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. Atlassian has not exhaustively enumerated all potential consequences of this vulnerability, and has only confirmed the attacks listed below. Please note that Atlassian has released updates that fix the root cause for all products affected by this vulnerability, including any first or third party apps installed on each product.

Authentication bypass. Sending a specially crafted HTTP request can bypass custom Servlet Filters used by third party apps to enforce authentication. A remote, unauthenticated attacker can exploit this to bypass authentication used by third party apps. Please note Atlassian has confirmed this attack is possible, but has not determined a list of all affected apps.

Cross-site scripting (XSS). Sending a specially crafted HTTP request can bypass the Servlet Filter used to validate legitimate Atlassian Gadgets, which can result in cross-site scripting (XSS). An attacker who can trick a user into requesting a malicious URL can execute arbitrary JavaScript in the user’s browser.

Additional Servlet Filter Invocation (CVE-2022-26137)

A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability:

Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim’s permissions.
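To make the Servlet Filter overview above concrete, and to show why a control that only exists in a filter should not be the sole gate in front of a resource, the following is an added example written for this page. It is not Atlassian code and not code from any affected app. It assumes a Servlet 3.0 or later container (the javax.servlet API); the `/admin/*` mapping, the `example.authenticatedUser` session attribute and the class names are hypothetical.

```java
// Added example, not Atlassian code. Assumes a javax.servlet 3.0+ container.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Runs before the protected resource: rejects requests without an authenticated session. */
@WebFilter(urlPatterns = "/admin/*") // hypothetical mapping
public class AuthFilter implements Filter {
    // Hypothetical session attribute name used only by this example.
    static final String USER_ATTR = "example.authenticatedUser";

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Request side: inspect the request before the back-end resource sees it.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return; // fail closed: the chain is not continued
        }
        chain.doFilter(req, res);

        // Response side: runs after the resource, before the response reaches the client.
        response.setHeader("Cache-Control", "no-store");
    }

    /** Protected resource: re-checks the principal instead of assuming the filter ran. */
    @WebServlet("/admin/status") // hypothetical path
    public static class AdminStatusServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest request, HttpServletResponse response)
                throws IOException {
            HttpSession session = request.getSession(false);
            Object user = session == null ? null : session.getAttribute(USER_ATTR);
            if (user == null) {
                // Defense in depth: the filter mapping is not the only authorization control,
                // so a request that reaches this servlet without passing the filter is still denied.
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            response.setContentType("text/plain");
            response.getWriter().println("ok for " + user);
        }
    }
}
```

The two interception points the overview describes are the code before and after `chain.doFilter`. The servlet's own check is the part that matters for a filter-dispatch bug of the kind described in this advisory: when a filter can be skipped, only a resource that verifies the principal itself keeps denying the request.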

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT environment.

Affected Versions

Each product below is followed by its affected version ranges.

Bamboo Server and Data Center

  • Versions < 7.2.9

  • 8.0.x < 8.0.9

  • 8.1.x < 8.1.8

  • 8.2.x < 8.2.4

Warning: 7.2.9 is not affected, but it contains an unrelated non-security bug. Refer to the fixed versions section below for more information.

Bitbucket Server and Data Center

  • Versions < 7.6.16

  • All versions 7.7.x through 7.16.x

  • 7.17.x < 7.17.8

  • All versions 7.18.x

  • 7.19.x < 7.19.5

  • 7.20.x < 7.20.2

  • 7.21.x < 7.21.2

  • 8.0.0

  • 8.1.0

Confluence Server and Data Center

  • Versions < 7.4.17

  • All versions 7.5.x through 7.12.x

  • 7.13.x < 7.13.7

  • 7.14.x < 7.14.3

  • 7.15.x < 7.15.2

  • 7.16.x < 7.16.4

  • 7.17.x < 7.17.4

  • 7.18.0

Crowd Server and Data Center

  • Versions < 4.3.8

  • 4.4.x < 4.4.2

  • 5.0.0

Crucible

  • Versions < 4.8.10

Fisheye

  • Versions < 4.8.10

Jira Server and Data Center

  • Versions < 8.13.22

  • All versions 8.14.x through 8.19.x

  • 8.20.x < 8.20.10

  • All versions 8.21.x

  • 8.22.x < 8.22.4
    Warning: 8.22.4 is not affected, but it contains an unrelated non-security bug. Refer to the fixed versions section below for more information.

Jira Service Management Server and Data Center

  • Versions < 4.13.22

  • All versions 4.14.x through 4.19.x

  • 4.20.x < 4.20.10

  • All versions 4.21.x

  • 4.22.x < 4.22.4
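Applying the affected-version table across many installations is easier as code. The following is an added example, not an Atlassian tool: it transcribes the ranges listed above for three of the products into half-open version intervals and checks a constructed inventory against them. It assumes Java 11 or later and product names written exactly as they appear in the table; the inventory rows are constructed sample data, not real hosts.

```java
// Added example, not Atlassian code. Assumes Java 11+.
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public final class AffectedVersionCheck {

    /** Numeric, component-wise comparison of dotted versions ("8.22.4" is newer than "8.9.0"). */
    static int compare(String a, String b) {
        String[] x = a.split("\\."), y = b.split("\\.");
        for (int i = 0; i < Math.max(x.length, y.length); i++) {
            int p = i < x.length ? Integer.parseInt(x[i]) : 0;
            int q = i < y.length ? Integer.parseInt(y[i]) : 0;
            if (p != q) return Integer.compare(p, q);
        }
        return 0;
    }

    /** Half-open range [lo, hi): "8.20.x < 8.20.10" becomes [8.20.0, 8.20.10). */
    static final class Range {
        final String lo, hi;
        Range(String lo, String hi) { this.lo = lo; this.hi = hi; }
        boolean contains(String v) { return compare(v, lo) >= 0 && compare(v, hi) < 0; }
    }

    // Transcribed from the Affected Versions table above for three products; the remaining
    // products follow the same pattern. "Versions < 8.13.22" is [0, 8.13.22);
    // "All versions 8.14.x through 8.19.x" is [8.14.0, 8.20.0); a bare "7.18.0" is [7.18.0, 7.18.1).
    static final Map<String, List<Range>> AFFECTED = new LinkedHashMap<>();
    static {
        AFFECTED.put("Bamboo Server and Data Center", List.of(
            new Range("0", "7.2.9"), new Range("8.0.0", "8.0.9"),
            new Range("8.1.0", "8.1.8"), new Range("8.2.0", "8.2.4")));
        AFFECTED.put("Confluence Server and Data Center", List.of(
            new Range("0", "7.4.17"), new Range("7.5.0", "7.13.0"),
            new Range("7.13.0", "7.13.7"), new Range("7.14.0", "7.14.3"),
            new Range("7.15.0", "7.15.2"), new Range("7.16.0", "7.16.4"),
            new Range("7.17.0", "7.17.4"), new Range("7.18.0", "7.18.1")));
        AFFECTED.put("Jira Server and Data Center", List.of(
            new Range("0", "8.13.22"), new Range("8.14.0", "8.20.0"),
            new Range("8.20.0", "8.20.10"), new Range("8.21.0", "8.22.0"),
            new Range("8.22.0", "8.22.4")));
    }

    /** Returns true when the given product/version falls inside an affected range. */
    static boolean isAffected(String product, String version) {
        List<Range> ranges = AFFECTED.get(product);
        if (ranges == null) throw new IllegalArgumentException("product not in table: " + product);
        for (Range r : ranges) if (r.contains(version)) return true;
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample inventory, not real hosts.
        String[][] inventory = {
            {"Jira Server and Data Center", "8.20.9"},        // inside [8.20.0, 8.20.10): affected
            {"Jira Server and Data Center", "8.22.4"},        // equal to the upper bound: fixed
            {"Confluence Server and Data Center", "7.12.3"},  // inside [7.5.0, 7.13.0): affected
            {"Bamboo Server and Data Center", "9.0.0"},       // above every range: fixed
        };
        for (String[] row : inventory) {
            System.out.printf("%-36s %-8s %s%n", row[0], row[1],
                isAffected(row[0], row[1]) ? "AFFECTED - upgrade" : "not in an affected range");
        }
    }
}
```

The half-open intervals match the table's wording directly: every "x.y.x < x.y.z" bullet ends exactly at the first fixed version in that line, so a version equal to the fixed release is reported as not affected. The 8.22.4 warning in the table still applies to that release even though this check reports it as outside the affected ranges.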

Fixed Versions

Each product below is followed by the versions that contain the fix.

Bamboo Server and Data Center

  • 7.2.x >= 7.2.9

  • 8.0.x >= 8.0.9

  • 8.1.x >= 8.1.8

  • 8.2.x >= 8.2.4

  • Versions >= 9.0.0

Bitbucket Server and Data Center

  • 7.6.x >= 7.6.16 (LTS)

  • 7.17.x >= 7.17.8 (LTS)

  • 7.19.x >= 7.19.5

  • 7.20.x >= 7.20.2

  • 7.21.x >= 7.21.2 (LTS)

  • 8.0.x >= 8.0.1

  • 8.1.x >= 8.1.1

  • Versions >= 8.2.0

Confluence Server and Data Center

  • 7.4.x >= 7.4.17 (LTS)

  • 7.13.x >= 7.13.7 (LTS)

  • 7.14.x >= 7.14.3

  • 7.15.x >= 7.15.2

  • 7.16.x >= 7.16.4

  • 7.17.x >= 7.17.4

  • 7.18.x >= 7.18.1

Crowd Server and Data Center

  • 4.3.x >= 4.3.8

  • 4.4.x >= 4.4.2

  • Versions >= 5.0.1

Crucible

  • Versions >= 4.8.10

Fisheye

  • Versions >= 4.8.10

Jira Server and Data Center

  • 8.13.x >= 8.13.22 (LTS)

  • 8.20.x >= 8.20.10 (LTS)

  • 8.22.x >= 8.22.4
    Warning: 8.22.4 contains a high-impact non-security bug. Atlassian recommends updating to the latest version (currently 8.22.6).

  • Versions >= 9.0.0

Jira Service Management Server and Data Center

  • 4.13.x >= 4.13.22 (LTS)

  • 4.20.x >= 4.20.10 (LTS)

  • 4.22.x >= 4.22.4
    Warning: 4.22.5 contains a security vulnerability. Atlassian recommends updating to the latest version (currently 4.22.6).

  • Versions >= 5.0.0

Release Notes

Atlassian recommends that you upgrade to the latest version. For a full description of the latest versions, see the release notes for your product:

Downloads

Workarounds

There are no known workarounds. To remediate this vulnerability, update each affected product installation to a fixed version listed above.

Acknowledgements

Atlassian would like to thank Khoadha of Viettel Cyber Security for finding and reporting this vulnerability.

Frequently Asked Questions

We’ll update the FAQ for CVE-2022-26136 / CVE-2022-26137 with answers for commonly asked questions.

Related Tickets

Support

If you did not receive an email for this advisory and you wish to receive such emails in the future go to https://my.atlassian.com/email and subscribe to Alerts emails.

If you have questions or concerns regarding this advisory, raise a support request at https://support.atlassian.com/.

References

Security Bug Fix Policy

As per our new policy, high security bug fixes will be backported in accordance with https://www.atlassian.com/trust/security/bug-fix-policy. We will release new maintenance releases for the versions covered by the policy instead of binary patches.

Binary patches are no longer released.

Severity Levels for Security Issues

Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org.

Atlassian Support End of Life Policy

Our end of life policy varies for different products. Please refer to our EOL Policy for details.

Last modified on Jul 25, 2022
