On April 20th 2022, Atlassian released a security advisory for Jira and Jira Service Management, regarding an authentication bypass vulnerability in its web authentication framework, Jira Seraph.
Please Note: JIRA Cloud customers are NOT affected by this vulnerability.
Summary of this issue CVE-2022-0540
Although the vulnerability is in the core of Jira, it affects first and third-party apps that specify roles-required at the webwork1 action namespace level and do not specify it at an action level. For a specific action to be affected, the action will also need to not perform any other authentication or authorization checks.
Jira on its own is not vulnerable; the vulnerability arises when installed plugins rely on this particular functionality. Thus, for an installation to be vulnerable, you must be using a vulnerable version of Jira or Jira Service Management and have one of the specific plugins installed and active. Unfortunately for most users, the vulnerable plugins include some that are installed and enabled by default, specifically the Mobile Application for Jira add-on.
What is the Issue?
A remote attacker can exploit a vulnerability (CVE-2022-0540) in affected Server and Data Center versions of Jira and Jira Service Management by requesting a specially crafted URL which bypasses authentication and authorization requirements in WebWork actions. Any first or third party applications that specify roles-required at the webwork1 action namespace level and do not specify it at an action level are vulnerable. Atlassian rates this vulnerability as critical.
Which Jira versions are affected?
The affected versions of Jira Core Server, Jira Software Server, and Jira Software Data Center are:
- All versions before 8.13.18
- 8.14.x
- 8.15.x
- 8.16.x
- 8.17.x
- 8.18.x
- 8.19.x
- 8.20.x before 8.20.6
- 8.21.x
Fixed Jira versions
- 8.13.18
- 8.20.6
- 8.22.0
Which Jira Service Management versions are affected?
The affected versions of Jira Service Management Server and Jira Service Management Data Center are:
- All versions before 4.13.18
- 4.14.x
- 4.15.x
- 4.16.x
- 4.17.x
- 4.18.x
- 4.19.x
- 4.20.x before 4.20.6
- 4.21.x
Fixed Jira Service Management versions
- 4.13.18
- 4.20.6
- 4.22.0
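The two version lists above can be turned into an inventory check. The following is an added example, not code from Atlassian or from the original post; the host names and the inventory are constructed, and treating every release at or above 8.22.0 / 4.22.0 as fixed is an assumption.

```python
# First fixed release per long-term line and the first fully fixed release,
# copied from the "Fixed ... versions" lists above.
FIXED = {
    "jira": {"lines": {(8, 13): (8, 13, 18), (8, 20): (8, 20, 6)},
             "first_fixed": (8, 22, 0)},
    "jsm": {"lines": {(4, 13): (4, 13, 18), (4, 20): (4, 20, 6)},
            "first_fixed": (4, 22, 0)},
}

def parse_version(text):
    """'8.20' -> (8, 20, 0); raises ValueError on non-numeric parts."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(product, version):
    """True if the version falls in an affected range for 'jira' or 'jsm'."""
    table = FIXED[product]
    v = parse_version(version)
    if v >= table["first_fixed"]:          # assumption: later releases keep the fix
        return False
    fixed_in_line = table["lines"].get(v[:2])
    if fixed_in_line is not None:          # 8.13.x / 8.20.x (4.13.x / 4.20.x)
        return v < fixed_in_line
    return True                            # every other line below first_fixed

# Constructed inventory: (host, product, version).
INVENTORY = [
    ("jira-prod.example.internal", "jira", "8.20.5"),
    ("jira-test.example.internal", "jira", "8.20.6"),
    ("jira-legacy.example.internal", "jira", "7.13.0"),
    ("desk-prod.example.internal", "jsm", "4.21.1"),
    ("desk-dr.example.internal", "jsm", "4.13.18"),
]

def triage(inventory):
    """Hosts on an affected version; still check which apps are enabled."""
    return [host for host, product, ver in inventory if is_affected(product, ver)]

if __name__ == "__main__":
    for host in triage(INVENTORY):
        print("affected version:", host)
```

An affected version is only half of the condition: the instance must also have one of the affected apps installed and active.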
Which Apps Are Affected with CVE-2022-0540?
Atlassian provided an expandable table for the affected apps in the “Determining which apps are affected” section of the Atlassian advisory notice.
Two of the applications that can result in a vulnerable configuration are Atlassian plugins that are included by default in Jira and Jira Service Management: Insight Asset Management for Jira Service Management, which has been included in all versions of JSM since version 4.15.0, and Mobile Plugin for Jira, which has been included in all 8.x releases of Jira and 4.x releases of Jira Service Management. This means that most users of Jira and Jira Service Management are vulnerable to this security advisory.
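For in-house apps that do not appear in Atlassian's table, the condition described earlier (roles-required set at the webwork1 level but not on the action) can be checked in the app's plugin descriptor. This is an added example, not Atlassian's or the original post's code; the sample descriptor is constructed, and the `webwork1`/`actions`/`action` layout is assumed to follow the usual `atlassian-plugin.xml` format.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not taken from any real app).
SAMPLE_DESCRIPTOR = """\
<atlassian-plugin key="com.example.demo" name="Demo App" plugins-version="2">
  <webwork1 key="admin-actions" name="Admin Actions" roles-required="admin">
    <actions>
      <action name="com.example.demo.ConfigAction" alias="DemoConfig">
        <view name="success">/templates/config.vm</view>
      </action>
      <action name="com.example.demo.AuditAction" alias="DemoAudit"
              roles-required="admin">
        <view name="success">/templates/audit.vm</view>
      </action>
    </actions>
  </webwork1>
  <webwork1 key="public-actions" name="Public Actions">
    <actions>
      <action name="com.example.demo.PingAction" alias="DemoPing"/>
    </actions>
  </webwork1>
</atlassian-plugin>
"""

def find_namespace_only_actions(descriptor_xml):
    """Return (module key, action alias, inherited roles) for every action that
    relies on a webwork1-level roles-required and declares none of its own."""
    # Only parse descriptors from apps you trust; use defusedxml otherwise.
    root = ET.fromstring(descriptor_xml)
    findings = []
    for module in root.iter("webwork1"):
        roles = (module.get("roles-required") or "").strip()
        if not roles:
            continue  # no namespace-level restriction to rely on
        for action in module.iter("action"):
            if not (action.get("roles-required") or "").strip():
                alias = action.get("alias") or action.get("name")
                findings.append((module.get("key"), alias, roles))
    return findings

if __name__ == "__main__":
    for key, alias, roles in find_namespace_only_actions(SAMPLE_DESCRIPTOR):
        print(f"review: module={key} action={alias} "
              f"relies on namespace-level roles-required={roles}")
```

A finding is a candidate for review, not a confirmed issue: an action is only affected if it also performs no other authentication or authorization checks of its own.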
What should you do?
Installing a fixed version of Jira or Jira Service Management is the surest way to remediate CVE-2022-0540. Once a fixed version has been installed, all apps in your instance are protected against CVE-2022-0540 and no further action is required. Please reach out to Oxalis if you’re affected by this vulnerability and would like assistance.
Not Ready to upgrade, or can’t upgrade quickly?
There are various reasons why you may not be able to quickly upgrade to a fixed version of Jira or Jira Service Management, such as:
- Outdated DB – There are many older platforms that Jira no longer supports, which would block a potential upgrade to the latest version. Check out the list of Atlassian supported platforms for the latest versions here.
- Marketplace App compatibility – There are thousands of third-party applications in the Atlassian ecosystem, and many instances have at least several installed. These Apps usually lag behind the latest Jira versions for compatibility if major changes are made, and need to be reviewed before performing the upgrade.
- Change Management overhead – Many organizations have a robust change management process in place which may cause a delay in a system upgrade. While we do recommend having a robust change management process in place, there must be bypasses specifically for situations such as this security vulnerability.
If you cannot upgrade Jira or Jira Service Management, you can take one of the following actions –
- Upgrade vulnerable plugins to non-impacted versions.
- Disable vulnerable plugins – note that this will remove provided functionality and should be considered a worst-case option. For JSM, disabling Insight Asset Management may have the further impact of removing all service management functionality.
How to avoid future risks?
Migrate to Atlassian Cloud
At the beginning of 2021, Atlassian announced their journey to cloud, showing their dedication to the Cloud products and services. Even though they will be decommissioning their Server offering, their Data Center platform will continue to be supported. There are many considerations to take into account before deciding to migrate to Atlassian Cloud, but it is certainly worth considering, as it is clear that Atlassian is focusing their efforts towards the Cloud.
- Not a Lift-and-Shift – Migrating from Server/Data Center to Atlassian Cloud is not simply a lift-and-shift effort. There are many differences between the on-premise and cloud versions of Atlassian’s applications, along with differences in the Marketplace Apps. A short discovery effort is recommended to plan and map your migration effort to ensure success. You can learn more about our migration approach here.
- Compliance – It’s possible Atlassian Cloud may not meet your compliance needs. Currently, Atlassian Cloud does NOT meet the following compliance standards:
  - HIPAA
  - FedRAMP Moderate
  - NIST 800.53

  Review Atlassian’s cloud roadmap to see when they plan on meeting these compliance standards.
- Trust – Atlassian’s team is dedicated to keeping the trust of their customers, and has you covered. Review information about security, reliability, privacy, and compliance for their products and services here.
Stay Up To Date
Staying on the most recent version continues to be the best strategy. When a system is stable, it is easy to stay with what works and fall out of date. For Oxalis customers on Server and Data Center versions of Atlassian products, we perform regular updates, which in this case means users were on fixed versions since February 2022.
Build Security at Depth
While implementing zero trust architectures can be challenging, choosing architectural patterns that allow for isolation and segmentation of infrastructure components both reduces blast radius and limits exploitation.
We are here to help
If you need help understanding if you’re at risk with CVE-2022-0540, hardening your existing infrastructure, are looking for ongoing maintenance help, or want to move to a more compliant infrastructure, our award-winning team is here to help. As a group of technology consultants and product leaders that operate in various high-compliance industries, Oxalis has a strong focus on security. We don’t just care when vulnerabilities occur; security is a key piece of how we operate as a firm.