Atlassian has reportedly released multiple fixes to patch a critical severity authentication vulnerability in its powerful ITSM tool—Jira Service Management Server and Data Center.
Jira Service Management Server and Jira Service Management Data Center run on top of Jira Core and enable future-focused enterprises to connect Dev, IT Ops, and business teams to boost productivity.
Breaking Down the Vulnerability
The broken-authentication issue first appears in version 5.3.0; the affected releases are 5.3.0 to 5.3.1 and 5.4.0 to 5.5.0.
In its advisory, Atlassian classed the flaw as ‘critical severity’ on the company’s own severity scale. Tracked as CVE-2023-22501, the bug was assigned a CVSS score of 9.4 by Atlassian.
If left unpatched, the bug could be exploited by threat actors to impersonate legitimate users and, in specific cases, gain access to Jira Service Management instances, according to Infosecurity Magazine (reported by PERTI).
“With write access to a User Directory and outgoing email enabled on a Jira Service Management instance, an attacker could gain access to sign-up tokens sent to users with accounts that have never been logged into,” the company explained in its advisory.
“Access to these tokens can be obtained in two cases: If the attacker is included on Jira issues or requests with these users, or if the attacker is forwarded or otherwise gains access to emails containing a ‘View Request’ link from these users,” Atlassian explained.
Once the vulnerability has been exploited and a password change follows, no email notifying the account owner of the change is sent, which makes detecting the account compromise very difficult.
In the advisory, Atlassian warned that bot accounts are more likely than others to fall prey to attackers.
As of the most recent reports, this authentication bypass has not been exploited maliciously in the wild.
Atlassian Urges Admins to Upgrade Their Jira Software
As part of its effort to help admins address the vulnerability, Atlassian, in the above-mentioned advisory, has announced patches in Jira versions 5.3.3, 5.4.2, 5.5.1, 5.6.0, and later.
The productivity software giant has urged admins to upgrade to the latest fixed versions of the software to mitigate the authentication flaw before attackers can hold sway over their accounts.
However, for users who cannot upgrade their installations immediately, Atlassian has offered a temporary workaround: a JAR file that can be used to manually update the “servicedesk-variable-substitution-plugin.”
Admins who apply the upgrade can also be notified of which accounts had been compromised while the older version was deployed.
However, upgrading a software instance is highly disruptive and involves intricate steps. For businesses seeking a smooth upgrade to the latest Jira versions, investing in a high-end Atlassian consultancy service like Automation Consultants is a sensible decision.
By executing periodic security audits of Atlassian products like Jira, Bitbucket, and Confluence, a class-leading consultancy service with Atlassian experts can help teams evaluate the security posture of their Atlassian stack.
Atlassian suggests admins force a password reset on all potentially compromised accounts, after first confirming those accounts’ email addresses.
The company recommends that users disconnect and shut down a breached server as soon as the breach is detected, in order to limit its extent.
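The detection problem described above (a password changed on an account that has never logged in, with no notification sent) and the forced-reset guidance can be turned into a simple triage pass over the local user directory. The following script is an added example for this article, not Atlassian's code or part of the advisory. It assumes, as a simplification, that Jira Server/Data Center keeps local users in the `cwd_user` table and per-user login counters in `cwd_user_attributes` under the attribute name `login.count`; the reduced column set, the `VULNERABLE_SINCE` date and every sample row are constructed for the example.

```python
"""Triage Jira local-directory accounts for CVE-2023-22501 exposure (illustrative, not Atlassian's tooling)."""
import sqlite3
from datetime import datetime

# Assumed for the example: the date the vulnerable Jira Service Management build went live here.
VULNERABLE_SINCE = datetime(2022, 12, 1)

# Simplified copy of the two Crowd tables Jira uses for local user directories.
# Assumption: only the columns the triage needs are modelled; the real tables carry more.
SCHEMA = """
CREATE TABLE cwd_user (
    id INTEGER PRIMARY KEY,
    user_name TEXT NOT NULL,
    email_address TEXT,
    active INTEGER NOT NULL,
    created_date TEXT NOT NULL,
    updated_date TEXT NOT NULL
);
CREATE TABLE cwd_user_attributes (
    id INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL,
    attribute_name TEXT NOT NULL,
    attribute_value TEXT
);
"""

# Constructed sample rows (not taken from any real instance).
SAMPLE_USERS = [
    (1, "alice",      "alice@example.test",   1, "2021-05-10 09:00:00", "2022-11-02 08:15:00"),
    (2, "svc-deploy", None,                   1, "2022-06-01 12:00:00", "2023-01-20 03:41:00"),  # bot, no mailbox
    (3, "newhire",    "newhire@example.test", 1, "2023-01-25 10:00:00", "2023-01-25 10:00:00"),
    (4, "carol",      "carol@example.test",   1, "2022-03-15 14:00:00", "2022-09-30 11:00:00"),
    (5, "old-bot",    "bot@example.test",     0, "2020-01-01 00:00:00", "2023-01-15 00:00:00"),  # inactive
]
SAMPLE_ATTRS = [
    (1, 1, "login.count", "12"),
    (2, 1, "login.lastLoginMillis", "1667376900000"),
    # svc-deploy, newhire, carol and old-bot have no login.count row: never authenticated.
]

QUERY = """
SELECT u.user_name, u.email_address, u.created_date, u.updated_date,
       CAST(COALESCE(a.attribute_value, '0') AS INTEGER) AS login_count
FROM cwd_user u
LEFT JOIN cwd_user_attributes a
       ON a.user_id = u.id AND a.attribute_name = 'login.count'
WHERE u.active = 1
ORDER BY u.user_name
"""


def load_sample_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO cwd_user VALUES (?,?,?,?,?,?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO cwd_user_attributes VALUES (?,?,?,?)", SAMPLE_ATTRS)
    return conn


def triage(conn, vulnerable_since=VULNERABLE_SINCE):
    """Split active accounts that have never logged in into two buckets.

    'suspicious': the user record was modified after the vulnerable build went live,
    even though nobody ever authenticated as that user (a password change with no
    login is what a successful sign-up-token abuse would look like).
    'at_risk': never logged in, no modification seen; the sign-up token may still be live.
    updated_date moves on any profile change, so confirm hits against the audit log.
    """
    result = {"suspicious": [], "at_risk": []}
    for name, email, created, updated, login_count in conn.execute(QUERY):
        if login_count > 0:
            continue  # has authenticated at least once; not in the never-logged-in population
        created_at = datetime.fromisoformat(created)
        updated_at = datetime.fromisoformat(updated)
        if updated_at > vulnerable_since and updated_at > created_at:
            result["suspicious"].append((name, email))
        else:
            result["at_risk"].append((name, email))
    return result


def reset_plan(triage_result):
    """Forced reset for every flagged account, but only where an email address can be
    confirmed first; accounts without one need manual verification before any reset."""
    plan = []
    for bucket in ("suspicious", "at_risk"):
        for name, email in triage_result[bucket]:
            action = "force_password_reset" if email else "verify_email_first"
            plan.append((name, bucket, action))
    return plan


if __name__ == "__main__":
    findings = triage(load_sample_db())
    for bucket, accounts in findings.items():
        print(bucket, [name for name, _ in accounts])
    for entry in reset_plan(findings):
        print(*entry)
```

Run against the sample data, `svc-deploy` lands in the suspicious bucket (never logged in, record changed after the vulnerable build, and no mailbox to confirm) while `carol` and `newhire` are merely at risk and can be reset straight away; `alice` is excluded because she has authenticated, and the inactive `old-bot` never enters the query.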
The company confirmed Jira services hosted on Atlassian Cloud via the atlassian.net domain were not impacted by the vulnerability.