Security researchers from the software company 42 revealed a vulnerability in the Atlassian OAuth plugin last year that allowed an unauthorized party to make the server issue HTTP GET requests on their behalf.
Though the bug was fixed in March 2017, it still leaves major companies at risk. According to security researcher Robbie Wiggins, the vulnerable OAuth plugin ships with software such as Jira and Confluence, and if that software is hosted on AWS, the flaw can be used to retrieve instance metadata and, in some cases, the AWS keys of the instance's IAM role. Wiggins also explained that, depending on the setup, attackers could retrieve a root password or a token.
The bug still poses a danger months after disclosure because companies are not updating their Atlassian software. “This vulnerability is not new and was fixed in March 2017,” a spokesperson from Atlassian said. “As always, we recommend that our customers upgrade to the most recent version of our server products to ensure they have the latest features and fixes. In this case, it’s especially important for those customers who host Atlassian server products on AWS cloud instances. This vulnerability does not impact customers using cloud versions of Atlassian products, those who upgraded server versions, and those that do not host server versions on AWS cloud. We encourage security researchers to submit vulnerabilities to our public bug bounty program.”
According to the 42 researchers, the vulnerable server typically sits on an internal network, so anyone who can guess the name of an HTTP resource on that network can reach it through the server. The vulnerability could also be used to phish for login credentials by serving a spoofed login page through such a URL, which lets an attacker deliver untrustworthy content from a trusted domain.
“Part of the challenge with leveraging third party software is that you are outsourcing the security expertise and data ownership to another company,” said Tyler Koblasa, CEO of CloudApp. “This can be an incredible relief, but it can also present a number of challenges. Any time an event like the Jira bug occurs, it’s a realization to companies that they are not always safe because another party tells them they are.”
The vulnerability, CVE-2017-9506, affects only versions 1.3.0 through 1.9.12 and 2.0.0 through 2.0.4 of the Atlassian OAuth Plugin.
The 42 researchers advise administrators to upgrade to a later version of the product, since the vulnerability has been addressed and fixed in recent versions.
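Since the practical risk here is unpatched installs, the first defensive step is an inventory check against the affected ranges quoted above. The following is an added example, not code from Atlassian or the researchers cited; the hostnames and version strings in the sample inventory are constructed.

```python
"""Triage installed Atlassian OAuth Plugin versions against the ranges
reported as affected by CVE-2017-9506 (1.3.0-1.9.12 and 2.0.0-2.0.4).
Added illustration; not code from Atlassian or the cited researchers."""
import re
from typing import Dict, List, Tuple

# Inclusive version ranges quoted in the article.
AFFECTED_RANGES = (
    ((1, 3, 0), (1, 9, 12)),
    ((2, 0, 0), (2, 0, 4)),
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.9.12' (or '1.9.12-SNAPSHOT', '2.0') into a comparable tuple.
    Non-numeric suffixes are dropped; missing components count as 0."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    parts += [0] * (3 - len(parts))  # pad so '2.0' compares as (2, 0, 0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True if the version lies inside any affected range (bounds inclusive)."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the sorted host names whose plugin version is affected."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory: hypothetical hosts and plugin versions.
SAMPLE_INVENTORY = {
    "jira-prod": "1.9.12",
    "confluence-prod": "2.0.5",
    "jira-staging": "2.0.0-SNAPSHOT",
    "wiki-legacy": "1.2.9",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: OAuth plugin {SAMPLE_INVENTORY[host]} is in an affected range")
```

Versions past the upper bound of a range (for example 1.9.13 or 1.10.0) are reported as not affected, so the check only flags what the advisory ranges cover.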
“The GDPR is forcing the hand of US-based companies to adapt more similar best practices for data compliance and ownership,” said Koblasa. “The idea of hiring a Chief Security or Compliance Officer is relatively new, but gaining popularity at even the earliest startups. By having a member of your team, either an internal CSO or external security consultant, dedicated to software security, your organization can ensure that the tools employees use are up to date and leverage the latest security updates.”