1. Vulnerability Overview
NSFOCUS CERT has observed that Atlassian published a security advisory fixing multiple high-severity vulnerabilities across its products. Affected users are advised to take protective measures.
Arbitrary Servlet Filter Bypass (CVE-2022-26136):
A vulnerability in multiple Atlassian products allows an unauthenticated remote attacker to bypass Servlet Filters used by first- and third-party apps. The concrete impact depends on which filters an app uses and how it uses them; the vulnerability may lead to authentication bypass and cross-site scripting (XSS), as follows:
Authentication bypass: by sending a specially crafted HTTP request, an unauthenticated remote attacker can bypass custom Servlet Filters that third-party apps use to enforce authentication.
Cross-site scripting: the same kind of crafted request can bypass the Servlet Filter that validates legitimate Atlassian Gadgets, which may result in XSS. An attacker who lures a user into opening a malicious URL can then execute arbitrary JavaScript in that user's browser.
Additional Servlet Filter Invocation (CVE-2022-26137):
A second vulnerability in multiple Atlassian products allows an unauthenticated remote attacker to cause additional Servlet Filters to be invoked while the application processes a request or response. A specially crafted HTTP request can use this to bypass Cross-Origin Resource Sharing (CORS) restrictions, so an attacker who lures a user into opening a malicious URL can access the affected application with that user's privileges.
Hardcoded Credentials in Atlassian Confluence (CVE-2022-26138):
When the Questions for Confluence app is enabled on Confluence Server or Data Center, it creates a Confluence user account named disabledsystemuser. The account is intended to help administrators migrate data from the app to Confluence Cloud. It is created with a hardcoded password and added to the confluence-users group, which by default may view and edit every non-restricted page in Confluence. An unauthenticated attacker who knows the hardcoded password can log in to Confluence and access every page that group can reach.
References:
https://confluence.atlassian.com/security/multiple-products-security-advisory-cve-2022-26136-cve-2022-26137-1141493031.html
https://confluence.atlassian.com/doc/confluence-security-advisory-2022-07-20-1142446709.html
2. Scope of Impact
Affected versions
CVE-2022-26136 / CVE-2022-26137
Bamboo Server and Data Center:
- Bamboo Server and Data Center < 7.2.9
- 8.0.0 <= Bamboo Server and Data Center < 8.0.9
- 8.1.0 <= Bamboo Server and Data Center < 8.1.8
- 8.2.0 <= Bamboo Server and Data Center < 8.2.4
Bitbucket Server and Data Center:
- Bitbucket Server and Data Center < 7.6.16
- Bitbucket Server and Data Center, all 7.7.x through 7.16.x releases
- 7.17.0 <= Bitbucket Server and Data Center < 7.17.8
- Bitbucket Server and Data Center, all 7.18.x releases
- 7.19.0 <= Bitbucket Server and Data Center < 7.19.5
- 7.20.0 <= Bitbucket Server and Data Center < 7.20.2
- 7.21.0 <= Bitbucket Server and Data Center < 7.21.2
- Bitbucket Server and Data Center 8.0.0
- Bitbucket Server and Data Center 8.1.0
Confluence Server and Data Center:
- Confluence Server and Data Center < 7.4.17
- Confluence Server and Data Center, all 7.5.x through 7.12.x releases
- 7.13.0 <= Confluence Server and Data Center < 7.13.7
- 7.14.0 <= Confluence Server and Data Center < 7.14.3
- 7.15.0 <= Confluence Server and Data Center < 7.15.2
- 7.16.0 <= Confluence Server and Data Center < 7.16.4
- 7.17.0 <= Confluence Server and Data Center < 7.17.4
- Confluence Server and Data Center 7.18.0
Crowd Server and Data Center:
- Crowd Server and Data Center < 4.3.8
- 4.4.0 <= Crowd Server and Data Center < 4.4.2
- Crowd Server and Data Center 5.0.0
Crucible:
- Crucible < 4.8.10
Fisheye:
- Fisheye < 4.8.10
Jira Server and Data Center:
- Jira Server and Data Center < 8.13.22
- Jira Server and Data Center, all 8.14.x through 8.19.x releases
- 8.20.0 <= Jira Server and Data Center < 8.20.10
- Jira Server and Data Center, all 8.21.x releases
- 8.22.0 <= Jira Server and Data Center < 8.22.4
Jira Service Management Server and Data Center:
- Jira Service Management Server and Data Center < 4.13.22
- Jira Service Management Server and Data Center, all 4.14.x through 4.19.x releases
- 4.20.0 <= Jira Service Management Server and Data Center < 4.20.10
- Jira Service Management Server and Data Center, all 4.21.x releases
- 4.22.0 <= Jira Service Management Server and Data Center < 4.22.4
CVE-2022-26138 (Questions for Confluence app)
- Questions for Confluence 2.7.34
- Questions for Confluence 2.7.35
- Questions for Confluence 3.0.2
Unaffected versions
Bamboo Server and Data Center:
- Bamboo Server and Data Center >= 7.2.9
- Bamboo Server and Data Center >= 8.0.9
- Bamboo Server and Data Center >= 8.1.8
- Bamboo Server and Data Center >= 8.2.4
- Bamboo Server and Data Center >= 9.0.0
Bitbucket Server and Data Center:
- Bitbucket Server and Data Center >= 7.6.16 (LTS)
- Bitbucket Server and Data Center >= 7.17.8 (LTS)
- Bitbucket Server and Data Center >= 7.19.5
- Bitbucket Server and Data Center >= 7.20.2
- Bitbucket Server and Data Center >= 7.21.2 (LTS)
- Bitbucket Server and Data Center >= 8.0.1
- Bitbucket Server and Data Center >= 8.1.1
- Bitbucket Server and Data Center >= 8.2.0
Confluence Server and Data Center:
- Confluence Server and Data Center >= 7.4.17 (LTS)
- Confluence Server and Data Center >= 7.13.7 (LTS)
- Confluence Server and Data Center >= 7.14.3
- Confluence Server and Data Center >= 7.15.2
- Confluence Server and Data Center >= 7.16.4
- Confluence Server and Data Center >= 7.17.4
- Confluence Server and Data Center >= 7.18.1
Crowd Server and Data Center:
- Crowd Server and Data Center >= 4.3.8
- Crowd Server and Data Center >= 4.4.2
- Crowd Server and Data Center >= 5.0.1
Crucible:
- Crucible >= 4.8.10
Fisheye:
- Fisheye >= 4.8.10
Jira Server and Data Center:
- Jira Server and Data Center >= 8.13.22 (LTS)
- Jira Server and Data Center >= 8.20.10 (LTS)
- Jira Server and Data Center >= 8.22.4
Jira Service Management Server and Data Center:
- Jira Service Management Server and Data Center >= 4.13.22 (LTS)
- Jira Service Management Server and Data Center >= 4.20.10 (LTS)
- Jira Service Management Server and Data Center >= 4.22.4
Questions for Confluence app:
- Questions for Confluence >= 2.7.38 (compatible with Confluence 6.13.18 through 7.16.2)
- Questions for Confluence >= 3.0.5 (compatible with Confluence 7.16.3 and later)
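The following Python script is added here as an illustration; it is not part of the NSFOCUS advisory and not Atlassian tooling. It transcribes the affected-version lists above into half-open version intervals and reports, for an inventory of (product, version) pairs, which entries are affected and by which CVEs. The product keys, the sample inventory and the three-component (major, minor, patch) comparison are assumptions of the example; pre-release suffixes such as "-rc1" are ignored.

```python
"""Classify Atlassian product versions against the affected ranges above.

Added example for this advisory; not NSFOCUS or Atlassian code. The ranges
are transcribed from the affected-version lists in this section and stored
as half-open intervals [low, high): low is inclusive, high is exclusive, so
an "all 7.7.x through 7.16.x" line plus "7.17.0 <= x < 7.17.8" collapse into
one interval ("7.7.0", "7.17.8"). Versions are compared as (major, minor,
patch) integer tuples; pre-release suffixes are ignored (assumption).
"""
import re

AFFECTED = {
    # CVE-2022-26136 / CVE-2022-26137
    "Bamboo": [("0", "7.2.9"), ("8.0.0", "8.0.9"), ("8.1.0", "8.1.8"), ("8.2.0", "8.2.4")],
    "Bitbucket": [("0", "7.6.16"), ("7.7.0", "7.17.8"), ("7.18.0", "7.19.5"),
                  ("7.20.0", "7.20.2"), ("7.21.0", "7.21.2"),
                  ("8.0.0", "8.0.1"), ("8.1.0", "8.1.1")],
    "Confluence": [("0", "7.4.17"), ("7.5.0", "7.13.7"), ("7.14.0", "7.14.3"),
                   ("7.15.0", "7.15.2"), ("7.16.0", "7.16.4"), ("7.17.0", "7.17.4"),
                   ("7.18.0", "7.18.1")],
    "Crowd": [("0", "4.3.8"), ("4.4.0", "4.4.2"), ("5.0.0", "5.0.1")],
    "Crucible": [("0", "4.8.10")],
    "Fisheye": [("0", "4.8.10")],
    "Jira": [("0", "8.13.22"), ("8.14.0", "8.20.10"), ("8.21.0", "8.22.4")],
    "Jira Service Management": [("0", "4.13.22"), ("4.14.0", "4.20.10"), ("4.21.0", "4.22.4")],
    # CVE-2022-26138: only the three app releases listed above
    "Questions for Confluence": [("2.7.34", "2.7.36"), ("3.0.2", "3.0.3")],
}

CVES = {p: ("CVE-2022-26136", "CVE-2022-26137") for p in AFFECTED}
CVES["Questions for Confluence"] = ("CVE-2022-26138",)


def parse_version(text):
    """'7.13.6' -> (7, 13, 6); '8.22' -> (8, 22, 0). Raises on non-versions."""
    parts = [int(p) for p in re.findall(r"\d+", text)][:3]
    if not parts:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(product, version):
    """True if `version` of `product` lies inside any affected interval."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED[product])


def assess(inventory):
    """inventory: iterable of (product, version) -> list of finding dicts."""
    findings = []
    for product, version in inventory:
        hit = is_affected(product, version)
        findings.append({"product": product, "version": version, "affected": hit,
                         "cves": CVES[product] if hit else ()})
    return findings


if __name__ == "__main__":
    # Constructed sample inventory, not real deployment data.
    sample = [("Confluence", "7.13.6"), ("Confluence", "7.13.7"), ("Bamboo", "7.2.10"),
              ("Jira", "8.19.1"), ("Bitbucket", "8.0.0"), ("Questions for Confluence", "3.0.5")]
    for f in assess(sample):
        flag = "AFFECTED " + ", ".join(f["cves"]) if f["affected"] else "ok"
        print(f"{f['product']:<26} {f['version']:<8} {flag}")
```

Because the intervals are half-open, a version such as Bamboo 7.2.10 (above the 7.2.9 fix but below 8.0.0) correctly comes out as unaffected, and the first fixed release of each branch (7.13.7, 8.20.10, 8.0.1) is excluded.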
3. Vulnerability Protection
3.1 Official Upgrade
Atlassian has fixed these vulnerabilities in the latest versions. Affected users should upgrade as soon as possible. Official download links:
Affected product | Download link for fixed version
Bamboo Server and Data Center | https://www.atlassian.com/software/bamboo/download
Bitbucket Server and Data Center | https://www.atlassian.com/software/bitbucket/download-archives
Confluence Server and Data Center | https://www.atlassian.com/software/confluence/download-archives
Crowd | https://www.atlassian.com/software/crowd/download/data-center
Crucible | https://www.atlassian.com/software/crucible/download
Fisheye | https://www.atlassian.com/software/fisheye/download
Jira Service Management Server and Data Center | https://www.atlassian.com/software/jira/service-management/download-archives
Jira Software Server and Data Center | https://www.atlassian.com/software/jira/download-archives
Questions for Confluence app | https://confluence.atlassian.com/upm/updating-apps-273875710.html
3.2 Temporary Mitigations
If upgrading is not immediately possible, CVE-2022-26138 can be mitigated by disabling or deleting the disabledsystemuser account; see https://confluence.atlassian.com/doc/delete-or-disable-users-138318.html for the steps. Note that uninstalling the Questions for Confluence app does not remove the account and therefore does not mitigate the issue. Reviewing the account's last authentication time in the Confluence user management screen shows whether it has already been used to log in. Atlassian provides no workaround for CVE-2022-26136 and CVE-2022-26137; upgrading is the only fix for those two.
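As an added example (not from NSFOCUS or Atlassian), the following Python script checks a Confluence Server or Data Center instance for the disabledsystemuser account and reports whether it is still a member of confluence-users, which is the condition that gives it broad page access. It calls two Confluence Server REST endpoints with administrator credentials: GET /rest/api/user?username=<name> (404 when the user does not exist) and GET /rest/api/user/memberof?username=<name>. The base URL, the credentials, the constructed sample responses and the userKey value are assumptions of the example; the fetch function is injectable so the decision logic can be run offline against those samples.

```python
"""Look for the disabledsystemuser account (CVE-2022-26138) on a Confluence
Server / Data Center instance.

Added example for this advisory; not NSFOCUS or Atlassian code. Uses two
Confluence Server REST endpoints, called with administrator credentials:
  GET /rest/api/user?username=<name>           user record, 404 if absent
  GET /rest/api/user/memberof?username=<name>  groups the user belongs to
The fetcher is injectable so the decision logic can run offline against the
constructed sample responses at the bottom of the file.
"""
import base64
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

ACCOUNT = "disabledsystemuser"      # account created by Questions for Confluence
RISKY_GROUP = "confluence-users"    # default group that can read/edit unrestricted pages


def _json_or_empty(raw):
    """Decode a JSON body, returning {} for empty or non-JSON (e.g. HTML) bodies."""
    try:
        return json.loads(raw.decode("utf-8", "replace"))
    except ValueError:
        return {}


def make_fetcher(base_url, username, password):
    """Return fetch(path) -> (http_status, json_body) using HTTP Basic auth."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()

    def fetch(path):
        req = urllib.request.Request(base_url.rstrip("/") + path)
        req.add_header("Authorization", "Basic " + token)
        req.add_header("Accept", "application/json")
        try:
            with urllib.request.urlopen(req, timeout=15) as resp:
                return resp.status, _json_or_empty(resp.read())
        except urllib.error.HTTPError as err:      # 404 here means "no such user"
            return err.code, _json_or_empty(err.read())

    return fetch


def check_account(fetch, account=ACCOUNT):
    """Return a finding dict: present, groups, risk ('none' | 'review' | 'high')."""
    q = urllib.parse.quote(account)
    status, user = fetch(f"/rest/api/user?username={q}")
    if status == 404:
        return {"present": False, "groups": [], "risk": "none"}
    if status != 200:
        raise RuntimeError(f"HTTP {status} looking up {account!r}: {user}")
    status, membership = fetch(f"/rest/api/user/memberof?username={q}&limit=200")
    groups = [g.get("name") for g in membership.get("results", [])] if status == 200 else []
    # The account is a finding whenever it exists, because its password is
    # hardcoded; membership in confluence-users is what grants broad access.
    risk = "high" if RISKY_GROUP in groups else "review"
    return {"present": True, "groups": groups, "risk": risk,
            "user_key": user.get("userKey")}


# Constructed sample responses for offline use (not captured from a real site;
# the userKey is made up).
SAMPLE_RESPONSES = {
    f"/rest/api/user?username={ACCOUNT}":
        (200, {"type": "known", "username": ACCOUNT, "userKey": "8a7f8c0c81234567018123456700000a"}),
    f"/rest/api/user/memberof?username={ACCOUNT}&limit=200":
        (200, {"results": [{"type": "group", "name": RISKY_GROUP}], "size": 1}),
}


def sample_fetch(path):
    return SAMPLE_RESPONSES.get(path, (404, {"statusCode": 404, "message": "No user found"}))


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: python check_cve_2022_26138.py https://confluence.example.com admin
        # (hypothetical host; password read from the CONFLUENCE_PASSWORD variable)
        fetch = make_fetcher(sys.argv[1], sys.argv[2], os.environ["CONFLUENCE_PASSWORD"])
    else:
        fetch = sample_fetch
    print(json.dumps(check_account(fetch), indent=2))
```

A "high" result means the account exists and still sits in confluence-users, so it should be disabled or deleted per the link above; "review" means the account exists but has been removed from that group, which still leaves a login with a known password on the instance. After remediation, re-run the check and confirm the result is "none" before relying on the mitigation.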
Disclaimer
This advisory is intended only to describe potential security issues. NSFOCUS makes no guarantee or commitment regarding it. Any direct or indirect consequences or losses arising from the dissemination or use of the information in this advisory are the sole responsibility of the user; NSFOCUS and the authors of this advisory accept no liability.
NSFOCUS reserves the right to modify and interpret this advisory. Anyone reproducing or redistributing it must keep it intact, including the copyright notice and all other content. Without NSFOCUS's permission, the advisory may not be modified or abridged in any way, nor used for commercial purposes.