Critical Security Advisory: Servlet Filter Dispatcher Vulnerability in Multiple Atlassian Products

Summary: Multiple Products Security Advisory – Servlet Filter Dispatcher Vulnerabilities
Advisory Release Date: Jul 20, 2022 10:00 AM PDT (Pacific Time, -7 hours)
Affected Products
  • Bamboo Server and Data Center
  • Bitbucket Server and Data Center
  • Confluence Server and Data Center
  • Crowd Server and Data Center
  • Fisheye and Crucible
  • Jira Server and Data Center
  • Jira Service Management Server and Data Center
Affected Versions: see the Affected Versions table below
Fixed Versions: see the Fixed Versions table below
CVE ID(s): CVE-2022-26136, CVE-2022-26137

Summary of Servlet Filter Dispatcher Vulnerability

Servlet Filter Overview

A Servlet Filter is Java code that intercepts and processes an HTTP request before it reaches a back-end resource, and can likewise intercept and process the response before it is returned to the client. Filters are commonly used to implement security controls such as logging, auditing, authentication, and authorization. Because those controls only take effect if the request actually passes through the filter chain, any request path that reaches a resource without invoking the intended filters, or that invokes filters the application did not intend, is a security problem.

Arbitrary Servlet Filter Bypass (CVE-2022-26136)

A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first- and third-party apps. The impact depends on which filters each app uses and how they are used. Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all of its potential consequences. Only the following attacks have been confirmed:

Authentication bypass. Sending a specially crafted HTTP request can bypass custom Servlet Filters that third-party apps use to enforce authentication. A remote, unauthenticated attacker can exploit this to bypass the authentication those apps rely on. Note that Atlassian has confirmed this attack is possible, but has not determined a list of all affected apps.

Cross-site scripting (XSS). Sending a specially crafted HTTP request can bypass the Servlet Filter used to validate legitimate Atlassian Gadgets, which can result in cross-site scripting (XSS). An attacker who can trick a user into requesting a malicious URL can execute arbitrary JavaScript in the user's browser.

Additional Servlet Filter Invocation (CVE-2022-26137)

A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability:

Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker who can trick a user into requesting a malicious URL can access the vulnerable application with the victim's permissions.

Affected Versions

Bamboo Server and Data Center
  • Versions < 8.0.9
  • 8.1.x < 8.1.8
  • 8.2.x < 8.2.4
Bitbucket Server and Data Center
  • Versions < 7.6.16
  • All versions 7.7.x through 7.16.x
  • 7.17.x < 7.17.8
  • All versions 7.18.x
  • 7.19.x < 7.19.5
  • 7.20.x < 7.20.2
  • 7.21.x < 7.21.2
  • 8.0.0
  • 8.1.0
Confluence Server and Data Center
  • Versions < 7.4.17
  • All versions 7.5.x through 7.12.x
  • 7.13.x < 7.13.7
  • 7.14.x < 7.14.3
  • 7.15.x < 7.15.2
  • 7.16.x < 7.16.4
  • 7.17.x < 7.17.4
  • 7.18.0
Crowd Server and Data Center
  • Versions < 4.3.8
  • 4.4.x < 4.4.2
  • 5.0.0
Crucible
  • Versions < 4.8.10
Fisheye
  • Versions < 4.8.10
Jira Server and Data Center
  • Versions < 8.13.22
  • All versions 8.14.x through 8.19.x
  • 8.20.x < 8.20.10
  • All versions 8.21.x
  • 8.22.x < 8.22.4
Jira Service Management Server and Data Center
  • Versions < 4.13.22
  • All versions 4.14.x through 4.19.x
  • 4.20.x < 4.20.10
  • All versions 4.21.x
  • 4.22.x < 4.22.4

Fixed Versions

Bamboo Server and Data Center
  • 8.0.x >= 8.0.9
  • 8.1.x >= 8.1.8
  • 8.2.x >= 8.2.4
  • Versions >= 9.0.0
Bitbucket Server and Data Center
  • 7.6.x >= 7.6.16 (LTS)
  • 7.17.x >= 7.17.8 (LTS)
  • 7.19.x >= 7.19.5
  • 7.20.x >= 7.20.2
  • 7.21.x >= 7.21.2 (LTS)
  • 8.0.x >= 8.0.1
  • 8.1.x >= 8.1.1
  • Versions >= 8.2.0
Confluence Server and Data Center
  • 7.4.x >= 7.4.17 (LTS)
  • 7.13.x >= 7.13.7 (LTS)
  • 7.14.x >= 7.14.3
  • 7.15.x >= 7.15.2
  • 7.16.x >= 7.16.4
  • 7.17.x >= 7.17.4
  • 7.18.x >= 7.18.1
  • Versions >= 7.19.0
Crowd Server and Data Center
  • 4.3.x >= 4.3.8
  • 4.4.x >= 4.4.2
  • Versions >= 5.0.1
Crucible
  • Versions >= 4.8.10
Fisheye
  • Versions >= 4.8.10
Jira Server and Data Center
  • 8.13.x >= 8.13.22 (LTS)
  • 8.20.x >= 8.20.10 (LTS)
  • 8.22.x >= 8.22.4
    Note: 8.22.4 contains a high impact non-security bug. Atlassian recommends updating to 8.22.6 or later.
  • Versions >= 9.0.0
Jira Service Management Server and Data Center
  • 4.13.x >= 4.13.22 (LTS)
  • 4.20.x >= 4.20.10 (LTS)
  • 4.22.x >= 4.22.4
    Note: 4.22.5 contains a security vulnerability. Atlassian recommends updating to 4.22.6 or later.
  • Versions >= 5.0.0
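The Affected Versions and Fixed Versions tables above are the check most readers actually need to run against their own inventory, so here is an added example (not Atlassian's code and not part of the original advisory) that transcribes those ranges into a small Python triage helper. The product keys such as "jira" and "jira-service-management" and the sample inventory at the bottom are this example's own shorthand; it also folds in the two table notes by treating 8.22.6 and 4.22.6 as the minimum recommended builds for the Jira 8.22 and Jira Service Management 4.22 branches.

```python
"""Triage helper for the Servlet Filter Dispatcher advisory (CVE-2022-26136, CVE-2022-26137).

Added example, not Atlassian's code. The version ranges below are transcribed from the
Affected Versions and Fixed Versions tables in this advisory; the product keys
("bamboo", "jira", ...) are this script's own shorthand.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '8.22.4' or '7.13.7-m01' into a comparable tuple, padded to three parts."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def fmt(v: Version) -> str:
    return ".".join(str(p) for p in v)


# Affected ranges as half-open intervals [lo, hi): v is affected when lo <= v < hi.
# One entry per row of the Affected Versions table, so each can be checked against it.
AFFECTED: Dict[str, List[Tuple[Version, Version]]] = {
    "bamboo": [((0, 0, 0), (8, 0, 9)), ((8, 1, 0), (8, 1, 8)), ((8, 2, 0), (8, 2, 4))],
    "bitbucket": [
        ((0, 0, 0), (7, 6, 16)), ((7, 7, 0), (7, 17, 0)), ((7, 17, 0), (7, 17, 8)),
        ((7, 18, 0), (7, 19, 0)), ((7, 19, 0), (7, 19, 5)), ((7, 20, 0), (7, 20, 2)),
        ((7, 21, 0), (7, 21, 2)), ((8, 0, 0), (8, 0, 1)), ((8, 1, 0), (8, 1, 1)),
    ],
    "confluence": [
        ((0, 0, 0), (7, 4, 17)), ((7, 5, 0), (7, 13, 0)), ((7, 13, 0), (7, 13, 7)),
        ((7, 14, 0), (7, 14, 3)), ((7, 15, 0), (7, 15, 2)), ((7, 16, 0), (7, 16, 4)),
        ((7, 17, 0), (7, 17, 4)), ((7, 18, 0), (7, 18, 1)),
    ],
    "crowd": [((0, 0, 0), (4, 3, 8)), ((4, 4, 0), (4, 4, 2)), ((5, 0, 0), (5, 0, 1))],
    "crucible": [((0, 0, 0), (4, 8, 10))],
    "fisheye": [((0, 0, 0), (4, 8, 10))],
    "jira": [
        ((0, 0, 0), (8, 13, 22)), ((8, 14, 0), (8, 20, 0)), ((8, 20, 0), (8, 20, 10)),
        ((8, 21, 0), (8, 22, 0)), ((8, 22, 0), (8, 22, 4)),
    ],
    "jira-service-management": [
        ((0, 0, 0), (4, 13, 22)), ((4, 14, 0), (4, 20, 0)), ((4, 20, 0), (4, 20, 10)),
        ((4, 21, 0), (4, 22, 0)), ((4, 22, 0), (4, 22, 4)),
    ],
}

# Lowest release to move to within an x.y branch, from the Fixed Versions table. Branches
# the advisory lists no fix for (e.g. Bitbucket 7.18.x) are absent: leave the branch.
# Jira 8.22 and JSM 4.22 use the advisory's recommended 8.22.6 / 4.22.6 rather than the
# first patched build, because of the follow-on issues noted in the table.
FIXED_BRANCH_MIN: Dict[str, Dict[Version, Version]] = {
    "bamboo": {(8, 0): (8, 0, 9), (8, 1): (8, 1, 8), (8, 2): (8, 2, 4)},
    "bitbucket": {(7, 6): (7, 6, 16), (7, 17): (7, 17, 8), (7, 19): (7, 19, 5),
                  (7, 20): (7, 20, 2), (7, 21): (7, 21, 2), (8, 0): (8, 0, 1), (8, 1): (8, 1, 1)},
    "confluence": {(7, 4): (7, 4, 17), (7, 13): (7, 13, 7), (7, 14): (7, 14, 3), (7, 15): (7, 15, 2),
                   (7, 16): (7, 16, 4), (7, 17): (7, 17, 4), (7, 18): (7, 18, 1)},
    "crowd": {(4, 3): (4, 3, 8), (4, 4): (4, 4, 2), (5, 0): (5, 0, 1)},
    "crucible": {(4, 8): (4, 8, 10)},
    "fisheye": {(4, 8): (4, 8, 10)},
    "jira": {(8, 13): (8, 13, 22), (8, 20): (8, 20, 10), (8, 22): (8, 22, 6)},
    "jira-service-management": {(4, 13): (4, 13, 22), (4, 20): (4, 20, 10), (4, 22): (4, 22, 6)},
}


def is_affected(product: str, version: str) -> bool:
    """True when the version falls inside any affected range for the product."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED[product])


def triage(product: str, version: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, target). target is the lowest recommended release in the same
    x.y branch when the installed version is below it, else None. Two cases to read carefully:
      (True, None)  -> affected and no fix in this branch: upgrade to a newer branch.
      (False, "x")  -> not affected by these CVEs but below the advisory's recommended
                       build for the branch (Jira 8.22.4/8.22.5, JSM 4.22.4/4.22.5).
    Versions the advisory names in neither table (e.g. Bamboo 8.3.x) come back as
    (False, None); confirm those with the vendor rather than assuming they are safe."""
    v = parse_version(version)
    affected = is_affected(product, version)
    branch_min = FIXED_BRANCH_MIN[product].get(v[:2])
    target = fmt(branch_min) if branch_min is not None and v < branch_min else None
    return affected, target


if __name__ == "__main__":
    # Constructed inventory for illustration: (product key, installed version).
    inventory = [("jira", "8.20.9"), ("bitbucket", "7.18.2"), ("confluence", "7.13.7"),
                 ("jira-service-management", "4.22.5"), ("crowd", "5.0.0")]
    for product, version in inventory:
        affected, target = triage(product, version)
        print(f"{product:24} {version:8} affected={affected!s:5} target={target}")
```

The intervals are kept one per table row rather than merged so that each can be audited against the advisory. Feed the script your real inventory in place of the constructed list; anything that reports affected with no in-branch target (for example Bitbucket 7.18.x) has to move to a branch that does carry a fix.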

Release Notes

Atlassian recommends that you upgrade to the latest version. For a full description of the latest versions, see the release notes for your product:

Downloads

Workarounds

There are no known workarounds. To remediate these vulnerabilities, upgrade each affected product installation to a fixed version listed above.

Need Help With This?

Give us a call, or submit a help request here. As an Atlassian Platinum Solution Partner, we’re here to help you keep all your Atlassian products running smoothly.