Key Takeaways

• CERT-In’s August 2024 bulletin emphasizes the urgent need for organizations to update their Atlassian products due to critical vulnerabilities. Prompt patch application is essential to address these high-severity issues and mitigate risks. 

• The vulnerabilities uncovered span a range of severe risks, including arbitrary code execution, cross-site scripting (XSS), and privilege escalation. These affect multiple Atlassian products, such as Bamboo, Confluence, and Jira, posing significant security threats. 

• Critical vulnerabilities are linked to specific versions of Atlassian software: Bamboo versions prior to 9.6.5, Confluence versions before 8.9.5, Crowd versions below 5.3.2, Jira versions older than 9.17.1, and Jira Service Management versions before 5.17.1.  

• Notable vulnerabilities include CVE-2024-21689 in Bamboo, which affects both Data Center and Server versions, and CVE-2024-37768 in Jira, which could enable unauthorized users to gain elevated permissions.  

• Issues with resource management in integrated libraries, such as Bouncy Castle, could lead to performance degradation or service disruptions. Upgrading to the latest versions of these libraries is crucial for maintaining system stability. 

• Vulnerabilities in components like Apache Tomcat affect many Atlassian products, with potential impacts including service disruptions and system integrity breaches. Regular updates to these components are necessary to prevent exploitation. 

• Critical vulnerabilities in Confluence could expose sensitive data, including internal communications and documents. Organizations must update their systems to protect against potential data breaches. 

• The exploitation of past vulnerabilities highlights the need for continuous security monitoring. Regular security assessments, prompt patching, and proactive measures are essential for protecting against both new and existing threats. 

Overview 

CERT-In has added multiple critical Atlassian vulnerabilities to its catalog following the disclosure by the organization in its August 2024 Security Bulletin. These vulnerabilities  

target a range of Atlassian products, including Bamboo, Confluence, and more. This analysis aims to thoroughly examine these vulnerabilities, detailing their potential impacts, associated risks, and recommended mitigation strategies. 

The August 2024 Security Bulletin from Atlassian addresses 9 high-severity vulnerabilities that have been fixed in recent product updates. These vulnerabilities were identified through the company’s Bug Bounty program, penetration testing, and third-party library scans. 

The organization denoted that the vulnerabilities listed in this August 2024 bulletin are less critical compared to those found in Critical Security Advisories, which may require immediate patches outside of the regular monthly schedule. 

Multiple Atlassian Vulnerabilities Targets Products and Services 

CERT-In’s Vulnerability Note CIVN-2024-0258, issued on August 21, 2024, highlights multiple high-severity vulnerabilities across various Atlassian products, including Bamboo Data Center and Server, Confluence Data Center and Server, Crowd Data Center and Server, Jira Data Center and Server, and Jira Service Management Data Center and Server.  

These vulnerabilities, affecting versions prior to 9.6.5 for Bamboo, 8.9.5 for Confluence, 5.3.2 for Crowd, 9.17.1 for Jira, and 5.17.1 for Jira Service Management, could enable attackers to execute arbitrary code, perform cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks, exploit server-side request forgery (SSRF), access sensitive information, or cause denial of service (DoS).  

CVE-2024-21689: High-Risk Vulnerability in Atlassian Bamboo 

Atlassian Bamboo, a popular continuous integration and deployment tool, has been identified with a severe vulnerability cataloged as CVE-2024-21689. This flaw affects both the Bamboo Data Center and Bamboo Server versions, posing a risk to organizations that rely on these platforms for their CI/CD pipelines. 

The vulnerability in question relates to a critical functionality within Bamboo, although specific details about the nature of the flaw remain somewhat limited. The Common Vulnerability Scoring System (CVSS) score for this vulnerability is 7.6, categorizing it as high-risk. Given Bamboo’s central role in automating software development and deployment processes, the potential impact of this vulnerability is substantial. Exploiting this flaw could lead to unauthorized access, data breaches, or disruptions in deployment workflows. 

To mitigate the associated risks, organizations using affected versions of Bamboo are strongly advised to upgrade to the latest release. Atlassian has addressed this issue in recent updates, which include critical security patches to close the identified vulnerabilities. 

CVE-2024-29857: Resource Exhaustion Vulnerability in Bouncy Castle 

Bouncy Castle, a widely-used cryptographic library that integrates with various Atlassian products, has been identified with a notable vulnerability cataloged as CVE-2024-29857. This flaw impacts Bouncy Castle versions up to 1.77 and is related to handling limited resources within the library. The nature of this vulnerability can lead to resource exhaustion, which may disrupt service operations or degrade performance. 

Organizations using Bouncy Castle in their Atlassian environments should prioritize upgrading to version 1.78, including essential fixes to address resource exhaustion. Upgrading to the latest version will help ensure the cryptographic library functions efficiently and securely within integrated systems. 

CVE-2024-34750: Vulnerability in Apache Tomcat Affecting Atlassian Products 

Apache Tomcat, a popular open-source implementation of Java Servlets, is another component affected by critical vulnerabilities relevant to Atlassian products. The vulnerability cataloged as CVE-2024-34750 impacts Apache Tomcat versions 9.0.89, 10.1.24, and 11.0.0-M20. Specifically, this flaw pertains to the HTTP2 Stream Handler component, which is responsible for managing HTTP/2 connections. 

The Common Vulnerability Scoring System (CVSS) for this vulnerability is 7.5, categorizing it as a moderate risk. The potential impact of this flaw includes service disruptions and potential compromise of system integrity. Given that Apache Tomcat serves as a critical component for web applications and services in many Atlassian products, this vulnerability represents a significant security concern. 

Organizations should upgrade to Apache Tomcat versions 9.0.90, 10.1.25, or 11.0.0-M21 to address this issue. These versions contain security patches and updates that mitigate the identified vulnerability. By applying these updates, organizations can enhance the stability and security of their web application environments, reducing the risk of exploitation. 

CVE-2024-37768: Privilege Escalation in Atlassian Jira 

Atlassian Jira, a leading issue and project tracking tool, has also been affected by a critical vulnerability cataloged as CVE-2024-37768. This flaw presents a privilege escalation issue, potentially allowing unauthorized users to gain elevated permissions within the Jira system. The vulnerability affects several versions of Jira, making it a widespread concern for organizations that utilize this tool for project management and tracking. 

The Common Vulnerability Scoring System (CVSS) for CVE-2024-37768 is 9.1, indicating a high level of risk. Exploitation of this privilege escalation flaw could lead to unauthorized access to sensitive information, unauthorized modifications to projects, or disruption of project management workflows. 

To address this vulnerability, organizations must upgrade to the latest versions of Jira. Atlassian has released security patches and updates to remediate this issue, ensuring that users with appropriate privileges are properly authenticated and authorized. Implementing these updates will help secure Jira environments against potential cyber attacks and maintain the integrity of project management processes. 

CVE-2024-40859: Information Disclosure in Atlassian Confluence 

Confluence, another widely-used Atlassian product, has been identified with a vulnerability cataloged as CVE-2024-40859. This vulnerability is related to information disclosure, which could potentially expose sensitive data to unauthorized individuals. The affected versions of Confluence include several releases, making it a critical issue for organizations that rely on Confluence for collaborative work and knowledge management. 

The Common Vulnerability Scoring System (CVSS) for this vulnerability is 7.5, categorizing it as high-risk. The potential impact of this information disclosure flaw includes unauthorized access to confidential documents, internal communications, and other sensitive information.  

Previous Instances of Exploitation 

Apart from these Atlassian vulnerabilities, the organization faced exploitation from a previous RCE vulnerability (CVE-2023-22527). In January 2024, Cyble Research and Intelligence (CRIL) Labs reported about this critical flaw. CRIL reported that active exploitation attempts of this vulnerability began on January 26, 2024.  

Cyble’s Global Sensor Intelligence (CGSI) network observed scanning activities targeting Confluence instances in various countries, including the United States, Germany, and China. Over 4,000 exposed Confluence instances were identified, with significant numbers in the U.S., Germany, China, and Russia. 

To address the vulnerability, Atlassian recommended updating Confluence Data Center and Server to the latest versions: 8.5.5 (LTS) or 8.7.2 for Data Center only. Organizations were advised to conduct regular security audits, apply patches promptly, and implement network segmentation to mitigate risks. 

The vulnerability stemmed from flaws in the text-inline.vm velocity template, which allowed attackers to bypass security constraints and execute OGNL expressions beyond the standard 200-character limit. Additional information was provided through Atlassian’s security advisory and resources from cybersecurity experts like Picus Security and ProjectDiscovery. 

Mitigation Strategies and Recommendations 

To address the vulnerabilities identified in Atlassian products, organizations should begin by upgrading to the latest versions of the software. These updates include essential security patches and fixes for the vulnerabilities in question. It is crucial for organizations to regularly check for and apply these updates promptly to maintain protection against potential threats. 

In addition to software updates, implementing comprehensive security best practices is essential. Organizations should monitor for unusual activities, configure robust access controls, and enforce strong authentication mechanisms to enhance their overall security posture. These measures help prevent unauthorized access and mitigate the risk of exploitation. 

Regular security assessments and vulnerability scans are also recommended to proactively identify and address potential security issues. Engaging with security professionals for periodic reviews can provide valuable insights and help organizations stay ahead of emerging threats. 

Staff education and training play a vital role in maintaining security. Ensuring that employees are aware of the risks associated with vulnerabilities and are knowledgeable about best practices for using Atlassian products can significantly reduce the likelihood of security breaches. 

Lastly, organizations should establish effective backup and recovery plans. These plans are critical for safeguarding against data loss and ensuring business continuity in the event of a security incident or exploitation of vulnerabilities. By preparing for potential issues, organizations can quickly recover and minimize disruptions. 

Conclusion 

The recent cataloging of critical Atlassian vulnerabilities by CERT-In highlights the urgent need for organizations to prioritize security updates. The August 2024 bulletin revealed significant flaws across various Atlassian products, each posing substantial risks such as unauthorized access, service disruptions, and data exposure. While these vulnerabilities are severe, they are manageable with timely updates and robust security practices. 

Organizations are advised to promptly upgrade their affected systems, apply the necessary patches, and implement comprehensive security measures. Regular assessments and proactive patch management will help safeguard against these vulnerabilities and strengthen overall security posture, ensuring resilience against potential threats and maintaining operational integrity. 

Related