GitProtect Team for GitProtect

Posted on • Originally published at gitprotect.io

2022 In A Nutshell: Atlassian Outages And Vulnerabilities

The year 2022 definitely wasn’t the best year in history for Jira and Bitbucket users. Atlassian outages, warnings about data breaches, and front-page media coverage: all of it was about Atlassian this year. So, let’s analyze Atlassian Status and various media alerts to see what really happened to this cloud service giant.

December 2022

Atlassian Status for Jira: 2 incidents
Atlassian status for Bitbucket: 3 incidents

Security flaw noticed in Atlassian can lead to taking over hundreds of Jira accounts

Researchers from CloudSEK noticed a flaw in Atlassian products such as Jira, Confluence, and Bitbucket. They stated that threat actors could use this flaw to take over a company’s Jira account. The problem was hidden in cookies which weren’t invalidated even if the user changed the password, with 2FA enabled. According to those security researchers, the reason lay in the cookie validity period of 30 days: cookies only expire at the moment the user logs out, or after 30 days.

At the same time, the Atlassian security team conducted its own investigation into unauthorized access to a customer’s Cloud account, which took place in December and triggered a buzz online. As it turned out during the investigation, it was an isolated case caused by malware on the customer’s computer: “This incident was in no way caused by a vulnerability in Atlassian products or a compromise of Atlassian systems.”

For those Cloud customers with concerns about the security of their tokens, the Atlassian team recommended that they “reset their passwords, which will automatically log users out of all active and current sessions.”

Dark Reading

November 2022

Atlassian Status for Jira: 4 incidents
Atlassian status for Bitbucket: 4 incidents

Atlassian remediates its critical vulnerabilities (9 out of 10!)

After critical security vulnerabilities that Atlassian rated 9 out of 10 in severity were noticed, the cloud service provider released updates to address them in its centralized identity management platform, Crowd Server and Data Center, as well as in its git-based code and CI/CD tool, Bitbucket Server and Data Center.

According to Atlassian, the first is a command injection flaw, tracked as CVE-2022-43781, which affects Bitbucket Server and Data Center and could permit an attacker with permission to control their username to gain code execution on the target system. The other flaw, CVE-2022-43782, which affected Crowd Server and Data Center, was a misconfiguration that could allow an attacker to bypass password checks when authenticating as the Crowd application and to call privileged API endpoints.

The Atlassian security advisory presented step-by-step guidance for administrators to check whether their products were compromised and what actions to take in that case.

Bleeping Computer

October

Atlassian Status for Jira: 1 incident
Atlassian status for Bitbucket: 1 incident

Two vulnerabilities noticed in Atlassian Jira could let an attacker steal account credentials

In October Bishop Fox, a cybersecurity services firm, issued an advisory about two vulnerabilities it noticed in Atlassian Jira Align, which allowed a user who had access to the service to easily gain access as an application administrator and, consequently, attack the Atlassian service.

Those two vulnerabilities were Server-Side Request Forgery (SSRF), tracked as CVE-2022-36802, and Insufficient Authorization Controls, tracked as CVE-2022-36802. The first one allowed the threat actor to obtain the AWS credentials of the Atlassian Jira service account and then access the Atlassian Cloud infrastructure as a user of Jira Align. The second one permitted users with the People role permission to upgrade their own and any other user’s role up to Super Admin. With this role, a user gained control over any setting in the Jira Align tenant, allowing them to modify Jira connections or security settings and reset user accounts.

Dark Reading

September

Atlassian Status for Jira: 8 incidents
Atlassian status for Bitbucket: 4 incidents

Bitbucket suffers two outages in a month

In September Atlassian experienced two partial outages. The first one took place on September 8th and lasted for about an hour. As the Atlassian team posted later on Atlassian Status: “we experienced requests timing for some of our customers for Atlassian Bitbucket. The issue has been resolved and the service is operating normally.”

The other outage happened on September 25th and lasted much longer than the previous one: 7 hours and 33 minutes. According to Atlassian some customers “using Bitbucket Cloud were unable to access their repositories.” As it turned out, this incident was triggered by an outage at the storage vendor Atlassian uses at its data center, caused by a firmware upgrade. Although the Atlassian team detected the incident within 14 minutes, it took hours to resolve the problem.

Atlassian Status

August

Atlassian Status for Jira: 5 incidents
Atlassian status for Bitbucket: 2 incidents

Atlassian warns its Bitbucket Server and Data Center users about another RCE vulnerability (9.9/10)

Atlassian issued yet another security advisory, this time for Bitbucket Server and Data Center users. It concerned a vulnerability tracked as CVE-2022-36804, a security flaw that received a CVSS severity score of 9.9 out of 10 and needed to be patched immediately. A threat actor could leverage this critical vulnerability to execute arbitrary code on vulnerable instances (according to Atlassian, this flaw affected all Bitbucket Server and Data Center versions after 6.10.17, as well as versions from 7.0.0 to 8.3.0).

Here is how the Atlassian advisory commented on the issue: “An attacker with access to a public repository or with read permissions to a private Bitbucket repository can execute arbitrary code by sending a malicious HTTP request.” Thus, to solve the problem there was no option but to apply the available security update or other mitigations immediately. Remote code execution (RCE) is the most potent of all vulnerability types, enabling crooks to do extensive damage while bypassing security measures, so that urgency was warranted.

Bleeping Computer

July

Atlassian Status for Jira: 9 incidents
Atlassian Status for Bitbucket: 5 incidents

June

Atlassian Status for Jira: 3 incidents
Atlassian status for Bitbucket: 9 incidents

SSRF flaw tracked in Jira could lead to leaked sensitive credentials

Researchers from Assetnote found a server-side request forgery (SSRF) vulnerability, tracked as CVE-2022-26135, in Jira and Jira Service Management. This vulnerability permitted attackers “to make requests to arbitrary URLs, with any HTTP method, header and body.”

Later Atlassian explained in its security advisory: “Depending on the environment the Jira instance is deployed in, the impact of this bug varies. For example, when deployed in AWS, it could leak sensitive credentials.” To solve the issue Atlassian suggested that users whose Jira site is not accessed via the atlassian.net domain update their Jira app, as they could be affected by the mentioned vulnerability.

The Daily Swig

May

Atlassian Status for Jira: 5 incidents
Atlassian status for Bitbucket: 5 incidents

April

Atlassian Status for Jira: 2 incidents
Atlassian status for Bitbucket: 2 incidents

An all-time Jira outage affects 775 customers and lasts for almost two weeks

About 775 Jira customers couldn’t access their data for almost two weeks, from April 5th to April 18th. To make a long story short, the reason behind it was a maintenance script that accidentally wiped hundreds of customer sites due to communication issues between two Atlassian teams working on deactivating a legacy app. The team used the wrong execution mode and the wrong list of IDs.

As a consequence, this human mistake led to catastrophic results for those who didn’t have a backup plan in place. Having analyzed the data Atlassian managed to gather during the incident investigation, Sri Viswanath, the Atlassian engineer, said: “The result was an immediate deletion of 883 sites (representing 775 customers) between 07:38 UTC and 08:01 UTC on Tuesday, April 5th, 2022.”

Bleeping Computer | GitProtect.io blog

A vulnerability found in Jira could permit an attacker to bypass authentication to a customer’s account

Another incident worth our attention is Atlassian’s announcement about a critical vulnerability which affected Jira. The security flaw, later identified as CVE-2022-0540, was in Seraph, the web authentication framework of Jira and Jira Service Management. Exploiting this vulnerability, a threat actor could bypass authentication and authorization using specially crafted HTTP requests.

Atlassian issued a statement: “Although the vulnerability is in the core of Jira, it affects first and third-party apps that specify roles required at the WebWork1 action namespace level and do not specify it at an action level.”

In a nutshell: this security flaw can bypass the authentication and authorization requirements in WebWork actions where a vulnerable configuration is used, yet a threat actor can only do so if no other authentication or authorization checks are in place.

Security Week

March

Atlassian Status for Jira: 5 incidents
Atlassian status for Bitbucket: 3 incidents

February

Atlassian Status for Jira: 1 incident
Atlassian status for Bitbucket: 4 incidents

January

Atlassian Status for Jira: 3 incidents
Atlassian status for Bitbucket: 3 incidents

What to do in 2023?

Atlassian outages and vulnerabilities: all of that tickled the nerves of Jira and Bitbucket users in 2022. We have counted 41 incidents in Bitbucket and 53 incidents in Jira mentioned on Atlassian Status. Atlassian Bitbucket users were fully or partially out of service for about 11 hours, while Jira users experienced a staggering 329 hours of outage.

Unfortunately, it is impossible to avoid situations like that entirely. All we can do is be ready to respond to security challenges by building a data protection strategy. Among other things, it should include credential security, secret scanning and backup.

Security of credentials

It is well known that credentials, passwords, and authentication tokens should be kept in a secure place. Password managers are a good option that eliminates keylogger risks. Security experts advise being creative when making up new passwords: create unique, abstract ones, and use upper- and lower-case letters, numbers and symbols, everything that can make your passwords unique and non-repeated. And… don’t forget to change your passwords at least every three months.

Two-factor authentication

Another important aspect of credential protection is 2FA. When you have 2FA turned on, nobody can access your account without your knowledge and approval from another source or piece of information. The most popular way is to approve the authentication with a mobile phone, either via SMS codes or authenticator applications. However, it’s worth considering a hardware key.

Secret scanning

When your team of developers collaborates on code, sensitive information like passwords, API keys, authentication tokens and other secrets can be accidentally added to your repositories. To protect your sensitive data, use secret scanning, which will track whether any sensitive data can potentially be exposed and trigger notifications if leaked secrets are detected within commits.
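As an added illustration of what such scanning does (this is not GitProtect’s code or any vendor’s scanner), here is a minimal Python secret scanner that checks only the added lines of a diff, matches two vendor-shaped key formats plus a generic “password/token = …” assignment rule, and uses placeholder and entropy filters to cut false positives; the sample diff, the key patterns and the thresholds are all constructed for this example.

```python
import re
from math import log2

# Constructed sample input (not a real leak): "+" lines as git diff would
# present them to a pre-receive hook or a CI secret-scanning job.
SAMPLE_DIFF = """\
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "hunter2"
+token = "ghp_abcdefghijklmnopqrstuvwxyz0123456789"
+API_KEY = "xxxxxxxx"
+README_TITLE = "Bitbucket backup guide"
-OLD_PASSWORD = "removed-lines-are-not-reported"
"""

# Rule order matters: vendor-shaped keys are checked before the generic rule,
# and only the first matching rule is reported for a line.
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("assigned_secret", re.compile(
        r"(?i)(?:password|passwd|secret|token|api[_-]?key)\s*[:=]\s*['\"]([^'\"]{6,})['\"]")),
]
PLACEHOLDERS = {"changeme", "example", "redacted", "todo"}  # assumed common dummies

def shannon_entropy(s):
    """Bits per character; repetitive filler like 'xxxxxxxx' scores 0."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * log2(n / len(s)) for n in counts.values())

def redact(value):
    """Keep only a short prefix so findings can be triaged without re-leaking the secret."""
    return value[:4] + "..." + "*" * (len(value) - 4)

def scan_diff(diff_text, entropy_floor=2.5):
    """Return (line_no, rule, redacted_value) for each added line that looks like a secret."""
    findings = []
    for line_no, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+"):
            continue  # only newly added content can introduce a leak
        for rule, pattern in RULES:
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            # Generic rule only: drop placeholders and low-entropy filler.
            if rule == "assigned_secret" and (value.lower() in PLACEHOLDERS
                                              or shannon_entropy(value) < entropy_floor):
                break
            findings.append((line_no, rule, redact(value)))
            break  # one finding per line
    return findings

if __name__ == "__main__":
    for line_no, rule, shown in scan_diff(SAMPLE_DIFF):
        print(f"line {line_no}: {rule} -> {shown}")
```

In a real pipeline the same function would run in a pre-receive hook or CI step and block or alert on a non-empty result rather than just print it.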

Backup

Outages happen for many reasons: hacker attacks, hardware or software failures, and human mistakes, the trigger of the “historical” Atlassian outage in April. However, you can take proactive measures and back up your environment, which will allow you to reduce the impact of downtime by running your backup copy and continuing your work without interruption. Those Jira users who had a Jira backup in place and ran it during the April Atlassian outage managed to continue their work without financial or data losses.

Useful resources:

E-books

The DevOps Guide to Backup in CI/CD
Git Backup Guide

Cheat Sheet

Bitbucket Backup Cheat Sheet
Jira Backup Cheat Sheet

Blog posts

Jira Backup Best Practices
Bitbucket Backup Best Practices
Bitbucket Backup Strategies – Backup and Data Recovery for Bitbucket
Why backup Jira – Is there Any Risk of Data Loss?
PRO Security Tips for Jira Admins

Videos

GitProtect Academy
