2021-07-29 Authentication Bypass: Network Attacker Can Login to Users’ Accounts when Usernames are Known

Updated Advisory 2021-08-12

The resolution team has released comprehensive security fixes for all SAML SSO plugins that address additional scenarios related to the vulnerability identified on July 27th.

Please update to the versions listed in this page even if you already updated to the prior fixes.

Summary

This advisory discloses a critical severity security vulnerability affecting our SAML Single Sign-On Plugin in all past versions.

Please upgrade your installations to fix this vulnerability.

Details

The security vulnerability has been made known to us via disclosure from a researcher. To our knowledge, this is currently not otherwise known or widely exploited.

Due to the severe nature of this vulnerability, we will not currently provide detailed information that may increase the risk of it being exploited. We will first allow a time window that customers should utilize to upgrade to the fixed versions.

For the vulnerability fixed on 2021-07-29, there is an imperfect way to detect whether this vulnerability was exploited on your instance. For information on how to do this, please contact us with your valid, non-evaluation app SEN via our Support Portal . For the additional fix released on 2021-08-12, there is unfortunately no easy way to detect if it was exploited.

What You Need to Do

In general, please update the SAML SSO app to the latest versions. For information about how to update your apps, please refer to Atlassian's documentation on the topic

If you cannot update the app, the only way to get rid of this vulnerability is to disable the app. Note that this will result in loss of Single Sign-On capability for all users on the effected system.

You might be able to mitigate the impact by restricting access to the product from the internet to only your known users using an internal VPN or a similarly private network. Note that this requires you to trust your users not to exploit this vulnerability.

The updated versions of the app make the fix available for all currently supported versions of the Atlassian host products (Jira, Confluence, Bitbucket, Bamboo, Fisheye/Crucible). If you require a fixed app version for unsupported Atlassian host products that do not work with one of the provided versions, please raise a support request via our Support Portal. 

If you need help with either of these courses of action, please raise a support request via our Support Portal. 

Support

If you have questions or concerns regarding this advisory, please raise a support request via our Support Portal.

Fixed App Versions by Host Product Versions

This table denotes which host product versions are compatible with which app versions (Atlassian Application → SAML SSO app version). 

• Jira

  • 7.0.4 - 7.9.2 → 2.0.14

  • 7.3.0 - 8.14.1 → 3.6.7

  • 7.13.0 - 8.17.0 → 4.0.13

  • 8.3.0 - 8.18.1 → 5.0.6

• Confluence

  • 5.10.0 - 6.8.5 → 2.0.14
  • 6.3.0 - 7.5.2 → 3.5.7

  • 6.8.0 - 7.8.3 → 3.6.7

  • 6.13.0 - 7.12.3 → 4.0.13

  • 7.0.1 - 7.12.3 → 5.0.6

• Bitbucket

  • 5.5.0 - 6.10.2 → 2.5.10

  • 5.12.4 - 7.15.0 → 3.6.7

  • 6.0.0 - 7.15.0 → 4.0.13

  • 6.4.0 - 7.15.0 → 5.0.6

• Bamboo

  • 5.12.0.2 - 6.10.6 → 2.5.10

  • 6.6.0 - 7.1.4 → 3.6.7

  • 6.8.0 - 7.2.5 → 4.0.13

  • 6.10.2 - 7.2.5 → 5.0.6

• Fisheye/Crucible

  • 4.2.0 - 4.8.7 → 2.5.10

For example, if you use Bamboo 6.6.0 with SAML SSO app version 2.5.5, you can update to 2.5.10 or 3.6.7