2023-01-12 Response can be replayed with modified id when only the Assertion is signed
| Summary | Response can be replayed with modified id when only the Assertion is signed |
|---|---|
| Advisory Release Date | 2023-01-12 |
| Products | SAML Single Sign-On (SSO) for JIRA; SAML Single Sign-On (SSO) for Confluence; SAML Single Sign-On (SSO) for Bitbucket |
| Affected SAML SSO versions | All app versions prior to the fixed versions |
| Fixed SAML SSO versions | See "Fixed App Versions by Host Product Versions" below |
| CVSS Score: Base Score / Temporal Score | AV:N / AC:H / PR:N / UI:R / S:U / C:L / I:L / A:N; 4.0 |
Summary
This advisory discloses a medium severity security vulnerability affecting our SAML Single Sign-On Plugin in all past versions.
Please upgrade your installations to fix this vulnerability.
Details
If an attacker could eavesdrop on the HTTPS-protected data exchanged between the user's browser and the Atlassian application and so get hold of a valid SAML Response from the IdP, they could replay this SAML Response with a modified ID and log in in place of the user named in the contained Assertion. The replay works because the app only tracked Response IDs for uniqueness; when the signature covers the Assertion alone, the unsigned Response ID can be changed without invalidating the signature, so the replayed message looks like a new one.
A potential attack would need to happen within the following circumstances:
- The attacker needs to get hold of a valid SAML Response from the Identity Provider, e.g. with a man-in-the-middle attack on the HTTPS connection transporting this response.
- The Response must be transported using the SAML POST binding.
- The signature must cover the Assertion only, and not the whole Response.
- The Response must be replayed within the valid timeframe.
The fixed versions not only check the Response-IDs for uniqueness, but also the Assertion-IDs.
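As an added illustration that is not the vendor's code, the following Python models the server-side replay check before and after the fix: the vulnerable cache tracks Response IDs only, the fixed cache tracks Assertion IDs as well. The SAML document and its IDs are constructed placeholders, and signature verification is assumed to be done elsewhere, so only the position of the ds:Signature element is inspected.

```python
# Added example (not the vendor's code): SP-side replay protection for a SAML Response,
# contrasting the pre-fix check (Response ID only) with the fixed check (Response and
# Assertion ID). Signature verification is assumed elsewhere; only the Signature's position is inspected.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample (placeholder IDs): Signature inside the Assertion only, the affected layout.
ASSERTION_SIGNED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_resp-1" Version="2.0">
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_asrt-1" Version="2.0">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
    <Subject><NameID>gonzo</NameID></Subject>
  </Assertion>
</samlp:Response>"""

def parse_ids(xml_text):
    """Return (response_id, assertion_id, signed_element) for a SAML Response."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if root.find("ds:Signature", NS) is not None:
        signed = "Response"    # signature covers the whole message, ID included
    elif assertion is not None and assertion.find("ds:Signature", NS) is not None:
        signed = "Assertion"   # only the Assertion is integrity-protected
    else:
        signed = None
    assertion_id = assertion.get("ID") if assertion is not None else None
    return root.get("ID"), assertion_id, signed

class ReplayCache:
    """IDs already consumed; a real cache would expire entries at NotOnOrAfter."""
    def __init__(self, check_assertion_id):
        self.seen = set()
        self.check_assertion_id = check_assertion_id
    def accept(self, xml_text):
        resp_id, asrt_id, signed = parse_ids(xml_text)
        if signed is None:
            return False       # unsigned message: never accept
        ids = [resp_id] + ([asrt_id] if self.check_assertion_id else [])
        if any(i in self.seen for i in ids):
            return False       # replay detected
        self.seen.update(ids)
        return True

def demo():
    # Present the same signed Assertion again under a fresh Response ID.
    replayed = ASSERTION_SIGNED.replace('ID="_resp-1"', 'ID="_resp-2"')
    vulnerable, fixed = ReplayCache(False), ReplayCache(True)
    return (vulnerable.accept(ASSERTION_SIGNED), vulnerable.accept(replayed),
            fixed.accept(ASSERTION_SIGNED), fixed.accept(replayed))
```

`demo()` returns `(True, True, True, False)`: the Response-ID-only check accepts the re-submitted message, the fixed check rejects it because the Assertion ID was already consumed.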
Example of a SAML Response that is potentially affected by this attack
The signature is part of the Assertion
```xml
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Destination="https://jira.example.com/plugins/servlet/samlsso" ID="_36aeea1b-062b-48aa-b730-5a58231d30ef" InResponseTo="RESOLUTION_e7a9d70a-b4ba-4363-9436-21469f45a13b" IssueInstant="2022-12-21T14:38:27.240Z" Version="2.0">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://idp.example.com/adfs/services/trust</Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_af0a38dd-adc1-4c63-929b-f52852dba8d2" IssueInstant="2022-12-21T14:38:27.240Z" Version="2.0">
    <Issuer>http://adfs3.lab.resolution.de/adfs/services/trust</Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      ...
    </ds:Signature>
    <Subject>
      <NameID>gonzo</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="RESOLUTION_e7a9d70a-b4ba-4363-9436-21469f45a13b" NotOnOrAfter="2022-12-21T14:43:27.240Z" Recipient="https://jira.example.com/plugins/servlet/samlsso"/>
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2022-12-21T14:38:27.239Z" NotOnOrAfter="2022-12-21T15:38:27.239Z">
      <AudienceRestriction>
        <Audience>https://jira.example.com/plugins/servlet/samlsso</Audience>
      </AudienceRestriction>
    </Conditions>
    <AuthnStatement AuthnInstant="2022-12-21T14:36:00.331Z" SessionIndex="_af0a38dd-adc1-4c63-929b-f52852dba8d2">
      <AuthnContext>
        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>
```
Example of a SAML response NOT affected by such an attack
The signature is part of the Response
```xml
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://jira.example.com/plugins/servlet/samlsso" ID="_d10291fb063e5962fe30a563ef200390" InResponseTo="RESOLUTION_a3700155-33f6-4e34-9768-935e2dad577f" IssueInstant="2022-12-21T15:08:59.753Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.com/jsd-jbr/</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    ...
  </ds:Signature>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_4adc529dd77db93a101fa07230371792" IssueInstant="2022-12-21T15:08:59.753Z" Version="2.0">
    <saml2:Issuer>https://idp.example.com/jsd-jbr/</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">admin</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="RESOLUTION_a3700155-33f6-4e34-9768-935e2dad577f" NotBefore="2022-12-21T15:08:57.644Z" NotOnOrAfter="2022-12-21T16:08:57.644Z" Recipient="https://jira.example.com/plugins/servlet/samlsso"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2022-12-21T15:08:57.644Z" NotOnOrAfter="2022-12-21T16:08:57.644Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>https://jira.example.com/plugins/servlet/samlsso</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2022-12-21T15:08:59.753Z" SessionIndex="_7c3094c7f0a0725b3034c6d33189dc3a">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
  </saml2:Assertion>
</saml2p:Response>
```
What You Need to Do
In general, please update the SAML SSO app to the latest versions. For information about how to update your apps, please refer to Atlassian's documentation on the topic.
If you cannot update the app, we recommend configuring your Identity Provider to sign the Response, so that the Response ID itself is covered by the signature. Whether and how this can be done depends on your IdP.
If you are using ADFS, this PowerShell command enables signatures for both the Response and the Assertion:
```powershell
Set-AdfsRelyingPartyTrust -TargetName "<relyingPartyIdentifier>" -SamlResponseSignature MessageAndAssertion
```
The updated versions of the app make the fix available for all currently supported versions of the Atlassian host products (Jira, Confluence, Bitbucket, Bamboo, Fisheye/Crucible). If you require a fixed app version for unsupported versions of the Atlassian host products that do not work with one of the updated versions as per the list below, please raise a support request via our Support Portal.
If you need help with either of these courses of action, please raise a support request via our Support Portal.
Support
If you have questions or concerns regarding this advisory, please raise a support request via our Support Portal.
Fixed App Versions by Host Product Versions
This table denotes which host product versions are compatible with which app versions (Atlassian Application → SAML SSO app version).
Jira
- 7.0.4 - 7.9.2 → 2.0.15
- 7.3.0 - 8.14.1 → 3.6.8
- 7.13.0 - 8.17.0 → 4.0.15
- 8.3.0 - latest → 6.2.5 or 6.3.0
Confluence
- 5.10.0 - 6.8.5 → 2.0.15
- 6.3.0 - 7.5.2 → 3.5.8
- 6.8.0 - 7.8.3 → 3.6.8
- 6.13.0 - 7.12.3 → 4.0.15
- 6.13.10 - latest → 6.2.5 or 6.3.0
Bitbucket
- 5.5.0 - 6.10.2 → 2.5.11
- 5.6.0 - 6.10.2 → 3.5.0.3
- 5.12.4 - 7.15.0 → 3.6.8
- 6.0.0 - 7.15.0 → 4.0.15
- 6.4.0 - latest → 6.2.5 or 6.3.0
Bamboo
- 5.12.0.2 - 6.10.6 → 2.5.11
- 6.8.0 - 7.2.5 → 4.0.15
- 6.10.2 - latest → 6.2.5 or 6.3.0
Fisheye/Crucible
- all → 2.5.11
For example, if you use Jira 6.6.0 with SAML SSO app version 2.0.14, you can update to 2.0.15 or 3.5.8.