This page collects information about how resolution's apps may be affected by Atlassian's vulnerabilities CVE-2022-26136 and CVE-2022-26137.


Vulnerability: Multiple Servlet Filter Vulnerabilities
Atlassian Security Advisory: Multiple Products Security Advisory 2022-07-20
CVE Records: CVE-2022-26136, CVE-2022-26137

We don't have a lot of information about this vulnerability, since Atlassian hasn't disclosed to Marketplace Partners like us any details beyond what has been shared with the general public.

However, based on our understanding of the description, the consequences listed below may arise if you do not update your instance. We have not been able to verify them yet, and regardless of this assessment we generally recommend that you update your instance as fast as possible to one of the Fixed Versions listed by Atlassian.

API Token Authentication

With this app, the authentication does happen in a Servlet Filter. However, no security breach should result: if the filter is skipped, API Tokens will simply not work. If the filter is called in an unexpected context, it should behave as expected, so a valid token is still required.

  • Basic auth block circumvention
    If you have disabled Basic Authentication with regular passwords using our app, this block can probably be circumvented.
  • Rate Limit
    Rate limiting for requests with API tokens enforced by our app may be circumvented.
  • Privilege escalation with API tokens
    The Read-Only scope assigned to a token might be circumvented, so that a request made with that token could perform Read-Write operations instead.

SAML SSO

  • Force SSO URLs circumvention
    Redirection to SSO on those pages can probably be circumvented, so only the default page restrictions apply. If you use this as a security feature, be aware that these pages might no longer require SSO.

HTTP Header Auth and AWS ALB authentication

In HTTP Header Auth and AWS ALB authentication, the authentication does happen in a servlet filter. However, no security breach should be possible: if the filter is skipped, authentication by HTTP headers will simply not work. If the filter is called in an unexpected context, the expected HTTP headers are still checked as they should be.

Other applications

Our other apps' functionality can probably be disabled for those attacker requests, but this would only mean that the functionality is absent for those requests. This vulnerability seems to be problematic for apps that enforce security features by denying functionality via servlet filters. The only such features we are currently aware of are listed above.
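As an added illustration that is neither resolution's code nor taken from this page, the hypothetical Java servlet filters below contrast the two designs the text distinguishes: a filter that only establishes a token's scope fails closed when skipped, while a filter that is the sole place a restriction is denied fails open, and a check at the point of use is what keeps the restriction independent of whether any filter ran. The header name, request attribute key and TokenStore interface are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class ScopeEnforcementExample {
    enum Scope { NONE, READ_ONLY, READ_WRITE }

    /** Hypothetical token lookup; stands in for whatever store an app uses. */
    interface TokenStore { Scope scopeOf(String token); }
    static final String SCOPE_ATTR = "example.tokenScope";

    /** Fail-closed: the filter only attaches the token's scope to the request.
     *  Skipping it leaves no scope attached, so the request is treated as NONE
     *  downstream and nothing is gained by bypassing the filter. */
    public static class TokenScopeFilter implements Filter {
        private final TokenStore store;
        public TokenScopeFilter(TokenStore store) { this.store = store; }
        public void init(FilterConfig c) {}
        public void destroy() {}
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            String token = ((HttpServletRequest) req).getHeader("X-Example-Token");
            if (token != null) req.setAttribute(SCOPE_ATTR, store.scopeOf(token));
            chain.doFilter(req, res);
        }
    }

    /** Fail-open anti-pattern: the Read-Only restriction exists only because this
     *  filter denies writes. If the filter does not run, the write goes through. */
    public static class DenyWritesFilter implements Filter {
        public void init(FilterConfig c) {}
        public void destroy() {}
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest r = (HttpServletRequest) req;
            if (!"GET".equals(r.getMethod()) && r.getAttribute(SCOPE_ATTR) != Scope.READ_WRITE) {
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            chain.doFilter(req, res);
        }
    }

    /** Enforcing at the point of use does not depend on any filter having run:
     *  a missing attribute is simply not READ_WRITE, so the write is refused. */
    static void requireWriteScope(HttpServletRequest r) {
        if (r.getAttribute(SCOPE_ATTR) != Scope.READ_WRITE)
            throw new SecurityException("write requires a READ_WRITE token scope");
    }
}
```

Write handlers that call requireWriteScope keep the Read-Only restriction even when DenyWritesFilter never runs, which is the property the assessment above relies on for the API Token filter.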

Based on our understanding of Additional Servlet Filter Invocation (CVE-2022-26137), there should be no additional impact on your instance from our apps.