Summary

Response can be replayed with a modified ID when only the Assertion is signed

Advisory Release Date

2023-01-12

Products

SAML Single Sign-On (SSO) for JIRA

SAML Single Sign-On (SSO) for Confluence

SAML Single Sign-On (SSO) Bitbucket

SAML Single Sign-On (SSO) for Bamboo

SAML Single Sign-On (SSO) for Fisheye

Affected SAML SSO versions

All app versions prior to the fixed versions

Fixed SAML SSO versions
  • 6.3.0 (Jira, Confluence, Bitbucket, Bamboo)
  • 6.2.5 (Jira, Confluence, Bitbucket, Bamboo)
  • 4.0.15 (Jira, Bitbucket, Bamboo)
  • 3.6.8 (Jira, Confluence, Bitbucket)
  • 3.5.8 (Confluence)
  • 3.5.0.3 (Bitbucket)
  • 2.5.11 (Bitbucket, Bamboo, Fisheye)
  • 2.0.15 (Jira, Confluence)
CVSS Score: Base Score / Temporal Score

AV:N / AC:H / PR:N / UI:R / S:U / C:L / I:L / A:N (score 4.0)

Summary

This advisory discloses a medium severity security vulnerability affecting our SAML Single Sign-On Plugin in all past versions.

Please upgrade your installations to fix this vulnerability.

Details

If an attacker could eavesdrop on the HTTPS-protected data exchanged between the user's browser and the Atlassian application and get hold of a valid SAML Response from the IdP, they could replay this SAML Response with a modified ID to log in as the user named in the contained Assertion.

A potential attack would need to happen within the following circumstances:

  • The attacker needs to get hold of a valid SAML Response from the Identity Provider, e.g. via a man-in-the-middle attack on the HTTPS connection transporting this response.
  • The Response must be transported using the SAML POST-binding.
  • The signature must cover the Assertion only, and not the whole Response.
  • The Response must be replayed within the valid timeframe.

The fixed versions check not only the Response IDs for uniqueness, but also the Assertion IDs.
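The following is an added illustration, not code from the app: a minimal service-provider replay cache that models the flaw and the fix. The vulnerable variant remembers only Response IDs, so a replayed Response whose (unsigned) ID was changed is accepted; the fixed variant also remembers the Assertion ID, which the signature covers. The SAML messages are constructed samples with the signature omitted, and signature and time-window validation are assumed to happen before this check.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (not from the advisory): signature element omitted; assume
# it has already been verified and covers only the Assertion, as in the affected
# example. Only the Response ID varies between the original and the replay.
RESPONSE_TEMPLATE = """<samlp:Response xmlns:samlp="{samlp}" ID="{rid}" Version="2.0">
  <saml:Assertion xmlns:saml="{saml}" ID="_assertion-1" Version="2.0">
    <saml:Subject><saml:NameID>gonzo</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def build_response(response_id):
    return RESPONSE_TEMPLATE.format(rid=response_id, **NS)


def extract_ids(xml_text):
    """Return (Response ID, Assertion ID) of a SAML Response."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    return root.get("ID"), assertion.get("ID")


class ReplayCache:
    """Remembers IDs already consumed. In a real SP, entries are kept at
    least until the Assertion's NotOnOrAfter has passed."""

    def __init__(self, check_assertion_id):
        self.check_assertion_id = check_assertion_id
        self.seen = set()

    def accept(self, xml_text):
        """True if the message is new, False if any tracked ID was seen before."""
        response_id, assertion_id = extract_ids(xml_text)
        keys = [("response", response_id)]
        if self.check_assertion_id:          # the fix: also track Assertion IDs
            keys.append(("assertion", assertion_id))
        if any(k in self.seen for k in keys):
            return False
        self.seen.update(keys)
        return True


def simulate(check_assertion_id):
    """Deliver a Response, then replay it with a fresh Response ID."""
    cache = ReplayCache(check_assertion_id)
    first = cache.accept(build_response("_resp-original"))
    replay = cache.accept(build_response("_resp-modified"))
    return first, replay   # vulnerable: (True, True); fixed: (True, False)
```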

Example of a SAML Response that is potentially affected by this attack

The signature is part of the Assertion

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Destination="https://jira.example.com/plugins/servlet/samlsso" ID="_36aeea1b-062b-48aa-b730-5a58231d30ef" InResponseTo="RESOLUTION_e7a9d70a-b4ba-4363-9436-21469f45a13b" IssueInstant="2022-12-21T14:38:27.240Z" Version="2.0">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://idp.example.com/adfs/services/trust</Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_af0a38dd-adc1-4c63-929b-f52852dba8d2" IssueInstant="2022-12-21T14:38:27.240Z" Version="2.0">
    <Issuer>http://adfs3.lab.resolution.de/adfs/services/trust</Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      ...
    </ds:Signature>
    <Subject>
      <NameID>gonzo</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="RESOLUTION_e7a9d70a-b4ba-4363-9436-21469f45a13b" NotOnOrAfter="2022-12-21T14:43:27.240Z" Recipient="https://jira.example.com/plugins/servlet/samlsso"/>
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2022-12-21T14:38:27.239Z" NotOnOrAfter="2022-12-21T15:38:27.239Z">
      <AudienceRestriction>
        <Audience>https://jira.example.com/plugins/servlet/samlsso</Audience>
      </AudienceRestriction>
    </Conditions>
    <AuthnStatement AuthnInstant="2022-12-21T14:36:00.331Z" SessionIndex="_af0a38dd-adc1-4c63-929b-f52852dba8d2">
      <AuthnContext>
        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>

Example of a SAML response NOT affected by such an attack

The signature is part of the Response

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://jira.example.com/plugins/servlet/samlsso" ID="_d10291fb063e5962fe30a563ef200390" InResponseTo="RESOLUTION_a3700155-33f6-4e34-9768-935e2dad577f" IssueInstant="2022-12-21T15:08:59.753Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.com/jsd-jbr/</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    ...
  </ds:Signature>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_4adc529dd77db93a101fa07230371792" IssueInstant="2022-12-21T15:08:59.753Z" Version="2.0">
    <saml2:Issuer>https://idp.example.com/jsd-jbr/</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">admin</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="RESOLUTION_a3700155-33f6-4e34-9768-935e2dad577f" NotBefore="2022-12-21T15:08:57.644Z" NotOnOrAfter="2022-12-21T16:08:57.644Z" Recipient="https://jira.example.com/plugins/servlet/samlsso"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2022-12-21T15:08:57.644Z" NotOnOrAfter="2022-12-21T16:08:57.644Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>https://jira.example.com/plugins/servlet/samlsso</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2022-12-21T15:08:59.753Z" SessionIndex="_7c3094c7f0a0725b3034c6d33189dc3a">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
  </saml2:Assertion>
</saml2p:Response>

What You Need to Do

In general, please update the SAML SSO app to the latest versions. For information about how to update your apps, please refer to Atlassian's documentation on the topic.

If you cannot update the app, we recommend configuring your Identity Provider to sign the Response. Whether and how this can be done depends on your IdP.

If you are using ADFS, this PowerShell command enables signatures for both the Response and the Assertion:

Set-AdfsRelyingPartyTrust -targetname "<relyingPartyIdentifier>" -SamlResponseSignature MessageAndAssertion

The updated versions of the app make the fix available for all currently supported versions of the Atlassian host products (Jira, Confluence, Bitbucket, Bamboo, Fisheye/Crucible). If you require a fixed app version for unsupported versions of the Atlassian host products that do not work with one of the updated versions as per the list below, please raise a support request via our Support Portal.

If you need help with either of these courses of action, please raise a support request via our Support Portal.

Support

If you have questions or concerns regarding this advisory, please raise a support request via our Support Portal.

Fixed App Versions by Host Product Versions

This list shows which host product versions are compatible with which app versions (Atlassian application → SAML SSO app version).

  • Jira
    • 7.0.4 - 7.9.2 → 2.0.15
    • 7.3.0 - 8.14.1 → 3.6.8
    • 7.13.0 - 8.17.0 → 4.0.15
    • 8.3.0 - latest → 6.2.5 or 6.3.0

  • Confluence
    • 5.10.0 - 6.8.5 → 2.0.15
    • 6.3.0 - 7.5.2 → 3.5.8
    • 6.8.0 - 7.8.3 → 3.6.8
    • 6.13.0 - 7.12.3 → 4.0.15
    • 6.13.10 - latest → 6.2.5 or 6.3.0

  • Bitbucket
    • 5.5.0 - 6.10.2 → 2.5.11
    • 5.6.0 - 6.10.2 → 3.5.0.3
    • 5.12.4 - 7.15.0 → 3.6.8
    • 6.0.0 - 7.15.0 → 4.0.15
    • 6.4.0 - latest → 6.2.5 or 6.3.0

  • Bamboo
    • 5.12.0.2 - 6.10.6 → 2.5.11
    • 6.8.0 - 7.2.5 → 4.0.15
    • 6.10.2 - latest → 6.2.5 or 6.3.0

  • Fisheye/Crucible
    • all → 2.5.11

For example, if you use Jira 6.6.0 with SAML SSO app version 2.0.14, you can update to 2.0.15 or 3.5.8.