Jira Bug Exposes Organizations’ AWS Server Keys

Several organizations’ private server keys were exposed by a bug in Jira, Atlassian’s popular development tracking software. Older versions of Jira contain a proxy that is vulnerable to cross-site scripting (XSS) and server-side request forgery (SSRF) attacks, and cybercriminals can easily abuse it. Information gathered this way can be used to access the affected organizations’ Amazon Web Services (AWS) accounts.

The open-source Atlassian OAuth plugin, which implements the OAuth authentication protocol, is included in most Atlassian products and runs on servers that are reachable both directly from the internet and from the internal network. The vulnerability allows unauthenticated HTTP GET requests to reach resources on the internal network and to spoof pages. Through an SSRF attack that extracts AWS instance metadata, cybercriminals can easily steal sensitive information or do further damage from inside the network. A spoofed page can also be used to phish credential keys or to publish malicious content from a trusted domain without being detected.
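As an added example that is not from the article or from Atlassian, here is a small log check a defender could run over Jira access logs for the SSRF pattern described above: requests to the OAuth plugin's proxy servlet whose URL-valued parameter points at the AWS instance metadata address (169.254.169.254) or another internal host. The servlet prefix `/plugins/servlet/oauth/`, the `consumerUri` parameter name and the log lines are assumptions constructed for this example, so adjust them to your own deployment.

```python
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit
# Assumption: the OAuth plugin's proxy servlet lives under this prefix; verify it on your own deployment.
OAUTH_SERVLET_PREFIX = "/plugins/servlet/oauth/"
# Tomcat/Jira access-log shape: client - user [timestamp] "METHOD target PROTO" status bytes
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def is_internal_host(host):
    # Loopback, RFC 1918 and link-local count as internal; 169.254.169.254 (AWS metadata) is link-local.
    if host.lower() == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # DNS names are not resolved here, so they are not judged internal
    return ip.is_private or ip.is_loopback or ip.is_link_local

def internal_url_params(target):
    # Query parameters of an OAuth-servlet request whose value is a URL aimed at an internal host.
    parts = urlsplit(target)
    if not parts.path.startswith(OAUTH_SERVLET_PREFIX):
        return []
    hits = []
    for name, values in parse_qs(parts.query).items():
        for value in values:
            inner = urlsplit(unquote(value))  # parse_qs decoded once; decode again to catch double encoding
            if inner.scheme in ("http", "https") and inner.hostname and is_internal_host(inner.hostname):
                hits.append((name, inner.geturl()))
    return hits

def scan(lines):
    # One alert per (request, parameter) that steered the proxy toward an internal address.
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            for param, url in internal_url_params(m["target"]):
                alerts.append({"src": m["src"], "param": param, "url": url, "status": int(m["status"])})
    return alerts

# Constructed sample log (not real traffic): a page view, a legitimate external fetch, a metadata fetch, an internal-host fetch, and a double-encoded metadata fetch.
SAMPLE_LOG = """\
198.51.100.7 - jdoe [10/Nov/2017:08:10:02 +0000] "GET /browse/PROJ-123 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Nov/2017:08:12:31 +0000] "GET /plugins/servlet/oauth/proxy?consumerUri=https%3A%2F%2Fpartner.example.com%2Ficon.png HTTP/1.1" 200 340
203.0.113.5 - - [10/Nov/2017:08:12:44 +0000] "GET /plugins/servlet/oauth/proxy?consumerUri=http%3A%2F%2F169.254.169.254%2F HTTP/1.1" 200 1203
203.0.113.5 - - [10/Nov/2017:08:13:01 +0000] "GET /plugins/servlet/oauth/proxy?consumerUri=http%3A%2F%2F10.0.0.12%3A8080%2F HTTP/1.1" 200 88
203.0.113.5 - - [10/Nov/2017:08:13:20 +0000] "GET /plugins/servlet/oauth/proxy?consumerUri=http%253A%252F%252F169.254.169.254%252F HTTP/1.1" 200 1203
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(alert)
```

A 200 status on a flagged request is the strongest signal, since it means the proxy actually fetched and returned the internal resource.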


While this bug was patched in March 2017, many companies running legacy or older versions of the affected systems have yet to update their software, and several groups that researchers notified of the vulnerabilities were not aware of the bug. Atlassian did not release a security advisory on its website; CVE-2017-9506 does not list the affected products separately and refers only to the OAuth component. The affected Atlassian product versions are:

  • All versions of Bamboo before 6.0.0.
  • All versions of Confluence before 6.1.3.
  • All versions of Jira before 7.3.5.
  • All versions of Bitbucket before 4.14.4.
  • All versions of Crowd before 2.11.2.
  • All versions of Crucible & Fisheye before 4.3.2.

Among the organizations whose servers were exposed, but which have since updated their software or taken their servers offline, were the productivity software company Easy Metrics, the U.S. Department of Health and Human Services’ Agency for Healthcare Research and Quality, and the television and media company A&E Networks. Other companies that have been notified but have not yet resolved the server vulnerabilities are not being identified. Clients who use third-party providers are advised to contact their administrators to block the proxy and upgrade their software versions.


Trend Micro Deep Discovery provides detection, in-depth analysis, and proactive response to attacks using exploits through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect similar threats even without any engine or pattern update.
