Security Experts:

Atlassian Fixes Critical Vulnerability in Several Products

Australia-based enterprise software provider Atlassian has released updates to address a serious vulnerability affecting several of the company’s solutions.

The issue, an Object-Graph Navigation Language (OGNL) double evaluation vulnerability, has been rated as critical, which indicates that it has a CVSS score ranging between 8.0 and 10.

“Attackers can use this vulnerability to execute Java code of their choice on systems that use this framework,” Atlassian explained in its advisory.

The company has pointed out that an attacker needs to be able to access the Web interface of the affected product in order to execute arbitrary code.

The vulnerability affects version 5.6 and earlier of the team collaboration solution Confluence, version 3.6.1 and earlier of revision-control browser and search engine FishEye, version 5.7 and earlier of the continuous integration server Bamboo, and version 3.6.1 and earlier of the collaborative code review tool Crucible.

Updates that address the security hole have been made available for each of these products. Users are advised to apply the patches as soon as possible.

Organizations that are unable to update their installations right away can protect themselves against potential attacks by limiting access to the server Web interface to trusted networks. They can also block certain types of requests (described in the advisories for each of the affected products) with a firewall or reverse proxy.

“As of September 2014, we no longer provide binary bug patches. Instead we create new maintenance releases for the major versions we backport to,” Atlassian noted.

However, since this policy is new and in transition, the company has provided patches for Confluence versions from 4.3.x and 5.4.x, and Bamboo versions from 5.1 to 5.7. The vulnerability does not affect Atlassian Cloud customers using Confluence and Bamboo.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.