"Atlassian Vulnerabilities Highlight Criticality of Cloud Services"

Two flaws in Atlassian Jira Align, an agile planning Software-as-a-Service (SaaS) tool, could allow ordinary service users to become application administrators and attack the Atlassian service itself. According to the cybersecurity services firm Bishop Fox, which discovered both flaws, the vulnerabilities emphasize the risk that well-known but often hard-to-detect bug classes pose to cloud services. Jira Align is used to set agile-development goals, track progress toward those goals, and create agile strategies. Because Atlassian provisioned every instance of Jira Align, an attacker could gain control of a portion of the company's cloud infrastructure, according to Bishop Fox.

The first flaw, a Server-Side Request Forgery (SSRF), could allow a user to obtain the AWS credentials of the Atlassian service account that provisioned the Jira Align instance. The second flaw, in the authorization mechanism for users with the People role, could allow those users to elevate their role to Super Admin, which grants access to all settings of the Jira Align tenant, including resetting accounts and modifying settings. Jake Shafer, the Bishop Fox security consultant who discovered the flaws, says that chaining the two could allow a significant attack: the authorization flaw makes any People-role user a tenant administrator, and the SSRF then turns that foothold into cloud credentials.

Companies should be aware that increasing reliance on cloud applications has made attacks on cloud services and workloads much more common. The Open Web Application Security Project (OWASP) ranks broken access control as the top category in its Top 10, with authentication failures also on the list, and automated tools have a difficult time identifying authorization issues, since a request that returns data the caller should not see looks like any other successful request unless the scanner knows the intended policy. SSRF, an established bug class that was added to the OWASP Top 10 in 2021, abuses server-side fetch functionality so that the cloud service's own servers make requests on the attacker's behalf, frequently circumventing network edge security and internal controls that trust traffic originating from the server itself. This article continues to discuss the two flaws in the popular developer cloud platform.
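The two flaw classes in the summary above, each shown as an unchecked form beside a hardened one, as an added example written for this page: it is not Atlassian's, Jira Align's or Bishop Fox's code, and it is not the mechanism of the actual Jira Align bugs, which the page does not detail. Assumed or constructed here: the host names, the `ROLE_RANK` ordering with a `people` role below `super_admin`, the DNS table inside `demo()`, and the use of the AWS instance metadata service (IMDS) as the SSRF target that yields the provisioning account's credentials.

```python
"""Checks for two flaw classes: an SSRF that reaches the cloud metadata service,
and a role-change endpoint that lets a low-privilege role grant itself Super Admin.
Example code written for this page; hostnames, roles and the DNS table are constructed."""
import ipaddress
import socket
from dataclasses import dataclass
from urllib.parse import urlsplit

# Ranges an outbound request built from user input must never reach. 169.254.0.0/16
# and fd00:ec2::/32 contain the AWS IMDS; its /latest/meta-data/iam/security-credentials/
# path returns temporary keys for the instance's IAM role, which is how an SSRF
# becomes stolen cloud credentials. ::ffff:0:0/96 catches IPv4-mapped spellings.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10", "fd00:ec2::/32", "::ffff:0:0/96",
)]


def resolve(host):
    """Every address the host resolves to (scope ids stripped); injectable for offline use."""
    return {info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)}


def vulnerable_fetch_target(url):
    """Before: the URL is used as given, so a user can point the server at IMDS."""
    return urlsplit(url).geturl()


def safe_fetch_target(url, resolver=resolve):
    """After: allow only http(s), resolve the host, and reject the request if any
    resulting address (a name may resolve to several) falls in a blocked range."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no host")
    try:
        addrs = {ipaddress.ip_address(parts.hostname)}  # IP literal: no DNS needed
    except ValueError:
        addrs = {ipaddress.ip_address(a) for a in resolver(parts.hostname)}
    for addr in addrs:
        if any(addr in net for net in BLOCKED_NETS):
            raise ValueError(f"{parts.hostname} resolves to blocked address {addr}")
    return parts.geturl()


ROLE_RANK = {"viewer": 0, "people": 1, "admin": 2, "super_admin": 3}  # constructed model


@dataclass
class User:
    id: str
    role: str


def vulnerable_set_role(actor, target, new_role):
    """Before: checks that the actor may edit people records at all, but not which
    role it may hand out or to whom, so a People user can make itself super_admin."""
    if ROLE_RANK[actor.role] < ROLE_RANK["people"]:
        raise PermissionError("not allowed to edit users")
    target.role = new_role
    return target.role


def safe_set_role(actor, target, new_role):
    """After: authorize the role value, not just the endpoint. Nobody edits their own
    role; below super_admin, an actor may only grant roles below its own, and only
    to users whose current role is below its own."""
    if new_role not in ROLE_RANK:
        raise ValueError(f"unknown role {new_role!r}")
    if actor.id == target.id:
        raise PermissionError("users may not change their own role")
    rank = ROLE_RANK[actor.role]
    if actor.role != "super_admin" and (
        ROLE_RANK[new_role] >= rank or ROLE_RANK[target.role] >= rank
    ):
        raise PermissionError(f"{actor.role} may not grant {new_role} to a {target.role}")
    target.role = new_role
    return target.role


def outcome(fn, *args):
    """('ok', value) or ('denied', message), so results can be compared directly."""
    try:
        return ("ok", fn(*args))
    except (ValueError, PermissionError) as exc:
        return ("denied", str(exc))


def demo():
    """Run both before/after pairs on constructed input and return the results."""
    imds = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
    # Constructed DNS table: an attacker-controlled name pointing at IMDS, and a
    # legitimate host in 203.0.113.0/24 (documentation space; nothing is contacted).
    fake_dns = {"reports.example.internal": {"169.254.169.254"},
                "api.example.com": {"203.0.113.10"}}
    resolver = lambda host: fake_dns[host]
    people_user = User("u-42", "people")  # holder of the People role
    super_admin = User("u-1", "super_admin")
    return {
        "vuln_fetch": vulnerable_fetch_target(imds),
        "safe_fetch_literal": outcome(safe_fetch_target, imds, resolver),
        "safe_fetch_mapped": outcome(safe_fetch_target, "http://[::ffff:169.254.169.254]/", resolver),
        "safe_fetch_dns": outcome(safe_fetch_target, "https://reports.example.internal/x", resolver),
        "safe_fetch_ok": outcome(safe_fetch_target, "https://api.example.com/v1/items", resolver),
        "vuln_self_elevate": outcome(vulnerable_set_role, User("u-42", "people"), User("u-42", "people"), "super_admin"),
        "safe_self_elevate": outcome(safe_set_role, people_user, User("u-42", "people"), "super_admin"),
        "safe_people_grants_other": outcome(safe_set_role, people_user, User("u-9", "viewer"), "super_admin"),
        "safe_admin_grant": outcome(safe_set_role, super_admin, User("u-7", "viewer"), "admin"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two caveats a reviewer would raise on the SSRF half. The resolve-then-fetch check leaves a rebinding window, so the HTTP client should connect to the address that was checked rather than resolving again, and every redirect must be re-checked as a fresh URL. On the AWS side, requiring IMDSv2 (a session token obtained with a PUT request, and a hop limit of 1 on the instance) means a GET-only SSRF on the application cannot retrieve the instance role's credentials even if the application-level filter is bypassed.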

Dark Reading reports "Atlassian Vulnerabilities Highlight Criticality of Cloud Services"