Security vulnerability in EasySSO HTTP Headers authenticator
Incident Report for TechTime Initiative Group
Resolved
All Customers with active EasySSO licenses have been informed. Atlassian has been informed. The documentation has been updated:

http://techtime.co.nz/display/TECHTIME/EasySSO+with+Headers
http://techtime.co.nz/display/TECHTIME/EasySSO+with+Headers+-+Configuration
Posted Oct 23, 2019 - 15:00 NZDT
Monitoring
This vulnerability exists in all versions of the app starting from 3.0.0.

The other four authenticators (NTLM, Kerberos, SAML and X.509) are not affected.
Unfortunately, there is no way for us to tell what specific authenticator customers like you are using, so we are informing everyone.

The possible attack is predicated on the ability of a malicious client to reach an Atlassian application (configured with EasySSO HTTP Headers authentication) directly over the network, either via non-proxied access or through a proxy that is not configured securely. Though it was never envisioned that the HTTP Headers authenticator would be deployed insecurely with such access possible, we nevertheless accept this as a problem in our product.
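To make that trust boundary concrete, here is an added example (not EasySSO's or TechTime's code; the header name X-Remote-User, the proxy address and the sample requests are assumptions) modelling both sides of a header-based SSO deployment: the proxy that forwards the identity header, and the application that decides whether to honour it.

```python
# Added illustration of header-based SSO trust (not EasySSO code).
# Header name, proxy address and requests below are constructed assumptions.
import ipaddress

IDENTITY_HEADER = "X-Remote-User"                         # assumed header name
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]   # constructed proxy address


def user_from_headers_unsafe(request):
    """Vulnerable pattern: trust the identity header no matter who sent it.
    A client that reaches the application directly, or through a proxy that
    passes client headers through, can name any user it likes."""
    return request["headers"].get(IDENTITY_HEADER)


def user_from_headers_hardened(request):
    """Mitigated pattern: honour the header only when the TCP peer is the
    trusted proxy. 'remote_addr' is the socket peer, deliberately not
    X-Forwarded-For, which a direct client could also forge."""
    peer = ipaddress.ip_address(request["remote_addr"])
    if not any(peer in net for net in TRUSTED_PROXIES):
        return None   # direct access: identity headers are ignored entirely
    return request["headers"].get(IDENTITY_HEADER)


def proxy_forward_insecure(client_headers, authenticated_user):
    """Proxy misconfiguration: client headers pass through and the identity
    header is only added when missing, so a client-supplied value survives."""
    forwarded = dict(client_headers)
    forwarded.setdefault(IDENTITY_HEADER, authenticated_user)
    return forwarded


def proxy_forward_secure(client_headers, authenticated_user):
    """Proxy strips any client-supplied identity header (case-insensitively)
    and sets its own value only for requests it has itself authenticated."""
    forwarded = {k: v for k, v in client_headers.items()
                 if k.lower() != IDENTITY_HEADER.lower()}
    if authenticated_user is not None:
        forwarded[IDENTITY_HEADER] = authenticated_user
    return forwarded


# Constructed sample requests: one via the proxy, one hitting the app directly.
VIA_PROXY = {"remote_addr": "10.0.0.5", "headers": {"X-Remote-User": "alice"}}
DIRECT = {"remote_addr": "192.0.2.77", "headers": {"X-Remote-User": "admin"}}
```

Both checks are needed together: the peer check stops non-proxied access, and the header overwrite stops a forged value riding through a proxy that merely appends.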

We have scored the vulnerability with a CVSS base score of 8.1 (High).
The full CVSS 3.1 vector is: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:F/RL:O/RC:C

If you or your security team have questions about the exact nature of the vulnerability, please get back in touch with us at support@techtime.co.nz

Please first confirm that you are actually using the HTTP Headers authenticator with EasySSO (most of our clients do not).

Here's how you can check:

In the current EasySSO versions, this can be done in Administration/Manage Add-Ons/TechTime Add-ons/EasySSO/Headers
In the older EasySSO versions, the same screen is available in Administration/Manage Add-Ons/TechTime Add-Ons/EasySSO/Advanced/Advanced Filtering Configuration/Custom Authentication

If you see no rows configured for any headers or attributes, you are NOT affected.

If you are using the HTTP Headers authenticator, please update to the latest version of EasySSO.

If the version of the base app that you run is not listed as compatible, please get back to us and we will issue a hotfix compatible with the version of the base application that you need.

We have issued versions 4.2.9 and 3.1.8 with the fix.

Server:
Jira: https://marketplace.atlassian.com/apps/1212581/easy-sso-jira-kerberos-ntlm-saml/version-history#b4002009005
Confluence: https://marketplace.atlassian.com/apps/1212583/easy-sso-confluence-kerberos-ntlm-saml/version-history#b4002009005
Bitbucket: https://marketplace.atlassian.com/apps/1214247/easy-sso-bitbucket-kerberos-ntlm-saml/version-history#b4002009005
Bamboo: https://marketplace.atlassian.com/apps/1214240/easy-sso-bamboo-kerberos-ntlm/version-history#b300100800
Fisheye/Crucible: https://marketplace.atlassian.com/apps/1214200/easy-sso-fisheye-kerberos-ntlm/version-history#b300100710

Data Center:
Jira: https://marketplace.atlassian.com/apps/1212581/easy-sso-jira-kerberos-ntlm-saml/version-history#b4002009000
Confluence: https://marketplace.atlassian.com/apps/1212583/easy-sso-confluence-kerberos-ntlm-saml/version-history#b4002009000
Bitbucket: https://marketplace.atlassian.com/apps/1214247/easy-sso-bitbucket-kerberos-ntlm-saml/version-history#b4002009000
Posted Oct 14, 2019 - 16:30 NZDT
Identified
We have confirmed the issue and are working on the fix.
Posted Oct 01, 2019 - 20:15 NZDT
Investigating
We have been made aware of a potential security vulnerability in the HTTP Headers authenticator included in EasySSO.
Posted Sep 30, 2019 - 19:15 NZDT
This incident affected: TechTime Server Apps (EasySSO for Jira Server, EasySSO for Confluence Server, EasySSO for Bitbucket Server, EasySSO for Bamboo Server, EasySSO for Fisheye/Crucible Server) and TechTime Data Center Apps (EasySSO for Bitbucket Data Center, EasySSO for Jira Data Center, EasySSO for Confluence Data Center).