In this week’s security digest, we’ll cover a critical Jira Security Advisory and other high-severity vulnerabilities in Java and Kubernetes’ ingress-nginx module.
JIRA Server and Data Center Authentication Bypass
According to a security advisory released by Atlassian on April 20, some earlier versions of JIRA Server and Data Center are affected by an authentication bypass vulnerability. It could let a remote, unauthenticated attacker bypass the authentication and authorization requirements of WebWork actions when an affected configuration is in use. Atlassian rated the vulnerability critical; note that only specific configurations make an environment vulnerable.
Read the advisory for details on the affected third-party and Atlassian applications. Because the vulnerability is critical, Atlassian recommends that users remediate it by upgrading to a patched version of Jira.
Vulnerable versions include:
Atlassian Jira Server and Data Center: versions before 8.13.18, 8.14.0 to 8.20.6, and 8.21.0 to 8.22.0
Atlassian Jira Service Management Server and Data Center: versions before 4.13.18, 4.14.0 to 4.20.6, and 4.21.0 to 4.22.0
Fixed versions are 8.13.18, 8.20.6 and 8.22.0 for Jira Server and Data Center, and 4.13.18, 4.20.6 and 4.22.0 for Jira Service Management Server and Data Center.
Psychic Signatures in Java
The Elliptic Curve Digital Signature Algorithm (ECDSA) is a digital signature scheme built on elliptic curve cryptography, and it is notoriously difficult to implement correctly.
CVE-2022-21449 was assigned to a vulnerability in the way Java handles ECDSA signatures. The elliptic curve portion of the codebase was rewritten in Java 15, and the rewrite introduced a bug that skipped certain checks during signature verification.
If you use ECDSA to sign JSON Web Tokens (JWTs) or other authentication messages, this bug could allow an attacker to forge signatures, including those on SSL certificates and handshakes, and authenticate to the server. Oracle recommends that users update their Java installations to the latest version. Java versions from 15 onward are affected, and Oracle's April 2022 Critical Patch Update fixes the vulnerability.
According to the National Vulnerability Database, successful exploitation can result in unauthorized creation, deletion or modification access to critical data, or to all data accessible to Oracle Java SE and Oracle GraalVM Enterprise Edition.
In Java 15 the elliptic curve cryptography code, originally written in C++, was rewritten in Java. The rewrite left authentication mechanisms that rely on ECDSA signatures open to accepting forged messages.
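To show what the skipped checks protect against, here is an added example (not code from the page, Oracle or OpenJDK): a textbook ECDSA verifier over P-256 in plain Python with the range check on r and s that a correct implementation must perform, plus a range_check=False switch that mirrors the omission so the verification equation can be seen degenerating. The sign helper, the fixed nonce and the key used in the test are constructed for reproducibility, and the curve arithmetic is plain affine code, not constant-time.

```python
import hashlib
# NIST P-256 domain parameters (public standard values).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def point_add(p, q):
    """Affine point addition on P-256; None stands for the point at infinity."""
    if p is None or q is None:
        return p or q
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def point_mul(k, p):
    acc = None                        # double-and-add; k == 0 yields the point at infinity
    while k:
        if k & 1:
            acc = point_add(acc, p)
        p, k = point_add(p, p), k >> 1
    return acc

def hash_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def sign(priv, msg, k):
    """ECDSA sign with a caller-supplied nonce k (fixed in the test only for reproducibility)."""
    r = point_mul(k, G)[0] % N
    return (r, pow(k, -1, N) * (hash_int(msg) + r * priv) % N)

def verify(pub, msg, sig, range_check=True):
    """ECDSA verify; range_check=False reproduces the omission behind CVE-2022-21449."""
    r, s = sig
    if range_check and not (0 < r < N and 0 < s < N):
        return False                  # the check the Java 15 rewrite skipped
    w = pow(s, N - 2, N)              # Fermat inverse: right for s != 0, silently 0 for s == 0
    u1, u2 = hash_int(msg) * w % N, r * w % N
    R = point_add(point_mul(u1, G), point_mul(u2, pub))
    if R is None:
        # r = s = 0 zeroes both scalars, so R is infinity; code that maps infinity to x = 0 then sees x == r
        return (not range_check) and r == 0
    return R[0] % N == r
```

The test below signs a constructed message with a constructed key and checks that the all-zero signature is rejected only when the range check is present.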
OpenJDK has published a vulnerability advisory for CVE-2022-21449.
Credits: Neil Madden
Kubernetes Ingress-Nginx Vulnerability
Kubernetes offers users the ingress-nginx module as a load-balancer and reverse proxy.
CVE-2021-25746 is assigned to a vulnerability that allows a user that can create or update ingress objects to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.
A successful exploit by a malicious user could give them access to every secret in the Kubernetes environment. This high-severity vulnerability only affects Kubernetes users running ingress-nginx versions earlier than 1.2.0 in the default configuration; per the security advisory, if you do not use the ingress-nginx controller you are not affected. The fix shipped in the v1.2.0-beta.0 and 1.2.0 releases.
Per the advisory, if you cannot roll out the fix, the vulnerability can also be mitigated with an admission policy that restricts metadata.annotations values to known safe values (see the newly added rules, or the suggested value for annotation-value-word-blocklist).