CVE-2021-26077
📋 TL;DR
This vulnerability allows attackers to bypass authentication in Atlassian Connect Spring Boot apps by sending context JWTs to lifecycle endpoints that should only accept server-to-server JWTs. This permits authenticated re-installation events, potentially compromising app integrity. Affected are applications using Atlassian Connect Spring Boot versions 1.1.0 through 2.1.2 and version 2.1.4.
💻 Affected Systems
- Atlassian Connect Spring Boot (ACSB)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker could re-install malicious versions of Atlassian Connect apps, potentially gaining unauthorized access to Atlassian product data or executing arbitrary code within the app context.
Likely Case
Attackers could force re-installation of legitimate apps with modified configurations, leading to data exposure or privilege escalation within the Atlassian ecosystem.
If Mitigated
With proper network segmentation and monitoring, impact would be limited to the specific Atlassian Connect app instance, though app functionality could still be disrupted.
🎯 Exploit Status
Exploitation requires network access to the ACSB app and knowledge of JWT structure, but no special privileges.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.3 or 2.1.5
Vendor Advisory: https://confluence.atlassian.com/pages/viewpage.action?pageId=1063555147
Restart Required: Yes
Instructions:
1. Update the Atlassian Connect Spring Boot dependency to version 2.1.3 or 2.1.5 in your pom.xml or build.gradle.
2. Rebuild and redeploy your application.
3. Restart the application server.
🔧 Temporary Workarounds
Network Isolation
Restrict network access to Atlassian Connect Spring Boot apps to only trusted Atlassian product IPs.
JWT Validation Enhancement
Implement custom JWT validation to reject context JWTs on lifecycle endpoints.
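The following is an added illustration of that workaround, not code from Atlassian Connect Spring Boot. It verifies an HS256 Connect JWT against the shared secret and then distinguishes a context JWT (whose qsh claim is the fixed marker "context-qsh") from a server-to-server JWT (whose qsh is the SHA-256 of the canonical request, as in the Atlassian Connect JWT spec). On the lifecycle paths named on this page it refuses the context marker and insists on a matching computed qsh. The lifecycle path set, the shared secret and the claim contents are constructed assumptions; issuer, expiry and audience checks are left out for brevity and must be kept in a real filter.

```python
"""Reject context JWTs on Atlassian Connect lifecycle endpoints.

Added example, not ACSB project code. Assumes HS256 tokens and the
canonical-request/qsh construction from the Atlassian Connect JWT spec.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional
from urllib.parse import quote

# Lifecycle paths as named on this page; adjust to your descriptor (assumption).
LIFECYCLE_PATHS = {"/install", "/uninstall", "/enabled"}
# Fixed qsh value that marks a context JWT (issued for iframe/user context).
CONTEXT_QSH = "context-qsh"


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def canonical_qsh(method: str, path: str, query: Optional[dict] = None) -> str:
    """SHA-256 hex of METHOD&canonical-path&canonical-query (Connect spec)."""
    query = query or {}
    parts = []
    for key in sorted(query):
        if key == "jwt":                      # the token itself is never hashed
            continue
        values = query[key] if isinstance(query[key], list) else [query[key]]
        enc_values = ",".join(quote(str(v), safe="~") for v in sorted(values))
        parts.append(f"{quote(key, safe='~')}={enc_values}")
    canonical_path = path.rstrip("/") or "/"
    canonical = f"{method.upper()}&{canonical_path}&{'&'.join(parts)}"
    return hashlib.sha256(canonical.encode()).hexdigest()


def sign_hs256(claims: dict, secret: str) -> str:
    """Mint an HS256 JWT; used here only to build test tokens."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_lifecycle_jwt(token: str, secret: str, method: str, path: str,
                         query: Optional[dict] = None):
    """Return (accepted, reason).

    Signature is checked first. A context JWT is only acceptable on ordinary
    app endpoints; lifecycle endpoints must carry a qsh equal to the hash of
    the actual request, which a context JWT cannot supply.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return False, "malformed token"
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))
    qsh = claims.get("qsh")
    if qsh == CONTEXT_QSH:
        if path in LIFECYCLE_PATHS:
            return False, "context JWT rejected on lifecycle endpoint"
        return True, "context JWT accepted on app endpoint"
    if qsh != canonical_qsh(method, path, query):
        return False, "qsh mismatch"
    return True, "server-to-server JWT accepted"


if __name__ == "__main__":
    secret = "constructed-shared-secret"       # constructed, not a real secret
    ctx = sign_hs256({"iss": "jira:example", "qsh": CONTEXT_QSH}, secret)
    srv = sign_hs256({"iss": "jira:example", "qsh": canonical_qsh("POST", "/install")}, secret)
    print(verify_lifecycle_jwt(ctx, secret, "POST", "/install"))
    print(verify_lifecycle_jwt(srv, secret, "POST", "/install"))
```

In a Spring Boot app this logic belongs in a filter placed ahead of the library's own authentication for the lifecycle paths, keyed on the shared secret stored at first installation; the qsh comparison is what closes the gap, since a context JWT is signed with the same secret and passes signature verification on its own.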
🧯 If You Can't Patch
- Implement strict network access controls to limit which systems can communicate with ACSB lifecycle endpoints.
- Monitor application logs for unexpected re-installation events and implement alerting for suspicious JWT usage patterns.
🔍 How to Verify
Check if Vulnerable:
Check your project's dependency file (pom.xml or build.gradle) for the Atlassian Connect Spring Boot version. If the version is between 1.1.0 and 2.1.2 inclusive, or exactly 2.1.4, you are vulnerable.
Check Version:
For Maven: mvn dependency:tree | grep atlassian-connect-spring-boot. For Gradle: gradle dependencies | grep atlassian-connect-spring-boot.
Verify Fix Applied:
After updating, verify the dependency version shows 2.1.3 or 2.1.5 in your build configuration and that the application starts successfully.
📡 Detection & Monitoring
Log Indicators:
- Unexpected JWT validation failures on lifecycle endpoints
- Multiple installation events from same source in short timeframe
- Context JWT usage on endpoints expecting server-to-server JWTs
Network Indicators:
- HTTP POST requests to /install, /uninstall, or /enabled endpoints with context JWTs
- Unusual source IPs accessing lifecycle endpoints
SIEM Query:
source="app_logs" AND (message="*installation*" OR message="*uninstall*") AND NOT source_ip IN [trusted_atlassian_ips]
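As an added example (not part of the original advisory), the three log indicators above can be checked offline with a small scanner. It assumes a constructed log format in which the app records, per request, the timestamp, source IP, method, path and the qsh claim of the presented JWT; the sample lines, the trusted IP and the five-minute/three-event burst threshold are all constructed placeholders.

```python
"""Scan app logs for context JWTs and install bursts on lifecycle endpoints.

Added example, not ACSB code. Assumed (constructed) log line format:
<ISO-8601 timestamp> <source_ip> <method> <path> qsh=<claim>
"""
from collections import defaultdict
from datetime import datetime, timedelta

LIFECYCLE_PATHS = {"/install", "/uninstall", "/enabled"}
TRUSTED_IPS = {"203.0.113.10"}          # constructed stand-in for Atlassian egress IPs
CONTEXT_QSH = "context-qsh"

# Constructed sample log: one legitimate install, one context JWT on an app
# page (benign), then three context-JWT installs from an untrusted source.
SAMPLE_LOG = """\
2021-03-01T10:00:00Z 203.0.113.10 POST /install qsh=d41d8cd9
2021-03-01T10:00:05Z 203.0.113.10 GET /panel qsh=context-qsh
2021-03-01T10:01:00Z 198.51.100.7 POST /install qsh=context-qsh
2021-03-01T10:01:30Z 198.51.100.7 POST /install qsh=context-qsh
2021-03-01T10:02:00Z 198.51.100.7 POST /install qsh=context-qsh
"""


def parse_line(line: str) -> dict:
    ts, ip, method, path, qsh_field = line.split()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "ip": ip,
        "method": method,
        "path": path,
        "qsh": qsh_field.split("=", 1)[1],
    }


def analyze(lines, window=timedelta(minutes=5), burst=3):
    """Return a list of (alert_kind, source_ip, detail) tuples.

    Alerts raised: a context JWT on a lifecycle endpoint, a lifecycle
    request from a non-trusted source, and `burst` or more /install events
    from one source inside `window`.
    """
    alerts = []
    installs = defaultdict(list)           # source_ip -> recent install timestamps
    for raw in lines:
        if not raw.strip():
            continue
        e = parse_line(raw)
        if e["path"] not in LIFECYCLE_PATHS:
            continue                       # context JWTs are normal on app pages
        if e["qsh"] == CONTEXT_QSH:
            alerts.append(("context_jwt_on_lifecycle", e["ip"], e["path"]))
        if e["ip"] not in TRUSTED_IPS:
            alerts.append(("untrusted_source", e["ip"], e["path"]))
        if e["path"] == "/install":
            recent = installs[e["ip"]]
            recent.append(e["ts"])
            while recent and e["ts"] - recent[0] > window:
                recent.pop(0)              # slide the window forward
            if len(recent) >= burst:
                alerts.append(("install_burst", e["ip"], len(recent)))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(alert)
```

The same three conditions map onto the SIEM query above: the untrusted-source test is the `NOT source_ip IN [...]` clause, while the context-qsh and burst conditions need the qsh claim and a time window that the query as written does not carry.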
🔗 References
- https://community.developer.atlassian.com/t/action-required-atlassian-connect-vulnerability-allows-bypass-of-app-qsh-verification-via-context-jwts/47072
- https://confluence.atlassian.com/pages/viewpage.action?pageId=1063555147