Securing Atlassian & Jenkins Deployment

Bhushan Hinduja, November 19, 2021

Atlassian & Jenkins

Atlassian is a widely used provider of software development and collaboration tools, and Jenkins, an open source automation server, has more than 200,000 deployments. Both are under active attack following the recently disclosed vulnerabilities CVE-2021-26084 and CVE-2021-39124 in Atlassian products, and because the two are deployed together at many organisations, an attack on one often reaches the other. These issues pose a serious risk of snowballing into the next supply chain attack.

Attacks on Atlassian

Check Point Research (CPR) found several flaws in Atlassian’s Jira that would let an attacker take over a user’s account with a single click. The flaws enabled cross-site scripting (XSS), cross-site request forgery (CSRF) and session fixation attacks, giving the attacker access to user accounts and the confidential information in them. CPR also found that once a Jira account had been taken over, the victim’s Bitbucket account could be taken over as well. Bitbucket, which is used by millions, was therefore exposed too: an attacker could have gained access to an organisation’s source repositories, with obvious consequences for the integrity of its code.

Attacks on Jenkins

The Jenkins project recently disclosed a successful attack on its own Atlassian Confluence server via CVE-2021-26084. That Confluence instance was connected to Jenkins’ integrated identity system, which also backs the project’s Jira, Artifactory and numerous other services, so a foothold on one service put every account in that system at risk. The project took the affected server offline and reset all passwords.

Passwords at Risk Are a Risk for Businesses

Patching for CVE-2021-26084 and CVE-2021-39124 closes the holes, but given the scale of exploitation it must be assumed that many organisations’ passwords have already been compromised. Patching the servers therefore solves only half the problem. The other half, and the one with the wider impact, is resetting every credential the attacker may have captured: a patched server does nothing to revoke passwords that were stolen before the patch was applied.
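Deciding whether the second half applies to you starts with checking whether your Confluence instance was hit before the patch landed. The script below is an added triage example, not code from the original post or from Atlassian: it scans access-log lines for signs of CVE-2021-26084 OGNL injection so that the affected time window and source IPs can drive the credential reset. It assumes Combined Log Format as written by Tomcat's access log valve, and the endpoint list follows the publicly reported exploitation paths; both are assumptions to verify against your own deployment and Atlassian's advisory. The log lines embedded in the script are constructed for illustration.

```python
"""Triage helper (added example): flag Confluence access-log lines that carry
indicators of CVE-2021-26084 OGNL injection.

Assumptions (not from the original post): Combined Log Format as written by
Tomcat's AccessLogValve, and the endpoint list below, which follows publicly
reported exploitation paths. Verify both against Atlassian's advisory.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote_plus

# Endpoints publicly reported as reachable for the queryString OGNL injection
# (assumption: confirm against the advisory for your Confluence version).
SUSPECT_PATHS = (
    "/pages/createpage-entervariables.action",
    "/pages/doenterpagevariables.action",
    "/pages/createpage.action",
)

# OGNL / Java expression fragments that legitimate Confluence requests never carry.
OGNL_MARKERS = ("${", "#{", "@java.", "class.forname", ".getruntime(", "#application")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)
UNICODE_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")


@dataclass
class Finding:
    ip: str
    ts: str
    method: str
    path: str
    reason: str


def decode_uri(uri: str) -> str:
    """Undo percent-encoding twice (double-encoded payloads) and Java-style
    \\uXXXX escapes, which exploit kits use to hide the OGNL quote characters."""
    s = uri
    for _ in range(2):
        s = unquote_plus(s)
    return UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), s)


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious line, or None for a benign/unparseable one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m["uri"].split("?", 1)[0]
    # endswith() tolerates a context path such as /confluence/pages/...
    if not any(path.endswith(p) for p in SUSPECT_PATHS):
        return None
    decoded = decode_uri(m["uri"]).lower()
    hit = next((mk for mk in OGNL_MARKERS if mk in decoded), None)
    if hit:
        return Finding(m["ip"], m["ts"], m["method"], path,
                       f"OGNL marker {hit!r} in request URI")
    if m["method"] == "POST":
        # The queryString parameter travels in the body, which access logs do not
        # record, so POSTs to injectable endpoints are review items, not proof.
        return Finding(m["ip"], m["ts"], m["method"], path,
                       "POST to injectable endpoint; body not logged, check application logs")
    return None


def scan(lines) -> List[Finding]:
    return [f for f in (classify(l) for l in lines) if f is not None]


# Constructed sample: one GET carrying an encoded OGNL payload, one blind POST to an
# injectable endpoint, and two legitimate requests from a logged-in user.
SAMPLE_LOG = """\
198.51.100.23 - - [01/Sep/2021:03:14:07 +0000] "GET /pages/createpage-entervariables.action?SpaceKey=x&queryString=%5Cu0027%2B%7BClass.forName%28%5Cu0027javax.script.ScriptEngineManager%5Cu0027%29%7D%2B%5Cu0027 HTTP/1.1" 302 0 "-" "python-requests/2.26.0"
198.51.100.23 - - [01/Sep/2021:03:14:09 +0000] "POST /confluence/pages/doenterpagevariables.action HTTP/1.1" 200 1204 "-" "python-requests/2.26.0"
192.0.2.10 - alice [01/Sep/2021:08:02:41 +0000] "GET /pages/viewpage.action?pageId=65540 HTTP/1.1" 200 48211 "https://wiki.example.test/" "Mozilla/5.0"
192.0.2.10 - alice [01/Sep/2021:08:03:12 +0000] "GET /pages/createpage.action?spaceKey=ENG&fromPageId=65540 HTTP/1.1" 200 22014 "https://wiki.example.test/" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.ip} {f.method} {f.path}: {f.reason}")
```

The earliest confirmed hit gives the start of the window in which every password and session token on the box, and in any identity system it was federated with, must be treated as exposed; the POST-only findings need corroboration from the application log because the injected parameter never reaches the access log. The legitimate createpage.action request in the sample produces no finding, which is the false-positive check a practitioner would want before running this over months of logs.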

The post-incident panic and downtime, and the cost and support effort of resetting passwords, can be avoided by going passwordless. Doing so also goes a long way towards stopping vulnerabilities like these from turning into supply chain attacks, because there are no stolen passwords to reuse against the next system.

Making Atlassian & Jenkins Passwordless

PureAuth provides passwordless authentication, which removes the attack surface that password-based authentication carries: credential theft, password reuse across systems and the mass resets that follow a breach. The video below demonstrates passwordless authentication to Atlassian using PureAuth.
