Securing Atlassian & Jenkins Deployment
Bhushan Hinduja November 19, 2021 Uncategorized
Atlassian & Jenkins
Atlassian is a globally popular provider of software development and collaboration tools. Jenkins, an open source automation server, has more than 200,000 deployments. Both are being actively attacked because of the recently disclosed vulnerabilities CVE-2021-26084 and CVE-2021-39124 in Atlassian products, and because the two are used in conjunction at many organisations. These security issues pose a serious threat of snowballing into another supply chain attack in 2021 or 2022.
Attacks on Atlassian
Check Point Research (CPR) discovered many flaws in Atlassian’s Jira that would allow an attacker to take over a user’s account with a single click. These security flaws would allow an attacker to perform cross-site scripting (XSS), CSRF or session fixation attacks, gain access to user accounts and acquire confidential information. CPR also found that once a Jira account was taken over, it was possible to take over the linked Bitbucket account as well. Atlassian’s Bitbucket, which is used by millions, was therefore also exposed to this threat: an attacker could have gained access to an organisation's Bitbucket repositories, with potentially severe consequences.
Attacks on Jenkins
Jenkins recently discovered a successful attack against its own Atlassian Confluence service that used CVE-2021-26084. Confluence integrates with Jenkins’ integrated identity system, which also powers Jira, Artifactory, and numerous other services. The project had to take the affected server offline and reset all the passwords.
Passwords at Risk Are a Risk for Businesses
Patching for CVE-2021-26084 and CVE-2021-39124 should fix the problem, but it is assumed that, given the mass exploitation, many organisations’ passwords have already been compromised. Patching the servers solves only half of the problem. The other half, which will have a massive impact on a large number of people, is resetting the credentials.
The post-incident panic and downtime, and the cost and support needed to reset passwords, can be avoided by going passwordless. This also goes a long way towards stopping such vulnerabilities from triggering supply chain attacks.
Making Atlassian & Jenkins Passwordless
PureAuth provides a passwordless way to authenticate, which eliminates the risk of these attacks compared to an authentication method that relies on passwords. The video below demonstrates passwordless authentication to Atlassian using PureAuth.