
Atlassian vulnerability information accidentally published on Twitter

The SwiftOnSecurity Twitter page accidentally published information about a previously unknown vulnerability in an Atlassian product. The same flaw may also be present in IBM's Aspera software.

It is reported that, so that the Atlassian Companion application can edit files in a chosen local application and save them back to the Confluence Cloud service, a domain is pointed at the local server and the application carries a plain SSL certificate for that domain, issued for Confluence.

Confluence connects to its companion application through a browser using the domain https://atlassian-domain-for-localhost-connections-only.com.


The problem is that anyone with sufficient knowledge can copy the SSL private key and use it to perform a “man in the middle” attack, redirecting the application's traffic to a malicious site.

According to Google’s security engineer Tavis Ormandy, any application user can be targeted.

“You can just take the key, and nothing will stop you from providing rights on this domain to anything else besides localhost. Therefore, there is no guarantee that you are connecting to a trusted local and not a malicious service”, – Ormandy explained.

In the Twitter discussion, Tim Stone, a moderator for StackApps, observed that IBM’s Aspera plugin client uses a similar server scheme, local.connectme.us, for client-server communication.


“That has the potential to be even worse. There’s a pre-generated CA certificate and a private key, if they add that to the system store, they’re effectively disabling SSL. I would consider that *critical*”, — wrote Tim Stone.

The vulnerability received the identifier CVE-2019-15006.
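The two failure modes discussed above (a "localhost-only" domain whose traffic can be redirected off the machine, and a pre-generated CA with a distributed private key sitting in the trust store) can both be checked from the defender's side. The script below is an added example written for this article; it is not code from Atlassian, IBM or the people quoted. The two hostnames come from the article; the CA common name `PLACEHOLDER-ASPERA-CONNECT-CA` is an assumed placeholder, since the article does not give the real subject of the Aspera certificate, and the trust-store entries used in testing are constructed samples.

```python
"""Defender-side checks for the 'shipped key for a localhost domain' pattern.

1. A hostname the vendor says only ever reaches the local machine should
   resolve exclusively to loopback addresses; anything else means traffic
   for that name can leave the host.
2. The trust store should not contain a CA whose private key is shipped
   with client software; such a root must be treated as compromised.

Added example, not vendor code. Hostnames are from the article; the CA
common name below is an assumed placeholder, not a real subject.
"""
import ipaddress
import socket
import ssl

# Domains the article names as "localhost-only" endpoints.
LOCALHOST_ONLY_DOMAINS = [
    "atlassian-domain-for-localhost-connections-only.com",
    "local.connectme.us",
]

# Subject CNs that must never appear as a trusted root. The Aspera CA's
# real CN is not given in the article; this value is a placeholder.
SUSPECT_ROOT_CNS = {"local.connectme.us", "PLACEHOLDER-ASPERA-CONNECT-CA"}


def resolves_only_to_loopback(addresses):
    """True if every address is loopback (127.0.0.0/8 or ::1).

    An empty list is not treated as safe: at least one address is required."""
    if not addresses:
        return False
    return all(ipaddress.ip_address(a).is_loopback for a in addresses)


def lookup(hostname):
    """Resolve a hostname to its address strings (live DNS; not used in tests)."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def _subject_cn(cert):
    """Extract the CN from the 'subject' field ssl.get_ca_certs() returns:
    a tuple of RDNs, each a tuple of (attribute, value) pairs."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def suspect_roots(ca_certs, suspect_cns=SUSPECT_ROOT_CNS):
    """Return the CNs of trusted roots whose subject matches a suspect name."""
    return [cn for cn in map(_subject_cn, ca_certs) if cn in suspect_cns]


def audit(domains, resolver=lookup, ca_certs=None):
    """Run both checks and return a list of (severity, message) findings."""
    findings = []
    for domain in domains:
        try:
            addrs = resolver(domain)
        except OSError as exc:  # socket.gaierror is a subclass of OSError
            findings.append(("info", f"{domain}: lookup failed ({exc})"))
            continue
        if not resolves_only_to_loopback(addrs):
            findings.append(("high", f"{domain} resolves off-host: {addrs}"))
    if ca_certs is None:
        # Live check against the default trust store of this Python build.
        ca_certs = ssl.create_default_context().get_ca_certs()
    for cn in suspect_roots(ca_certs):
        findings.append(("critical", f"trusted root with distributed key: {cn}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(LOCALHOST_ONLY_DOMAINS):
        print(f"[{severity}] {message}")
```

Run as a script it performs the live lookups and inspects the interpreter's default trust store; `audit` takes a `resolver` and a `ca_certs` list so the logic can also be exercised offline against captured data. A finding of `high` means the name can be answered by a host other than loopback, which is exactly the redirection the shipped key makes undetectable to the client; `critical` mirrors Tim Stone's assessment of a distributed CA key in the system store.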

Work on the bugs:

SwiftOnSecurity notified Atlassian of the problem, and the manufacturer is currently working on fixing it. After the story was filed, an IBM spokesperson responded by noting that the tech giant had issued a security bulletin for a denial-of-service vulnerability affecting Aspera Connect 3.7 and 3.8 back in June.

“We left the local.connectme.us in for backward compatibility while customers continue to upgrade their environments”, – the spokesperson explained.

The certificate for local.connectme.us has also been revoked.

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months later I got a virus on this PC. After graduating from school, I decided to enter the INSA Centre Val de Loire university. This French educational institution was offering a brand-new cybersecurity course. After getting a master's degree in cybersecurity, I started working as a virus analyst at a small anti-malware vendor. In 2018, I decided to start the Virus Removal project. The main goal of this site is to help people deal with PC viruses of any kind.
