Security News
Atlassian is prompting its enterprise customers to patch a critical vulnerability in many versions of its Jira Data Center and Jira Service Management Data Center products. The vulnerability, tracked as CVE-2020-36239, can give remote attackers arbitrary code execution because of a missing authentication check in Jira's implementation of Ehcache, an open-source Java caching component.
Researchers at cybersecurity firm Check Point discovered several vulnerabilities that could have been chained to take over Atlassian accounts or access a company's Bitbucket-hosted source code. The software development and collaboration tools made by Australia-based Atlassian are used by more than 150,000 organizations worldwide, which can make the company's products a tempting target for malicious actors.
Cybersecurity researchers on Wednesday disclosed critical flaws in the Atlassian project and software development platform that could be exploited to take over an account and control some of the apps connected through its single sign-on capability. "With just one click, an attacker could have used the flaws to get access to Atlassian's public Jira system and get sensitive information, such as security issues on Atlassian cloud, Bitbucket and on premise products," Check Point Research said in an analysis shared with The Hacker News.
On Thursday, Check Point Research published a report outlining how an attacker could have exploited the bugs to access Atlassian's Jira: a proprietary bug-tracking and agile project management tool. CPR researchers said that with just one click, an attacker could have siphoned sensitive information out of Jira, such as "Security issues on Atlassian cloud, Bitbucket and on-premise products."
Split announced a new integration with Jira Software in support of Open DevOps, an open toolchain allowing software development teams to use Atlassian products with third-party tools as a seamless, all-in-one solution. The integration unites Split's feature flagging capabilities with Jira project planning, giving engineering and product teams greater visibility, enhancing coordination when tracking release progress, and enabling greater efficiencies from flag creation to rollout to code cleanup.
Volatile Cedar, an advanced hacker group believed to be connected to the Lebanese Hezbollah Cyber Unit, has been silently attacking companies around the world in espionage operations. The group uses common web shell utilities as its main hacking tool and rarely relies on other tooling, which has hindered attribution.
To help create a better experience for these users, Alpha Serve has developed WebAuthn add-ons to bring passwordless authentication to various Atlassian products. WebAuthn is the browser-facing half of FIDO2, the set of specifications (WebAuthn plus the CTAP authenticator protocol) that permits passwordless authentication among web browsers, servers, and authenticators.
As a result of this collaboration, Atlassian customers can now leverage the power of McAfee MVISION Cloud to apply their security policies to their use of Atlassian services. The need for solutions designed to secure the cloud is further validated by a recent McAfee report that found the average enterprise organization uses 1,400 different cloud services.
Inti De Ceukelaire of bug-bounty platform Intigriti claimed earlier this month hundreds of corporate service portals have been exposed to the internet, a 12 per cent increase since he scanned the internet for them last summer - an increase the COVID-19 crisis may have contributed to. As a proof of concept, De Ceukelaire targeted a set of corporate Atlassian service desk portals he found facing the internet.
Exposed private cert key may also be an issue for IBM Aspera
Twitter security celeb SwiftOnSecurity on Tuesday inadvertently disclosed a zero-day vulnerability affecting enterprise software biz...