SECURITY ADVISORY - please update to atlassian-connect-express 1.0.9

[James Hazelwood]

The following advisory was emailed two weeks ago to vendors of public add-ons using atlassian-connect-express. Please accept our apologies if this applies to you and you didn't get the email.

Dear Atlassian Connect vendor,

We've found a vulnerability in the atlassian-connect-express framework, affecting all add-ons based on this framework. It lets an attacker overwrite the shared secret for an existing installation by crafting a malicious install callback. This will break the add-on on the targeted host product. It will also enable the attacker to sign JSON Web Tokens (JWTs) with the new secret to authenticate with the add-on service and access protected data for that installation.

Fixing the vulnerability:

Please update to the latest version of atlassian-connect-express as soon as possible (the fix is in version 1.0.9). You can test that the update has worked using the attached python script (there are two versions, one for Python 2.7 and one for Python 3.5). The script attempts the shared secret overwrite against a specially-prepared test host, so will not affect your customers. To make sure you get the right result, please run the script once for the initial installation (and ignore the result), then run it a second time to test the re-install case.

We're really sorry for any risk or inconvenience caused. Thanks again for developing with Atlassian Connect, and please let us know if you have any questions.

Regards,

The Atlassian Connect Team