Key Information

Vulnerability Name: Secure Login security advisory - Insecure default configuration
Release Date: 2024-09-16
Severity: Medium
Affected Versions:
- Secure Login (2FA) - Jira <= 3.1.4.5
- Secure Login (2FA) - Confluence <= 3.1.4.5
- Secure Login (2FA) - Bitbucket <= 3.1.4.5
Fixed Version: To be announced

Vulnerability Description

Vulnerability Details

1. Insecure default TOTP configuration
- In the default configuration, the Time Window Size is set to 30, which means that the last 30 and the next 30 tokens are accepted. With the default time step of 30 seconds, a token generated 15 minutes ago can still be used. Combined with brute-force detection being inactive in the default configuration, this could enable brute-force attacks against the second factor.
- According to internal security advisory calculations, the CVSS score for this vulnerability is 3.1, indicating medium severity.

2. Insecure default whitelist
- In the default configuration, the URL endpoints and are allowed. By default, REST services rely only on username and password authentication. Allowing these endpoints ensures that other systems can still communicate with your Atlassian instance, as there is no reliable way to include 2FA in machine-to-machine communication.
- Customers must be aware that as long as these two endpoints are allowed, sensitive information can be accessed via REST, and attachments can be retrieved, using only a username and password. These endpoints are not protected by MFA in the default configuration.
- According to internal security advisory calculations, the CVSS score for this vulnerability is 5.1, indicating medium severity.

Solution

Based on the CIS Critical Security Controls definition, insecure or suboptimal default configurations represent security vulnerabilities. We are currently evaluating possible remediation options.
Either the next version of Secure Login will provide a customized, stricter default configuration, or we will remove the default configuration entirely and leave it to customers to define their own. We will notify you via patch notes. Please note: we will not automatically adjust existing customer configurations.

Actions Required

Ensuring that your configuration is secure is your responsibility as a customer. The application can only protect your system to the extent permitted by your configuration and the underlying system. Additionally, MFA is not a substitute for other security measures such as intrusion detection.

Support

If you have any questions or concerns regarding this advisory, please submit a support request via our service desk.

Additional Information

Publisher: Alexander Küken
Last Updated: 2024-09-17
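The following is an added illustration of the Time Window Size issue described under Vulnerability Details; it is not code from the advisory or from the Secure Login product. It implements standard RFC 6238 TOTP verification with a configurable acceptance window so that a reviewer can see how many tokens, and how old a token, a window of 30 accepts compared with a window of 1. The secret and timestamp are constructed sample values.

```python
import hashlib
import hmac
import struct

TIME_STEP = 30  # seconds per TOTP step (RFC 6238 default; the advisory's default time step)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, at: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP for the given Unix time (seconds)."""
    return hotp(secret, at // step)


def verify(secret: bytes, code: str, now: int, window: int, step: int = TIME_STEP) -> bool:
    """Accept `code` if it matches any step from now-window to now+window.

    `window` mirrors the advisory's Time Window Size: 30 means the last 30 and the
    next 30 tokens are accepted, so the oldest accepted token is window*step seconds old.
    """
    current = now // step
    return any(
        hmac.compare_digest(hotp(secret, current + d), code)
        for d in range(-window, window + 1)
    )


def accepted_token_count(window: int) -> int:
    """Number of distinct time steps whose tokens verify() accepts (2*window + 1)."""
    return 2 * window + 1


def max_token_age_seconds(window: int, step: int = TIME_STEP) -> int:
    """Age in seconds of the oldest token verify() still accepts."""
    return window * step


if __name__ == "__main__":
    # Constructed sample secret and timestamp, not values from any real deployment.
    secret = b"constructed-demo-secret"
    now = 1_700_000_000
    stale = totp(secret, now - 15 * 60)  # token generated 15 minutes ago
    print("window=30 accepts 15-minute-old token:", verify(secret, stale, now, window=30))
    print("window=1  accepts 15-minute-old token:", verify(secret, stale, now, window=1))
    print("tokens accepted at window=30:", accepted_token_count(30))
```

Reducing Time Window Size to 1 (or the smallest value clock skew in your environment permits) shrinks the accepted set from 61 tokens to 3 and the oldest accepted token from 15 minutes to 30 seconds.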