Skip to main content

3 min read

Trojan Codes in Atlassian Products and ScriptRunner

Jamie Echlin
3 November 2021 Atlassian
Crossed-out Robot

Recently Atlassian has released new product versions tackling CVE-2021-42574. There is some confusion about this so we're going to attempt to throw some more light on it.

What's this about?

This relates to the fact that in unpatched Atlassian products, displayed code could be different from the code that is actually interpreted or executed, if special Unicode bidirectional characters are used inside the code block.

For clarity, there is not a general problem where entering malicious characters in any text input causes a problem.

A sample scenario

Let's talk through a scenario where this vulnerability gets exploited, in Bitbucket Server.

A pull request is received, containing code something like:

Code snippet

Analysing this code, you would say that the log.debug line would not execute, as it's inside an if (false) block.

However, sneaky control characters have been inserted which reverse some of the text when displayed in Bitbucket (and other code review tools and editors). When this code is executed, the if(isAdmin) part is actually inside the comment, because compilers do not treat these control characters in the same way.

So you may merge this, possibly giving the attacker a backdoor (or a front door) into your system.

How concerned about this should I be?

Obviously the risk factors vary according to circumstances, but if you accept code contributions from the wider internet you are more vulnerable to this, than if you only allow pull requests from authenticated or internal users, for instance.

Also bear in mind that attackers can always attempt to persuade you to merge bad code through obfuscating it, or introducing very subtle problems. See this example for a case in point.

Therefore, the less you trust the source of the code you are deploying, the more you should question, test and analyse it.

How was this fixed?

In the patched Bitbucket version similar code is displayed as:

Code snippet to illustrate bitbucket issues

You may not understand that these particular characters represent instructions to reverse the order of the text. You should only see these characters in contexts like displaying two different languages in the same string, where one is right-to-left (e.g. Arabic), and another is left-to-right (e.g. English). Any other time you see them should arouse suspicion.

If in doubt, ask.

How are Jira and Confluence vulnerable?

The vulnerability is rated as High severity for Jira and Confluence.

This is for situations where malicious code may be added to a Confluence page or Jira ticket, using the code macro. The victim then copies and pastes the code to their source tree, builds it and deploys to production.

It's important to note that copying and pasting will also copy the control characters. When you paste it, you will not see that the control characters are present if your editor does not support it. VSCode may not display them, whilst Intellij Idea and vim do.

Beyond this, there will likely be clues that something fishy is going on. For instance, the syntax highlighting does not tally with the actual code, and the cursor will jump about inside the text as you move through it.

Is ScriptRunner vulnerable?

Yes, in the same way that the Atlassian products are. In any ScriptRunner editor, the untrusted code will show as follows:

Illustration of faulty code.

We will fix it in the same way as Atlassian, which will arrive in upcoming release 6.39.0.

Illustration of code fix

We believe that copying code from an untrusted source is the main source of risk for ScriptRunner users.

The places you may be likely to copy ScriptRunner code from are:

Adaptavist Script Library: Examples here have all been reviewed by several developers at Adaptavist, and most have integration tests. To help further protect and reassure our customers, we are working on adding similar highlighting to the site.

Atlassian Community: This website is vulnerable to the problem since users can share code snippets in which hidden control chars are not shown. We are communicating with Atlassian about this.

Until you upgrade, in order to keep yourself secure, the situation is the same as for this whole class of exploit: if you do not fully trust the source of the code you are pasting, question it, test it, and paste it into an editor that shows the hidden characters!