The good thing about the fact that Atlassian offers both on-prem and cloud versions of their offerings is that everyone is now aware of the awful engineering practices that underpin their products. We have to assume that there are problems of a similar nature in their cloud service, which is <i>way</i> more of a problem considering the number of orgs that depend on the JIRA SaaS offering.<p>Maybe the founders could have used some of that time spent planning a tunnel between their side-by-side $100M houses, or engaged in Twitter rants, to actually bother delivering value to customers. It’s only a matter of time before this product suite is disrupted, and it might represent one of the most obvious low-hanging opportunities in our entire industry.<p>I still remember being in line at a WWDC a few years back, overhearing someone ask a developer, “where do you work?” When the developer responded with “HipChat,” the other person immediately chuckled and said, “oh — <i>Atlassian</i>... I’m sorry” — and then everyone around them also started laughing. It’s amazing that this company continues to fall up, and that the founders have taken on roles as the ruling digital gurus of Australia (shows you why it’s so easy for the government to run circles around the local tech industry and pass whatever laws they want).
Twitter link to a case of the vulnerability being exploited: <a href="https://twitter.com/th3_protoCOL/status/1433414685299142660" rel="nofollow">https://twitter.com/th3_protoCOL/status/1433414685299142660</a><p>NIST Link to issue: <a href="https://nvd.nist.gov/vuln/detail/CVE-2021-26084" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2021-26084</a><p>Tweet from USCYBERCOM urging users to patch: <a href="https://twitter.com/CNMF_CyberAlert/status/1433787671785185283" rel="nofollow">https://twitter.com/CNMF_CyberAlert/status/14337876717851852...</a><p>Tweet from BadPackets showing where the bad actors are originating from: <a href="https://twitter.com/bad_packets/status/1433157632370511873" rel="nofollow">https://twitter.com/bad_packets/status/1433157632370511873</a>
Atlassian was so kind as to update their mailing lists somewhere over the last year or so. Previously, they would email the 'technical contact' of the license about any vulnerabilities. They quietly switched to some other notification system and never informed us about it. Hence we missed the update and got a free Bitcoin miner. Thanks Atlassian, I'll make sure to get your products out of the door as soon as possible.<p>[edit] Oh, it's even better. Their site says 'Note: if you are a tech administrator, you will always receive these notifications.' but they never mailed us. Great job, Atlassian, great job.
> The vulnerability only affects on-premise servers, not those hosted in the cloud.<p>This is a dangerous statement to make and should be revised to say:<p>> The vulnerability only affects standalone versions of the software, not the managed service of Confluence provided directly by Atlassian.<p>The problem with the former is that less technical people, especially directors, might assume they're fine because their standalone instances are hosted on GCP/AWS/Azure, which counts to them as "cloud".
A colleague who runs security at an ASX 200 company found crypto mining running within a day of the vulnerability being announced. They've since patched and cleaned up the hosts they run Data Center on. Patch quickly, and check for the IoCs listed in Daniaal's tweet below.
Admittedly low-value comment: Can we appreciate the amazing vulnerability name? Confluenza.<p><a href="https://censys.io/blog/cve-2021-26084-confluenza/" rel="nofollow">https://censys.io/blog/cve-2021-26084-confluenza/</a>
> An OGNL injection vulnerability exists that would allow an authenticated user, and in some instances unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.<p>For God's sake, can we all agree to stop using OGNL at this point? At my previous job I kept having to fix OGNL vulnerabilities on our stack; it was awful.<p>Don't remember the Apple developer portal hack? OGNL<p>What about Equifax? OGNL<p>This thing is so freakishly insecure it's crazy.
My employer was bitten by this on Wednesday. Thankfully we had Crowdstrike on it, which blocked any real damage. But it definitely moved our cloud migration from “later this year” to “later this month”.<p>Also, not having Confluence for a day exposed just how reliant we were on it for day-to-day activities.
I am not in the least bit shocked.<p>Atlassian products are some of the worst glued-together garbage in the industry. The entire product surface area is probably rife with exploits.<p>Using Confluence or Jira will show you just how much Atlassian cares about its own products.<p>I'd love for this to be the straw that breaks the camel's back and makes IT/infosec orgs move away from this bilge.
The linked proof-of-concept [1] demonstrates bypassing the OGNL blacklist by using this to do reflection:<p>> ""["class"].forName(...)<p>as opposed to:<p>> "".getClass().forName(...)<p>Does anyone know why this works in OGNL? It does not appear to be valid Java syntax.<p>[1] <a href="https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md" rel="nofollow">https://github.com/httpvoid/writeups/blob/main/Confluence-RC...</a><p>Edit: Oh apparently, it's just a feature of OGNL: <a href="https://commons.apache.org/proper/commons-ognl/language-guide.html" rel="nofollow">https://commons.apache.org/proper/commons-ognl/language-guid...</a>
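The detection side of the point above, as an added example that is not from the thread or the linked writeup: a filter that only blacklists the method form `getClass` misses the OGNL indexed-property form `["class"]`, so a request check has to recognise both. The sample query strings are constructed, and the parameter name and `.forName("x")` placeholder are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Both the method form ("".getClass()) and the OGNL indexed-property form
# (""["class"]) reach java.lang.Class, so a check needs both spellings.
OGNL_REFLECTION_PATTERNS = [
    re.compile(r'\.getClass\s*\(', re.I),              # "".getClass()
    re.compile(r'\[\s*[\'"]class[\'"]\s*\]', re.I),     # ""["class"]  (OGNL indexed property)
    re.compile(r'\.forName\s*\(', re.I),                # Class.forName(...)
    re.compile(r'@[\w.]+@', re.I),                      # @java.lang.Foo@ static reference
]
# The kind of blacklist the writeup's bypass defeats: it only knows getClass.
NAIVE_BLACKLIST = [re.compile(r'getClass', re.I)]


def decode(value: str) -> str:
    """URL-decode until stable, since payloads are often double-encoded."""
    prev = None
    while prev != value:
        prev, value = value, unquote_plus(value)
    return value


def ognl_indicators(raw: str) -> list[str]:
    """Return the patterns that fire on a decoded query string."""
    text = decode(raw)
    return [p.pattern for p in OGNL_REFLECTION_PATTERNS if p.search(text)]


def naive_blocked(raw: str) -> bool:
    """Would a getClass-only blacklist have blocked this request?"""
    text = decode(raw)
    return any(p.search(text) for p in NAIVE_BLACKLIST)


# Constructed sample query strings (not real traffic); "queryString" is assumed.
SAMPLES = {
    "benign": "queryString=hello+world&pageId=12345",
    "method_form": "queryString=%22%22.getClass%28%29.forName%28%22x%22%29",
    "indexed_form": "queryString=%22%22%5B%22class%22%5D.forName%28%22x%22%29",
}


def audit(samples: dict) -> dict:
    """Map sample name -> (naive blacklist blocked?, number of indicators hit)."""
    return {n: (naive_blocked(s), len(ognl_indicators(s))) for n, s in samples.items()}


if __name__ == "__main__":
    for name, (blocked, hits) in audit(SAMPLES).items():
        print(f"{name:13s} naive_blacklist={str(blocked):5s} indicators={hits}")
```

The indexed form sails past the naive blacklist but still trips two indicators, which is the gap the comment above is pointing at.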
I look up to Atlassian. Somehow they continue to easily sell even though so many hate it. I don't know what the secret sauce is... but I want it.
That's one of the selling points of SaaS compared to a hosted instance, honestly. Some companies think that having Confluence hosted internally is going to increase the security. But this is wrong. When you rely on a SaaS provider, the provider has people who monitor the infrastructure constantly, whereas when you host on your own server, the Confluence instance is just one of the many services that they manage. And even if some companies will be very reactive to events like this, the majority of companies will be much slower.<p>And in addition to that, when you use SaaS, security is a top priority; a SaaS provider can't allow the data of its customers to be leaked on the web. Whereas, once again, when it is internal data, people will be less cautious.
I spent years "working on" (battling) our own company-hosted Atlassian suite. I'm a software engineer / architect and was thrown admin powers to get a project up and running.<p>It was a constant battle of "the critical basic feature you need in this micro version is broken" and other critical functions being hidden in random places.<p>I applied to their engineering team citing my experience and ability to help with a lot of these things, but never even heard a response.<p>Current alternative software suites I've seen are beyond terrible or generally non-existent / missing major features. I'm sure there are some "pretty SaaS solutions" out there from a startup that charges exorbitant prices, but I don't believe their back end or security are going to be any better.
Atlassian has been producing remotely exploitable code for a decade now.<p><a href="https://www.cvedetails.com/product/8170/Atlassian-Jira.html?vendor_id=3578" rel="nofollow">https://www.cvedetails.com/product/8170/Atlassian-Jira.html?...</a><p>I would also say, based on experience, that if they tell you an exploit can't be used against any of their other software, you shouldn't ever believe them.
Seems odd that the Priority is "Low" on the ticket.<p><a href="https://jira.atlassian.com/browse/CONFSERVER-67940" rel="nofollow">https://jira.atlassian.com/browse/CONFSERVER-67940</a>