February 3, 2023

Atlassian Confluence vulnerability triggers IT security ire


Atlassian’s IT security practices drew heat from some of its customers following the disclosure of a critical flaw in one of its on-premises software products this month.

The second actively exploited critical Atlassian Confluence vulnerability disclosed in less than a year set off discussions among IT practitioners about the company’s overall stance on IT security and what many observers described as a concerning pattern of major vulnerabilities among the vendor’s products.

The remote code execution flaw means attackers can use a bug in the underlying open source Object-Graph Navigation Language (OGNL) to gain remote code execution access to Atlassian Confluence Server and Data Center, the on-premises midmarket and enterprise editions of the company’s wiki software. A patch for versions 7.14.17 and up was released June 3, though customers that run Confluence in a cluster will not be able to update to the fixed versions without downtime, the company said in a post to its advisory page.

As of June 14, security researchers reported as many as 5,000 servers still open to exploits of this vulnerability. A separate critical Atlassian Confluence vulnerability, stemming from an OGNL bug but unrelated to this month’s vulnerability, also arose in September 2021, and ranked among the most actively exploited bugs for the year.

Atlassian’s Jira Data Center software has been the subject of several Common Vulnerabilities and Exposures (CVE) advisories over the past year. A critical flaw in the Jira Seraph authentication framework was disclosed in July 2021; another was disclosed this week, a full-read Server Side Request Forgery (SSRF) vulnerability found in a mobile plugin for Jira Data Center and Server.

“The CVEs have been coming out regularly this year,” wrote Rodney Nissen, senior Atlassian admin at video game company Activision Blizzard, in a blog post this week. “But I think this is just the nature of Atlassian being as big as it is now. When you have a tool with a wide adoption, it becomes an attractive target for hackers. They know they will likely come across a Jira or Confluence instance in the wild, so finding ways to break in is well worth the effort.”

Other IT pros took a less forgiving stance toward Atlassian’s overall security posture, with some saying there is a pattern of critical, actively exploited vulnerabilities that is cause for concern.

“My clients often complain about the number of critical bugs [in Atlassian Jira],” said Luiz Quintela, an independent principal consultant at Raskere LLC, which advises large enterprise clients on Agile project management. “In fact, a few of them moved to Azure DevOps because of that.”

Two customers that made the switch in 2020 were Fortune 50 financial institutions that were already Microsoft shops and could make do with a combination of tools available with Office 365, such as OneNote and Teams for collaboration and Azure DevOps for project management, Quintela said. Another, a defense contractor, evaluated VersionOne and Azure DevOps before choosing the latter in late 2021.

“It’s really hard to admit this, but Microsoft got a lot more responsive [to vulnerabilities] than they used to be, and I think Atlassian, because they have a much larger market share in products like Jira and Confluence … they tend to be at least a little bit less responsive,” Quintela said. “I don’t think they care as much about security as they should … some of these bugs should have been caught in testing.”

Atlassian Confluence cloud unaffected — or is it?

Atlassian states in each of the recent CVE advisories that none of the CVEs affects its cloud products, though the company must also face the repercussions of its prolonged cloud outage in April as it looks to push customers away from on-premises products and into the cloud.

Still, one customer that took internally managed Atlassian Confluence systems offline in the wake of this month’s vulnerability said ongoing vulnerabilities in on-premises products represent a compelling argument to evaluate Atlassian cloud services.

“Their cloud is updated more often,” said Mike Wonder, chief strategy officer at online backup company Catalogic Software Inc., in Woodcliff Lake, N.J. “Cloud-based software comes with more modern practices and you benefit from other people’s layers of security.”

Nissen, whose company uses primarily on-premises Atlassian Data Center products, was skeptical that such vulnerabilities simply don’t exist in the cloud. He acknowledged, however, that Atlassian’s cloud team may mitigate them more quickly.

“With Jira Cloud, Atlassian is a first-party maintainer of those instances,” Nissen wrote in his post. “This arrangement means they can quietly address any issues found in Jira Cloud behind the scenes.”

However, that doesn’t make cloud inherently better than on-premises products for security in his view, Nissen added.

The codebase for Atlassian’s cloud products diverged from its on-premises products years ago, most significantly in breaking apart monolithic applications into discrete microservices, said Atlassian Chief Trust Officer Adrian Ludwig in an interview this week. This month’s Confluence vulnerability was present in the cloud version as well, he said, but was isolated from other services under this microservices architecture, quickly patched and inaccessible via the public internet.

For some IT security sticklers, however, this isn’t enough to say Atlassian cloud is unaffected by CVEs.

Among the most outspoken critics of Atlassian security this month was former Air Force and Space Force Chief Software Officer Nicolas M. Chaillan, now an independent consultant and member of several advisory boards for IT security startups. Chaillan blasted Atlassian’s security practices in a LinkedIn post shortly after the vulnerability was first disclosed June 2, saying they had been flawed for years.

“I’ve lost count of how many critical CVEs Atlassian and their CVE-ridden suite have had in the last couple of years,” Chaillan wrote. “All Atlassian customers, including the government, should stop using Atlassian … products immediately.”

The same goes for Atlassian cloud applications, Chaillan added in a comment on his post.

“Using SaaS doesn’t mean that goes away,” he said. “Worse, multi-tenancy makes it harder to secure.”

Other on-premises users were relatively unconcerned about this month’s vulnerability because their systems were also not accessible from the public internet. One also praised Atlassian’s proactive communication about the vulnerability, which it disclosed before a patch was available.

“Atlassian is one of the few companies talking about an issue as soon as they can, as soon as there’s some mitigation, and not waiting for a patch to be released,” said Frederick Ros, head of digital workplace services at Amadeus, an IT services and consulting company in Madrid.

Former DoD DevSecOps execs call out Atlassian on dependencies

The main point of contention for Chaillan and others who have worked on the Department of Defense (DoD) Platform One DevSecOps project is that Atlassian has not done more to fix vulnerabilities in the upstream open source libraries that its commercial products such as Confluence and Jira have as dependencies, or to move away from those vulnerable libraries altogether.

As a result, Atlassian Jira had one of the worst risk assessment scores of any application published as part of the Platform One Iron Bank repository of digitally signed container images, at 18.2%, according to Robert Slaughter, CEO of defense contractor Defense Unicorns. Slaughter was director of Platform One at the Air Force from January 2020 until April 2021. By comparison, communication and collaboration software from Mattermost, though still not at officially approved status on the Iron Bank as of June 14, had a 76.9% score, according to Slaughter.

“With a good security posture, Atlassian would have likely never adopted those vulnerabilities in the first place [and] rather than make upstream contributions to fix those issues or move off those solutions, they keep them,” Slaughter said. Platform One’s risk assessment scoring process remains in beta, but Slaughter called Atlassian’s score “shocking.”

“Atlassian is for sure one of the worst offenders that is used across DoD,” Slaughter said.

Atlassian officials maintain that the company’s approach to dependencies is sound from a technical security standpoint.

“The current approach that we use for our on-premises products is that if we find there is a bug inside of a dependency, we review whether that bug is in code that is actually used inside of our software,” said Atlassian’s Ludwig. “If it’s in a method that we never invoke, the bug exists, we acknowledge that the bug exists, but it’s not really a vulnerability.”

Chaillan dismissed this in his post as “nonsense.”

Several officials from the Air Force and the DoD did not respond to online messages seeking comment about whether Atlassian products are still actively used on Platform One. However, Slaughter, Chaillan in his post and another engineer at Defense Unicorns familiar with Platform One said they are.

“They use them because the tech stack is tied to it,” Slaughter said, echoing Quintela’s view that Atlassian lacks strong competition for Jira and Confluence. “It’s a core part of people’s workflow, tied to core systems.”

Atlassian exec pledges renewed security efforts

While Ludwig said that Atlassian’s approach to vulnerabilities remains technically sound from the company’s point of view, he acknowledged that it is a difficult one for many IT pros to clearly understand. The company must step up efforts to improve its IT security image in the market, he said, and is considering new approaches to security in order to further trust among customers.

“Having people be comfortable with the approach and feel like it matches their expectations is really important, and so even though I think what we’ve been doing is technically correct, I don’t think it’s pragmatically correct,” Ludwig said. “Because we’re now spending time on explaining what we’re doing, and making people be comfortable, and it’s probably going to be more efficient for us to just fix the problem.”

Ludwig said his promotion last year from chief information security officer (CISO) to chief trust officer, a broader role that oversees the office of the CISO and includes governance and resiliency, is part of the company’s efforts to assuage IT pros’ concerns about its security. He didn’t offer full details of the company’s plans to change its approach to security but did say it will consider offering a software bill of materials that details its products’ dependencies so that customers can understand them more clearly.

“We are making changes in order to make sure that we’re patching more things more regularly,” he added on the subject of vulnerable dependencies. “I don’t think that that’s going to make a material improvement in the quality of our products; it probably will make a material improvement in that [Platform One risk assessment] score.”
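To make Ludwig’s reachability argument and the software bill of materials he mentions concrete, here is an added example that is not Atlassian’s or Platform One’s code: it matches a constructed SBOM fragment against constructed advisories, then walks a constructed call graph from the application’s entry points, so a vulnerable function that is never invoked is recorded as not affected (with a VEX-style justification), while an inventory-only score would count both findings. All package, function and advisory names are hypothetical.

```python
"""Dependency-vulnerability triage: SBOM match plus call-graph reachability.

All data below is constructed; package, function and advisory ids are hypothetical."""
from collections import deque

# Constructed SBOM fragment, CycloneDX-style component entries (hypothetical packages).
SBOM = [
    {"name": "acme-expr", "version": "1.2.0"},
    {"name": "acme-json", "version": "3.0.1"},
    {"name": "acme-log", "version": "2.4.0"},
]

# Constructed advisories: affected package, first fixed version, vulnerable function.
ADVISORIES = [
    {"id": "ADV-0001", "package": "acme-expr", "fixed_in": (1, 2, 5), "symbol": "acme_expr.eval_template"},
    {"id": "ADV-0002", "package": "acme-json", "fixed_in": (3, 0, 2), "symbol": "acme_json.parse_stream"},
]

# Constructed call graph of the application: caller -> callees.
CALL_GRAPH = {
    "app.handle_request": ["app.render_page", "acme_log.info"],
    "app.render_page": ["acme_expr.eval_template"],
    "app.import_job": ["acme_json.parse_stream"],  # dead code: no entry point reaches it
}
ENTRY_POINTS = ["app.handle_request"]

def parse_version(v):
    """'1.2.0' -> (1, 2, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def reachable(graph, roots):
    """Breadth-first walk from the entry points; returns every function reachable."""
    seen, queue = set(roots), deque(roots)
    while queue:
        for callee in graph.get(queue.popleft(), []):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen

def triage(sbom, advisories, graph, entry_points):
    """Returns {advisory id: status}. An inventory-only scanner stops at the version
    match; the reachability step separates 'affected' from 'not_affected'."""
    versions = {c["name"]: parse_version(c["version"]) for c in sbom}
    live = reachable(graph, entry_points)
    result = {}
    for adv in advisories:
        v = versions.get(adv["package"])
        if v is None or v >= adv["fixed_in"]:
            continue  # component absent or already patched: no finding
        hit = adv["symbol"] in live
        result[adv["id"]] = "affected" if hit else "not_affected:vulnerable_code_not_in_execute_path"
    return result

if __name__ == "__main__":
    print(triage(SBOM, ADVISORIES, CALL_GRAPH, ENTRY_POINTS))
```

The score-only view would report two vulnerable components; the reachability view reports one, which is exactly the gap between Ludwig’s position and the Iron Bank score.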

High-profile cybersecurity breaches have mounted over the last three years, most notably in the SolarWinds attack in late 2020 and the Log4j vulnerability in late 2021. As a result, Ludwig said, Atlassian’s customers, along with the rest of the tech industry, have developed more awareness and become more deeply concerned about security, especially software supply chain security.

“A few years ago, a year ago, six months ago, it would have been acceptable to say, ‘We’ve done an analysis and we think this is not a vulnerability because it is not exploitable,’” he said. “We see uniformly across our data center customers now a shift toward demanding more, so we’re moving in that direction.”

Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.