The good thing about the fact that Atlassian offers both on-prem and cloud versions of their offerings is, everyone is now aware of the awful engineering practices that underpin their products. We have to assume that there are problems of a similar nature in their cloud service, which is way more of a problem considering the number of orgs that depend on the JIRA SaaS offering.
Maybe the founders could have used some of that time spent planning a tunnel between their side-by-side $100M houses, or engaged in Twitter rants, to actually bother delivering value to customers. It’s only a matter of time before this product suite is disrupted, and it might represent one of the most obvious low-hanging opportunities in our entire industry.
I still remember being in line at a WWDC a few years back, overhearing someone ask a developer, “where do you work?” When the developer responded with “HipChat,” the other person immediately chuckled and said, “oh — Atlassian... I’m sorry” — and then everyone around them also started laughing. It’s amazing that this company continues to fall up, and that the founders have taken on roles as the ruling digital gurus of Australia (shows you why it’s so easy for the government to run circles around the local tech industry and pass whatever laws they want).
> The good thing about the fact that Atlassian offers both on-prem and cloud versions of their offerings is, everyone is now aware of the awful engineering practices that underpin their products.
Regardless of what one thinks about Atlassian, this is a completely ridiculous bullshit statement, and anyone who works in the world of business software knows it.
I don't think there is a company out there that hasn't had critical CVEs, nor most major open source projects, either.
Microsoft had a recent vulnerability in their Azure Cosmos DB product that left thousands of customers' data unprotected. Google has released multiple patches to Chrome in the past month.
If you demand you'll only use products from companies or open source projects that have never had a major CVE, you'll be writing a lot of your own software that probably has even worse security.
There are many jira alternatives out there, from what I can tell. Why are they not disrupted already, if it’s such a low hanging fruit? (Honest question - I don’t have any personal preference)
A far stretch to conclude that this event can equate to awful engineering.
The rest of your comment reads like you continue to be naive about Atlassian’s success. I have to think many people do find unique value in their products (myself included), some people don’t laugh rudely when they hear what folks are working on, and I think that shows in the overall achievements of the Atlassian team and product.
I’ve witnessed first hand truly fantastic organizational changes after adopting Jira, Confluence, etc., and I wouldn’t continue to write them off so easily.
>overhearing someone ask a developer, “where do you work?” When the developer responded with “HipChat,” the other person immediately chuckled and said, “oh — Atlassian... I’m sorry” — and then everyone around them also started laughing.
> It’s amazing that this company continues to fall up.
There are still not any knowledge base tools that can keep up with Confluence. For Jira the competition is slowly catching up, but there is still a large gap for big organizations. That's why they are still here: their product is still superior to the competition.
Atlassian get a lot of criticism that's not always justified.
If you are serious about the tunnel between the houses can you provide any info or a link for my bubble folder? I’d love to read about that. Googling was not fruitful.
>It’s only a matter of time before this product suite is disrupted, and it might represent one of the most obvious low-hanging opportunities in our entire industry.
That might be the most disconnected-from-reality statement in this entire discussion.
Whatever you think about the quality of Atlassian's products, they are ridiculously entrenched and about as easy to "disrupt" as Microsoft Windows.
On the other hand, cloud-hosted services can have a CVE patched for all users within a matter of hours (or less). Consider the alternative of frantically trying to get in contact with thousands (or tens of thousands) of companies running your on-prem version and urging each one to install your patch.
> It’s amazing that this company continues to fall up, and that the founders have taken on roles as the ruling digital gurus of Australia
It's probably because they primarily target non-technical folks. Our IT department has inherited numerous Atlassian products adopted by business units, and it takes at least a year or two to unwind them, if ever.
In the meantime they just keep cashing those checks.
Nit: I wouldn't say "originating". That's where this specific exploit is coming from "most recently". But it would seem to not be script kiddies and they're listing like 8 countries. I would assume the bad actors could be anywhere, proxying traffic through any number of other places.
Atlassian was so kind to update their mailing lists somewhere over the last year or so. Previously, they would email the 'technical contact' of the license about any vulnerabilities. They quietly switched to some other notification system and never informed us about it. Hence we missed the update and got a free Bitcoin miner. Thanks Atlassian, I'll make sure to get your products out of the door as soon as possible.
[edit] Oh it's even better. Their site says 'Note: if you are a tech administrator, you will always receive these notifications.' but they never mailed us. Great job, Atlassian, great job.
Another issue is that they sent out the initial communication on August 25th (which I did receive), but the original wording indicated that it only affected servers that allowed user self-registration. We didn’t have that enabled, so I held off for a bit because the risk seemed lower and our upgrade process is a bit arduous (we have quite a few customizations on the server and need to perform all upgrades on a test instance and validate first) and our instance requires authentication through a load balancer before it’s even accessible.
Then, Atlassian updated the ticket a day later to state the issue affected all servers on the affected versions regardless of user authentication or registration but didn’t send out a follow up communication when they did so. Instead they waited until Friday afternoon before a US holiday weekend to send out another update. So if you weren’t watching the source ticket directly and thought you could wait due to the setting distinction you wouldn’t have known for over a week and you were left vulnerable.
Atlassian should have sent out another communication to all customers as soon as they knew the scope was broader than they had initially thought.
> The vulnerability only affects on-premise servers, not those hosted in the cloud.
This is a dangerous statement to make and should be revised to say:
> The vulnerability only affects standalone versions of the software, not the managed service of confluence provided directly by Atlassian.
The problem with the former is that lesser technical people, especially directors, might assume they're fine because their standalone instances are hosted on GCP/AWS/Azure, which counts to them as "cloud".
Reserving 1% because I'd strike "lesser technical" from your final sentence. The misleading quote is simply not correct. It is misleading because it's not true. It says Confluence hosted in the cloud is not vulnerable. False statement that can mislead anyone regardless of how technical they are.
Why do people say "on-premise" instead of "on-premises"?
Here follows the definitions I am familiar with:
"premise" - a house or building, together with its land and outbuildings, occupied by a business or considered in an official context.
"premise" - a previous statement or proposition from which another is inferred or follows as a conclusion.
(I have the privilege of worrying about this because my company uses Confluence Cloud. It's vastly inferior to our old self-hosted MediaWiki, but at least it's not an open barn door.)
It is awful, the worst "search engine" that exists. I absolutely hate it, and this is the only thing that makes me want to move away from Confluence. When you need it the most, which happens often, you know that you definitely cannot rely on it. Any data you put in there is lost unless you have a good hierarchy and know what to find where without relying on the search.
A colleague who runs security at an ASX 200 company found crypto mining running within a day of the vulnerability being announced. They've since patched and cleaned up the hosts they run Data Centre on. Patch quickly, and check for the IoCs listed in Daniaal's tweet below.
> An OGNL injection vulnerability exists that would allow an authenticated user, and in some instances unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.
For god sake, can we all agree to stop using OGNL at this point? At my previous job I kept having to fix OGNL vulnerabilities on our stack, it was awful.
My employer was bit by this on Wednesday. Thankfully we had Crowdstrike on it which blocked any real damage. But it definitely moved our cloud migration from “later this year” to “later this month”.
Also, not having confluence for a day exposed just how reliant we were on it for day-to-day activities.
I have no idea why you're being downvoted - this is true.
Atlassian produce some of the worst tech on the planet. Trying to administer this crap is horrible.
And don't get me started on how many project managers spend all day staring at Jira tickets instead of actually talking to their teams. Management-by-Jira is a disease, a symptom of bad organisational culture.
Bitbucket recently has shockingly poor reliability. Quite often you see nothing on the status page but see other people having issues on Twitter. We've nearly migrated everything to GitHub; plus, GitHub has better features and is more powerful.
Then I tried a bunch of their competitors. Still stuck with some of them.
Sadly, some of Atlassian's products - namely Confluence and Jira - are the best in the business.
Those complaining below about PMs staring at JIRA all day... well, this is a problem with PMs, not JIRA, and it happens even if they are using other work management tools. We created a middleman position in our business to deal with the stuff we didn't want to - tracking work, getting requirements, etc - and we must reap what we've sown. They become obsessed with the management stuff because that's why they exist, and they will fill their time to justify their existence.
So why are they so popular? Because Jira is a wet dream for mediocre micro-managers (of all levels), allowing them to manage by ticket, instead of lead by example.
Never used it, but a quick perusal of its Wikipedia article mentions that it was a rewrite of something else using ANTLR, which implies a separate syntax.
This is the power of meeting the "needs" of business-side suits who don't know how to use git or a real editor. So many times I've gotten pushback about writing docs in git instead of in Confluence because "what about the non-technical people, what if they need to edit something?". So the lesson learned is that if you can use your proprietary vendor lock-in to trap a bunch of C-levels via Stockholm syndrome, you can just keep failing up no matter how shitty the actual tech in your product is.
And look at the stock. If someone had told me it would ever reach $180, I would have been shocked. It’s now $384. And it’s outperforming expectations all the time.
All the people who claim it is awful software, they ignore how many people love the Atlassian suite.
That's one of the selling points of SaaS compared to a hosted instance, honestly. Some companies think that having Confluence hosted internally is going to increase security, but this is wrong. When you rely on a SaaS provider, the provider has people who monitor the infrastructure constantly, whereas when you host it on your own server, the Confluence instance is just one of the many services they manage. And even if some companies will be very reactive to events like this, the majority of companies will be much slower.
In addition to that, when you use SaaS, security is a top priority: a SaaS provider can't allow the data of its customers to be leaked on the web, whereas, once again, when it is internal data people will be less cautious.
This isn't always true. Using a SaaS is outsourcing these concerns, and sometimes you're outsourcing them to someone who will do better than you would and sometimes worse. I've worked on a couple of SaaS where security was absolutely not top priority. Especially in Silicon Valley, organizations often value growth over sound processes, fully staffed security teams, and managing tech debt. Many a SaaS has leaked customer data and survived, so many think they CAN allow that risk.
It's the selling point of self hosting. My jira is behind x509 client certs, others I know are behind oidc connections. You need to be an authenticated user to even load the page. There's two layers of protection from two different companies.
I spent years "working on" (battling) our own company-hosted Atlassian suite. I'm a software engineer / architect and was thrown admin powers to get a project up and running.
It was a constant battle of "the critical basic feature you need in this micro version is broken" and other critical functions being hidden in random places.
I applied to their engineering team citing my experience and ability to help with a lot of these things, but never even heard a response.
Current alternative software suites I've seen are beyond terrible or generally non-existent / missing major features. I'm sure there's some "pretty SaaS solutions" out there from a startup that charges exorbitant prices, but I don't believe their back end or security are going to be any better.
So that users can be at home or on a mobile device without requiring them to have VPN.
But so that you still can ensure data locality or run a customised instance etc. if you have requirements around that. Plus licensing is approx. 40% of the full SaaS cost at scale, so it may be cheaper to deploy that way.
Confluence is often where the long-term docs for product/design oriented team members end up living, or at least being linked.
The easy two-way connection between Jira and confluence uses syntax any social media user will be familiar with, so non-techies can link the 'what' with the 'why' in a task before engineers even see them in a grooming session.
Anything that moves documentation and ticket preparation effort away from engineers/tech leads/team leads has a significant hidden saving.
Because most free wiki software is kind of bland and terrible. Don't get me wrong, they are amazing for what they are but they don't scream "professional".
But actually that's not the key point. Nobody buys just Confluence. That would be silly. A bland and terrible (but free) wiki software is definitely better than Confluence.
People buy JIRA. And then you've bought into the Atlassian ecosystem, and you want the nice tight integration with your wiki software.
I would also say based on experience that if they tell you that an exploit can't be used against any of their other software that you shouldn't ever believe them.
FYI: Shodan also does monthly hostname-based scans of the Internet where we set the "Host"/ SNI headers. We use our own DNS DB to grab a list of hostnames/ IPs to launch scans of:
At the very basic, almost any attack can be monetized through resources (crypto mining, DDoS-as-a-service, selling access to the machines to other criminals) or extortion (ransomware, threatening to expose data), at scale and without the attackers really having to care too much what they hit.
If they devote more time per target, they can also go after specific data, e.g. for espionage or insider trading.
One compromised server can also serve as a foothold ("oh, you have a service account with all permissions on that server? nice!") which then allows all of the above to be launched against a bigger part of the infrastructure.
Arbitrary code execution in an on-premise server? You can basically stage an attack on any other internal resources (core infrastructure, databases, endpoints) that are visible from there, with the benefit of already being behind at least one layer of firewall/security.
Waterluvian|4 years ago
Well that and spending any amount of time using it and feeling the crustiness.
astura|4 years ago
Wow, this is incredibly mean.
Aeolun|4 years ago
They just sell their feature list to CEO’s and Product Manager/Scrum Lords, and suddenly Atlassian is an absolute requirement.
swiley|4 years ago
This was already obvious to anyone actually using their products.
heytherewhat|4 years ago
And what are these practices?
> assume that there are problems of a similar nature in their cloud service
?
> then everyone around them also started laughing
You know, I'm sure that highly paid dev felt just fine.
daniaal|4 years ago
NIST Link to issue: https://nvd.nist.gov/vuln/detail/CVE-2021-26084
Tweet from USCYBERCOM urging users to patch: https://twitter.com/CNMF_CyberAlert/status/14337876717851852...
Tweet from BadPackets showing where the bad actors are originating from: https://twitter.com/bad_packets/status/1433157632370511873
SV_BubbleTime|4 years ago
But on the “attacks coming from”, I’ve never understood putting stock in these. Aren’t these all going to be proxies and botnets?
tootie|4 years ago
We got hit by this and had to shut down and upgrade. Atlassian are taking a while to send new license keys.
bhauer|4 years ago
https://censys.io/blog/cve-2021-26084-confluenza/
dwild|4 years ago
Don't remember the Apple developer portal hack? OGNL.
What about Equifax? OGNL.
This thing is so freakingly insecure it's crazy.
vasco|4 years ago
For someone not familiar with their products, what did they do for you specifically?
ccozan|4 years ago
Tip: adding noexec to /tmp helped.
echelon|4 years ago
Atlassian products are some of the worst glued-together garbage in the industry. The entire product surface area is probably rife with exploits.
Using Confluence or Jira will show you just how much Atlassian cares about its own products.
I'd love for this to be the straw that breaks the camel's back and makes IT/infosec orgs move away from this bilge.
spuz|4 years ago
> ""["class"].forName(...)
as opposed to:
> "".getClass().forName(...)
Does anyone know why this works in OGNL? It does not appear to be valid Java syntax.
[1] https://github.com/httpvoid/writeups/blob/main/Confluence-RC...
Edit: Oh apparently, it's just a feature of OGNL: https://commons.apache.org/proper/commons-ognl/language-guid...
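The same OGNL idioms quoted in the comment above (`${ ... }`, `""["class"].forName(...)`, `@class@member` static access) are what a defender can look for in web-server access logs after an incident like this one. The following Python is an added example, not code from the thread or from Atlassian; the log lines are constructed, `/example.action` and the `q` parameter are placeholders, and it handles the double-URL-encoding case that a naive substring search misses.

```python
"""Flag access-log requests carrying OGNL expression syntax.

Added example (not from the thread or from Atlassian). The log lines are
constructed; '/example.action' and the 'q' parameter are placeholders.
"""
import re
from urllib.parse import unquote

# Common/combined log format: client, identity, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Syntax that belongs to OGNL expression evaluation and almost never to
# ordinary wiki traffic. Each entry names the language feature it detects.
OGNL_MARKERS = {
    "expr_wrapper": re.compile(r"\$\{"),                        # ${ ... }
    "class_index": re.compile(r"\[\s*['\"]class['\"]\s*\]"),    # ""["class"] property access
    "forname": re.compile(r"\.forName\s*\("),                   # Class.forName reflection
    "static_access": re.compile(r"@[A-Za-z_][\w.]*@"),          # @java.lang.Foo@bar
}


def fully_decode(s: str, rounds: int = 3) -> str:
    """URL-decode until stable so double-encoding (%2524 -> %24 -> $) is normalised."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def scan_line(line: str):
    """Return a dict describing the request if it contains OGNL markers, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line; a real pipeline would count these separately
    target = fully_decode(m.group("target"))
    hits = [name for name, rx in OGNL_MARKERS.items() if rx.search(target)]
    if not hits:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": m.group("status"),
        "target": target,
        "markers": hits,
    }


def scan_log(lines):
    """Scan an iterable of log lines and return the suspicious ones in order."""
    return [hit for hit in (scan_line(l) for l in lines) if hit]


# Constructed sample log (RFC 5737 documentation addresses, placeholder paths).
SAMPLE_LOG = [
    # ordinary page view
    '198.51.100.4 - - [01/Sep/2021:09:58:11 +0000] "GET /pages/viewpage.action?pageId=4242 HTTP/1.1" 200 18211',
    # a literal dollar sign in a search term must not trip the ${ rule
    '198.51.100.4 - - [01/Sep/2021:09:59:03 +0000] "GET /example.action?q=price%20%2450 HTTP/1.1" 200 9013',
    # single URL-encoded expression using the ""["class"].forName idiom quoted above
    '203.0.113.9 - - [01/Sep/2021:10:15:09 +0000] "GET /example.action?q=%24%7B%22%22%5B%22class%22%5D.forName%28%22x%22%29%7D HTTP/1.1" 302 0',
    # double URL-encoded expression using OGNL static member access
    '203.0.113.9 - - [01/Sep/2021:10:15:12 +0000] "GET /example.action?q=%2524%257B%2540java.lang.Math%2540PI%257D HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["status"]} {",".join(hit["markers"])} {hit["target"]}')
```

Access logs only record the request line, so this catches expressions in the path and query string; anything carried in a POST body needs the application or WAF logs, and the markers should be tuned against a baseline of your own traffic before alerting on them.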
tjoff|4 years ago
But a big point of hosting it internally is that you don't have to.
mrweasel|4 years ago
Confluence, at its core, is just a wiki. Sometimes it needs to be available online, sometimes it really doesn't.
lamontcg|4 years ago
https://www.cvedetails.com/product/8170/Atlassian-Jira.html?...
escot|4 years ago
https://jira.atlassian.com/browse/CONFSERVER-67940
achillean|4 years ago
https://www.shodan.io/domain/ycombinator.com
At the moment, I think we're checking around 600 million hostnames.