I don’t think this is needed here or should get the security tag, as there seems no novel aspect that would be worth mentioning beyond “there is a critical vulnerability in some proprietary product for certain configurations”.
You should avoid exposing internal enterprise services without additional security protections and/or a good update strategy, such as SSO via nginx before any requests get routed - of course that will make scripted use via tokens more challenging.
It seems like only on-premises deployments are affected and the attack surface is further reduced if the on-premises deployment is not directly accessible on the internet. I guess the administrators of the on-premises Confluence deployment just need to update / apply a security patch. And if they haven’t patched it by now, of course they need to do an analysis if they were exploited and clean up all the viruses and ransomware. Customers of the cloud solutions don’t have to do anything. Still, it seems pretty bad. It would be fun if a greyhat simply exploited all the internet-facing deployments and updated them by using the vulnerability.
Oof, came here to say “sucks to be you, you should’ve upgraded” but then I read the comments on Ars Technica and… oh boy, so much pain and hurt is being expressed there about how hard Atlassian makes it to upgrade, and about the general quality of their code.
I guess it’s not just affecting clueless sysadmins who should’ve known better.
Oh, I took “Atlassian’s senior management is all but begging customers to take immediate action.” to mean get eyeballs on this ASAP?