Atlassian: Unpatched years-old flaw under attack right now to hijack Confluence Atlassian has warned users of its Confluence collaboration tool that they should either restrict internet access to the software, or disable it, in light of a critical-rated unauthenticated remote-code-execution flaw in the product that is actively under attack. An advisory dated June 2, 1300 PT (2000 UTC), does not describe …
One place I worked at had the grand idea of dispensing with numbers entirely and naming releases after dead languages, e.g. vPictish, vLatin, et cetera. Went about as well as you'd expect, especially when a drugs bust happened and the local police force turned out to have been using the same naming convention for their sting operations.
Wiki article for great justice.
The convention's even got its own classes in various popular high-level languages like Python, C#, Ruby, Rust, Dart and Java.
Not that it matters because some tech's apparently ambling towards a dynamically-typed and/or stringly-typed quantum state of who-gives-a-fook.
I've been fighting for 18 months to be rid of this horrendous peice of garbage software, locked in proprietary doc store format that offers little over FOSS Wikis or even ( god fobid! ) Sharepoint in O365, this could be the leverage I need to finally have this abomination declared a threat and get it removed.
We're still on premise v6.2 from 2017. we do not have this feature :-)
To get to the cloud we need to upgrade to some versions, but there are lots of database issues.
You have to take each update step by step every version, will take forever.
Feature maturity and terrible administration made atlassian drop on premise, just managing atlassian products are a full sys-admin/uber dba expert skill position, no one can afford.
Read it again. The remote execution exploit exists all the way back to 1.3.5:
The bad news is it's been found to impact Confluence all the way back to version 1.3.5, which was released more than a decade ago. The good is the tech giant has promised a patch by the end of June 3, Pacific Time.
So... I suggest you have a look at your Confluence installation tout de suite.
"Security company Volexity, which reported the flaw to Atlassian, has published an analysis of the situation that suggests attackers are able to insert a Java Server Page (JSP) webshell into a publicly accessible web directory on Confluence servers."
Couldn't the write permissions have been removed from that directory as a temporary patch?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2023
