back to article Atlassian: Unpatched years-old flaw under attack right now to hijack Confluence

Atlassian has warned users of its Confluence collaboration tool that they should either restrict internet access to the software, or disable it, in light of a critical-rated unauthenticated remote-code-execution flaw in the product that is actively under attack. An advisory dated June 2, 1300 PT (2000 UTC), does not describe …

  1. Pascal Monett Silver badge
    WTF?

    What ?

    7.18 is more recent than 7.4 ?

    Is Atlassian using a countdown scheme on its version numbers ?

    1. Anonymous Coward
      Anonymous Coward

      Re: What ?

      18 > 4, implying that yes, 7.18 is more recent that 7.4.

    2. anothercynic Silver badge

      Re: What ?

      Someone's got a math problem here...

    3. Juillen 1

      Re: What ?

      Decimal points make all the difference. I'd expect 7.4 to be greater than 7.1.8, but less than 7.18

      1. Anonymous Coward
        Anonymous Coward

        Re: What ?

        Decimal points do make the difference. Mathematically while 18 > 4, 7.4 > 7.18.

        1. Anonymous Coward
          Anonymous Coward

          Re: What ?

          I will make a deal with anyone who disagrees with this. For each $1.9 you gve me, I will give back $1.11.

          Any takers?

        2. John Robson Silver badge

          Re: What ?

          They're not decimal points, they are just full stops denoting the split between major and minor release numbers.

          it's seven dot four and seven dot eighteen, not 7 2/5 and 7 9/50

          1. Anonymous Coward
            Anonymous Coward

            Re: What ?

            To avoid any number silliness, I just use the date as version number in YYYYMMDD format.

            1. logicalextreme

              Re: What ?

              One place I worked at had the grand idea of dispensing with numbers entirely and naming releases after dead languages, e.g. vPictish, vLatin, et cetera. Went about as well as you'd expect, especially when a drugs bust happened and the local police force turned out to have been using the same naming convention for their sting operations.

            2. Robert Helpmann??
              Childcatcher

              Re: What ?

              To avoid any number silliness, I just use the date as version number in YYYYMMDD format.

              And I am sure there will be someone out there saying the same thing except formatting it MMDDYYYY.

    4. logicalextreme

      Re: What ?

      Wiki article for great justice.

      The convention's even got its own classes in various popular high-level languages like Python, C#, Ruby, Rust, Dart and Java.

      Not that it matters because some tech's apparently ambling towards a dynamically-typed and/or stringly-typed quantum state of who-gives-a-fook.

    5. SnOOpy168

      Re: What ?

      perhaps I rewrite as

      ver 7.04 vs 7.18

      Clearer?

      1. logicalextreme

        Re: What ?

        Ah, but then if you reach 7.100 it all goes wrong again :) it's like the olden days where you'd number your lines of code 10, 20, 30…so you could add extra lines in later. Eventually you're going to run out and have to renumber everything!

  2. This post has been deleted by a moderator

  3. Anonymous Coward
    Anonymous Coward

    Good!

    I've been fighting for 18 months to be rid of this horrendous peice of garbage software, locked in proprietary doc store format that offers little over FOSS Wikis or even ( god fobid! ) Sharepoint in O365, this could be the leverage I need to finally have this abomination declared a threat and get it removed.

    1. logicalextreme

      Re: Good!

      Ours is already only available internally/via VPN, unfortunately. I'd love yet another excuse to try and get them onto MediaWiki, but I fear they wouldn't even hear me over the sound of them chugging the Flavor Aid.

      I want Atlassian to go to the bottom of the sea and stay there.

  4. Morten Bjoernsvik

    no problem here

    We're still on premise v6.2 from 2017. we do not have this feature :-)

    To get to the cloud we need to upgrade to some versions, but there are lots of database issues.

    You have to take each update step by step every version, will take forever.

    Feature maturity and terrible administration made atlassian drop on premise, just managing atlassian products are a full sys-admin/uber dba expert skill position, no one can afford.

    1. anothercynic Silver badge

      Re: no problem here

      Read it again. The remote execution exploit exists all the way back to 1.3.5:

      The bad news is it's been found to impact Confluence all the way back to version 1.3.5, which was released more than a decade ago. The good is the tech giant has promised a patch by the end of June 3, Pacific Time.

      So... I suggest you have a look at your Confluence installation tout de suite.

    2. Anonymous Coward
      Anonymous Coward

      Re: no problem here

      https://imgflip.com/i/6h95iy

  5. cd

    Stupid Question

    "Security company Volexity, which reported the flaw to Atlassian, has published an analysis of the situation that suggests attackers are able to insert a Java Server Page (JSP) webshell into a publicly accessible web directory on Confluence servers."

    Couldn't the write permissions have been removed from that directory as a temporary patch?

  6. Diogenes

    Maybe Cannon-Brookes should spend time fixing his company not the world

    Heading says it all. Background.... https://www.google.com/search?q=canon-brookes&oq=cannon-brookes&aqs=edge..69i57.6991j0j1&sourceid=chrome&ie=UTF-8&safe=active&ssui=on

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022