Another issue is that they sent out the initial communication on August 25th (which I did receive), but the original wording indicated that it only affected servers that allowed user self-registration. We didn’t have that enabled, so I held off for a bit because the risk seemed lower, our upgrade process is a bit arduous (we have quite a few customizations on the server and need to perform all upgrades on a test instance and validate first), and our instance requires authentication through a load balancer before it’s even accessible.
Then, Atlassian updated the ticket a day later to state the issue affected all servers on the affected versions regardless of user authentication or registration, but didn’t send out a follow-up communication when they did so. Instead they waited until Friday afternoon before a US holiday weekend to send out another update. So if you weren’t watching the source ticket directly and thought you could wait due to the setting distinction, you wouldn’t have known for over a week and you were left vulnerable.
Atlassian should have sent out another communication to all customers as soon as they knew the scope was broader than they had initially thought.
100%, I did the same thing on my side. If shit really hit the fan I could've lost my job because of this, as it was my call to not patch. When I went back to the link provided in the email the self-registration part was removed, so I looked like a complete tool over Zoom when trying to explain this situation to my boss.
If it helps you at all, we aren’t the only ones who were blindsided by the severity-level update and lack of further communication. There are several comments on the source ticket calling out the poor communication, and the earlier comments are all asking for clarification about the user registration requirement: https://jira.atlassian.com/browse/CONFSERVER-67940
Both I and another colleague looked at the issue when it first came out and decided we were “safe” for a bit based on the initial communication. Many IT/IS teams were probably scrambling over the long weekend to patch this issue.