> Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances. Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.
I don't remember if it was this one, but Confluence had a pre-login vulnerability a while back that was actively exploited on DI2E, which had been the DoD's largest unclassified system, used as a collaboration and platform layer for all defense and intelligence projects that didn't have their own isolated environment, ironically only a couple months before it was scheduled to sunset anyway. They had to lock and bring down their entire data center for months before they could be sure everything was clean, and all defense projects that didn't have their planning data backed up somewhere else just lost it that entire time. And we'll never know how many programs that were considered sensitive but not enough to be classified had planning data compromised or by whom.
The only reason Atlassian hasn't totally lost the entire US government at this point is inertia and the remaining influence of however many thousands of agile consultants and project managers out there just love Jira and don't want anyone to move their cheese.
We once had a meeting with our ex-CTO. The question was how do you envision the technical future of Atlassian. The most popular tag was "fire", referring to the "Five-alarm fire" program they introduced to fight a series of emerging outages. This program was over at the time when we had this poll. Seems like everyone in the org saw that in 2021. Later it was confirmed multiple times, with one of the services down for almost a week for some clients, and TBH with other outages. And in 2021 the CTO just ignored the most popular "fire" answer, saying something like "while we're getting votes coming in, let's talk about..."
They replaced the CTO, but it didn't help. At this point I'm pretty confident it's about founders who cannot keep it under control. So you know, this org is 70-80% KTLO.
There is a pretty substantial number of folks who hate Jira, TBH. But you're right, that's the reason their stock is still flat and the entire company is worth something.
Even if it's flat you can find a time frame when it's up. The reality is it's not the best stock by any means, and it never will be. Why? Because it's Atlassian. No-innovation, KTLO-kind-of-company.
They probably don't hate Jira, but specific implementations of it, which can easily turn to shit with bad management because the tool is flexible enough to allow it.
> At this point I'm pretty confident it's about founders who cannot keep it under control.
They seem to be purely on the growth-by-acquisition trend, hell almost all of their products are acquisitions that have been more-or-less shoddily "integrated"... just a week ago they bought Loom for a billion $ - money that would have been better invested in bringing their code and service quality up to speed.
Atlassian is enshittification-as-a-service, just that this time it isn't the general population being squeezed but large corporations.
Atlassian mentions in their original advisory[0] that Cloud is not vulnerable. But Atlassian usually just... leaves it at that. No clarification on whether Cloud was ever vulnerable in the past or whether there was any evidence of exploitation attempts on Cloud customers. Something I wish they would provide more details on, as my company is also an Atlassian customer.
In all of these advisories there has never once been a mention of cloud being vulnerable. I think it's safe to assume cloud runs a similar, if not identical, codebase, and that these issues are simply patched there first before vulnerability announcements are published. But that's the type of thing no company is ever going to be willing to say in public.
Someone in here claimed recently that the Cloud products were forked many years ago, which sounds believable - there's tons of little stuff that only works on either Cloud or on-prem.
You mean Confluence won't run in your JVM with a default 128MB heap? Then I guess so, I'm not aware of any way a Java application can automatically increase the heap size of the VM it's running in.