Maybe the founders could have used some of that time spent planning a tunnel between their side-by-side $100M houses, or engaged in Twitter rants, to actually bother delivering value to customers. It’s only a matter of time before this product suite is disrupted, and it might represent one of the most obvious low-hanging opportunities in our entire industry.
I still remember being in line at a WWDC a few years back, overhearing someone ask a developer, “where do you work?” When the developer responded with “HipChat,” the other person immediately chuckled and said, “oh — Atlassian... I’m sorry” — and then everyone around them also started laughing. It’s amazing that this company continues to fall up, and that the founders have taken on roles as the ruling digital gurus of Australia (shows you why it’s so easy for the government to run circles around the local tech industry and pass whatever laws they want).
Regardless of what one thinks about Atlassian, this is a completely ridiculous bullshit statement, and anyone who works in the world of business software knows it.
I don't think there is a company out there that hasn't had critical CVEs, nor most major open source projects, either.
Microsoft had a recent vulnerability in their Azure Cosmos DB product that left thousands of customers' data unprotected. Google has released multiple patches to Chrome in the past month.
If you demand you'll only use products from companies or open source projects that have never had a major CVE, you'll be writing a lot of your own software that probably has even worse security.
Any sufficiently complicated product will eventually have major CVEs, as you say. Anyone who has hosted Atlassian's products knows that these products are nothing but garbage fires on the inside, as the commenter above said.
Both of these statements are true and not mutually exclusive in any way.
Think about that for a second. If someone finds a vulnerability in JIRA, they don’t just find a vulnerability in that software: they’ve got access to support tickets, issue tracking, etc about lots of vulnerabilities in lots of software. That’s a big deal.
The fact that the US government had to step in and say PLEASE TAKE THIS SERIOUSLY, rather than Atlassian going into a Code Red situation, shows that they just don’t take the level of responsibility they’ve been given as seriously as is required for what they’re doing. This isn’t just some lousy app having a CVE. This is the keys to the kingdom for a lot of very critical software. This is systemic risk. The problem isn’t the code, it’s the culture.
If you “work in the world of business software” and you think that’s a “complete bullshit statement,” I really hope you don’t work on anything for which such systemic risk is possible. Because, to turn your statement back on you, that’s a complete bullshit way to treat the responsibility you have for the data with which you’ve been trusted. Go build a social media app or an online shopping site or something, and stay out of critical systems that can create cascading vulnerabilities.
Confluence has become an absolutely disgusting, bloated Javascript beast. The amount of JS that it loads is unbelievable.
I’m not really sure what the point of the rant is. It’s not as if such a comment conclusion is as big of a deal to reality as an idiot staying unvaccinated.
But I get it; someone is “wrong”* on the internet.
* where wrong is defined very specifically to one or a handful of particular readers but the error doesn’t rise to being a real problem for humanity
Well that and spending any amount of time using it and feeling the crustiness.
You can't easily dump Jira if you are using Jira, confluence, bitbucket, and whatever their CI/CD product is called (bamboo?)
Everything from sales to support to customizations and integrations matters to companies, especially as they grow and develop their own teams and management structures which require the software to mold into their workflows. Whether the management processes are the best is a different conversation, but being able to support any scenario is why Jira and Confluence are so successful.
It's the same reason why Salesforce has dominated CRMs even with so many "modern" alternatives around.
I've tried a lot of these products and in the end come back to Jira because it works better on average for everyone.
If you come to a venue like Hacker News, you'll mostly be getting opinions of the people who actually use the product. These opinions do not reflect the interests and priorities of the people who decide which product to buy.
I work with a Jira instance that has something like 20 years of history and over half a million tickets. Migrating just the tickets and their comments might be possible, but migrating all the other metadata and every service and automation we've integrated into the workflows (some of which we depend on to be able to work at all) would take months of work if a suitable alternative even exists in the first place.
If it were just tickets and some CI integrations, migrating away from Jira would be trivial, but that's not where all the value is.
The rest of your comment reads like you continue to be naive to Atlassian’s success. I have to think many people do find unique value in their products (myself included), some people don’t laugh rudely when they hear what folks are working on, and I think that shows in the overall achievements of the Atlassian team and product.
I’ve witnessed first hand truly fantastic organizational changes after adopting Jira, Confluence, etc., and I wouldn’t continue to write them off so easily.
Nothing Atlassian does is that much better than past tooling, it all comes down to how you want to run your org, what discipline you apply, and where you apply it.
Wow, this is incredibly mean.
There are still not any knowledge base tools that can keep up with Confluence. For Jira the competition is slowly catching up, but there is still a large gap for big organizations. That's why they are still here: their product is still superior to the competition.
Atlassian get a lot of criticism that's not always justified.
For my part, I've spent enough time using both Atlassian products and competitors to find something to hate in all of them. Familiarity breeds contempt.
No. It's because their products are sticky in nature. The tools are used to hold the current state and historic knowledge of the organisation, and even the thought of replacing one of them gives IT manager types the shakes.
Yeah, I think that perception used to be pretty hardcore years ago.
I eventually realised that so many, many companies use this software as a backbone to their company and operations. And for the majority of those, the companies like it. So much so that instead of migrating to a competitor, they move to the new cloud offering.
[0] https://www.realestate.com.au/news/the-list-australias-top-t...
That might be the most disconnected-from-reality statement in this entire discussion.
Whatever you think about the quality of Atlassian's products, they are ridiculously entrenched and about as easy to "disrupt" as Microsoft Windows.
They just sell their feature list to CEO’s and Product Manager/Scrum Lords, and suddenly Atlassian is an absolute requirement.
This was already obvious to anyone actually using their products.
It's probably because they primarily target non technical folks. Our IT department has inherited numerous Atlassian products adopted by business units and it takes at least a year or two to unwind them if ever.
In the meantime they just keep cashing those checks.
And what are these practices?
> assume that there are problems of a similar nature in their cloud service
?
> then everyone around them also started laughing
You know, I'm sure that highly paid dev felt just fine.
NIST Link to issue: https://nvd.nist.gov/vuln/detail/CVE-2021-26084
Tweet from USCYBERCOM urging users to patch: https://twitter.com/CNMF_CyberAlert/status/14337876717851852...
Tweet from BadPackets showing where the bad actors are originating from: https://twitter.com/bad_packets/status/1433157632370511873
But on the “attacks coming from”, I’ve never understood putting stock in these. Aren’t these all going to be proxies and botnets?
For the bug in question, I bet the vast majority of webservers never need the ability to call unrestricted Runtime.exec(), yet access to that is just one unsanitized input away from complete control over your server.
OS vendors have made leaps and bounds in the past decade making it much harder for code vulnerabilities to lead to system takeover. I'd argue it's time for server code and language runtimes to make it easier to write secure code.
[edit] Oh it's even better. Their site says 'Note: if you are a tech administrator, you will always receive these notifications.' but they never mailed us. Great job, Atlassian, great job.
Then, Atlassian updated the ticket a day later to state the issue affected all servers on the affected versions regardless of user authentication or registration but didn’t send out a follow up communication when they did so. Instead they waited until Friday afternoon before a US holiday weekend to send out another update. So if you weren’t watching the source ticket directly and thought you could wait due to the setting distinction you wouldn’t have known for over a week and you were left vulnerable.
Atlassian should have sent out another communication to all customers as soon as they knew the scope was broader than they had initially thought.
This is a dangerous statement to make and should be revised to say:
> The vulnerability only affects standalone versions of the software, not the managed service of confluence provided directly by Atlassian.
The problem with the former is that lesser technical people, especially directors, might assume they're fine because their standalone instances are hosted on GCP/AWS/Azure, which counts to them as "cloud".
Reserving 1% because I'd strike "lesser technical" from your final sentence. The misleading quote is simply not correct. It is misleading because it's not true. It says Confluence hosted in the cloud is not vulnerable. False statement that can mislead anyone regardless of how technical they are.
They said "lesser technical people", not "less-technical people". A more technical person might not be able to read between the lines, but a better technical person should.
Here follows the definitions I am familiar with:
"premise" - a house or building, together with its land and outbuildings, occupied by a business or considered in an official context.
"premise" - a previous statement or proposition from which another is inferred or follows as a conclusion.
(I have the privilege of worrying about this because my company uses Confluence Cloud. It's vastly inferior to our old self-hosted MediaWiki, but at least it's not an open barn door.)
Really though, "self-hosted" would make even more sense, as companies often deploy such applications in one or more "off prem" environments anyway. I'd hardly consider my company's multi-region/multi-AZ AWS VPC to be my "premise".
We got hit by this and had to shut down and upgrade. Atlassian are taking a while to send new license keys.
For God's sake, can we all agree to stop using OGNL at this point? At my previous job I kept having to fix OGNL vulnerabilities on our stack; it was awful.
Don't remember the Apple developer portal hack? OGNL.
What about Equifax? OGNL
This thing is so freakingly insecure it's crazy.
Also, not having confluence for a day exposed just how reliant we were on it for day-to-day activities.
For someone not familiar with their products, what did they do for you specifically?
Our teams were also able to do a “network isolation” and essentially bring the server offline quickly, without touching more pieces and possibly exposing our credentials or tokens.
We also had the paid Overwatch protection, which is CrowdStrike's 24/7 security monitoring solution, which resulted in an actual person emailing half our team at 1am letting us know this was happening and their recommended remediation steps.
FWIW, we dumped crowdstrike for Cisco AMP and have been happy.
Tip: adding noexec to /tmp helped.
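The noexec tip above is only useful if the mount actually carries the option after a reboot, so here is an added audit script (not from the commenter or from Atlassian) that parses /proc/mounts-format text and reports which of the usual writable scratch mounts are missing noexec, nosuid or nodev. The sample mount table is constructed for the example; the set of mount points and options to demand is an assumption about a typical hardening baseline, not a Confluence-specific requirement.

```python
import re
from typing import Dict, List, Set

# Mount points that commonly hold attacker-dropped payloads and the options we
# expect on them. This baseline is an assumption for the example; adjust to taste.
WANTED: Dict[str, Set[str]] = {
    "/tmp": {"noexec", "nosuid", "nodev"},
    "/var/tmp": {"noexec", "nosuid", "nodev"},
    "/dev/shm": {"noexec", "nosuid", "nodev"},
}

# Constructed sample in /proc/mounts format: /tmp lacks noexec, /dev/shm is
# fully hardened, and /var/tmp is not a separate mount at all (so it inherits
# the root filesystem's exec permission).
SAMPLE_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime,size=2097152k 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
"""

_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")


def _unescape(field: str) -> str:
    """/proc/mounts encodes spaces and other specials as \\040-style octal escapes."""
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text: str) -> Dict[str, Set[str]]:
    """Map each mount point to the set of mount options it was mounted with."""
    mounts: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line
        mountpoint = _unescape(parts[1])
        # Options like size=2097152k carry a value; only the option name matters here.
        options = {opt.split("=", 1)[0] for opt in parts[3].split(",")}
        mounts[mountpoint] = options
    return mounts


def missing_hardening(mounts: Dict[str, Set[str]],
                      wanted: Dict[str, Set[str]] = WANTED) -> Dict[str, List[str]]:
    """Return, per expected mount point, the options that are absent.

    A mount point that does not appear at all is reported as 'not a separate mount',
    because it then simply inherits the parent filesystem's options.
    """
    findings: Dict[str, List[str]] = {}
    for mountpoint, required in wanted.items():
        if mountpoint not in mounts:
            findings[mountpoint] = ["not a separate mount"]
            continue
        missing = sorted(required - mounts[mountpoint])
        if missing:
            findings[mountpoint] = missing
    return findings


def audit_live_system() -> Dict[str, List[str]]:
    """Run the same check against the real /proc/mounts of this host."""
    with open("/proc/mounts", encoding="utf-8") as fh:
        return missing_hardening(parse_mounts(fh.read()))


if __name__ == "__main__":
    for mp, problems in missing_hardening(parse_mounts(SAMPLE_MOUNTS)).items():
        print(f"{mp}: {', '.join(problems)}")
        # e.g. remediate with: mount -o remount,noexec,nosuid,nodev /tmp
        # and persist the options in /etc/fstab so they survive a reboot.
```

Run `audit_live_system()` from a cron job or a configuration-management check; a non-empty result means a dropped payload under that path can still be executed, which is exactly what noexec was meant to stop.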
Atlassian products are some of the worst glued-together garbage in the industry. The entire product surface area is probably rife with exploits.
Using Confluence or Jira will show you just how much Atlassian cares about its own products.
I'd love for this to be the straw that breaks the camel's back and makes IT/infosec orgs move away from this bilge.
Atlassian produce some of the worst tech on the planet. Trying to administer this crap is horrible.
And don't get me started on how many project managers spend all day staring at Jira tickets instead of actually talking to their teams. Management-by-Jira is a disease, a symptom of bad organisational culture.
At some project size, measured either by software complexity/interoperability or user base, you will need a tool to manage issues and tasks.
What you're talking about is an organization where developers are not empowered - but even empowered developers need an issue tracker or a board of some description.
A "management by jira" culture will not be remediated by tooling.
Then I tried a bunch of their competitors. Still stuck with some of them.
Sadly, some of Atlassian's products - namely Confluence and Jira - are the best in the business.
Those complaining below about PMs staring at JIRA all day... well, this is a problem with PMs, not JIRA, and it happens even if they are using other work management tools. We created a middleman position in our business to deal with the stuff we didn't want to - tracking work, getting requirements, etc - and we must reap what we've sown. They become obsessed with the management stuff because that's why they exist, and they will fill their time to justify their existence.
Since you are looking mostly for the wiki part there is Dokuwiki which is magnitudes better at being a wiki. Remember, wiki is derived from the Hawaiian word for quick or something to that effect and whatever Confluence is it isn't quick.
Don't know how well it will hold up under scrutiny if black hats get a reason to swarm over it, but unlike Confluence you can hire someone to patch the guts of it if necessary.
Edit: I have no reason to believe it is worse than anything else, I'm just pointing out it probably hasn't had so much exposure to help it harden.
I would say it is very darn complete, perhaps without the syntactic linking that Confluence has. The only thing missing from it, is a very solid backup and restore method from the admin panel. The authors want users to rely on database backups and file level backups, that must be handled manually. Essentially saying "not my problem".
VisualEditor is an extremely good WYSIWYG interface. The wiki is able to scale well (project sites are unlikely to approach Wikipedia scale). The API is useful. Wikitext editing gives power users a lot of flexibility, though it’s not as popular as Markdown.
Access control & edit-publish workflow options may be too limited for the desires of some project teams.
http://www.xwiki.org/xwiki/bin/view/Main/WebHome
https://xwiki.com/en/try-xwiki/
[1] https://www.wired.com/story/australia-encryption-law-global-...
So why are they so popular? Because Jira is a wet dream for mediocre micro-managers (of all levels), allowing them to manage by ticket, instead of lead by example.
New thing? Let’s open a new JIRA project and prefix with some random shit show workflow customised by someone who was clearly asleep or incompetent!
> ""["class"].forName(...)
as opposed to:
> "".getClass().forName(...)
Does anyone know why this works in OGNL? It does not appear to be valid Java syntax.
[1] https://github.com/httpvoid/writeups/blob/main/Confluence-RC...
Edit: Oh apparently, it's just a feature of OGNL: https://commons.apache.org/proper/commons-ognl/language-guid...
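To make the point of the question above concrete: in OGNL, `obj["name"]` is just another spelling of `obj.name`, and the `class` property resolves to `getClass()`, so a sanitizer that only looks for `.getClass(` or `.class` lets the bracket form straight through. The script below is an added example, not code from the linked writeup or from Atlassian: it models a substring denylist of the kind a hurried fix might add (the banned substrings are an assumption), shows the indexed form bypassing it, shows that normalizing bracket access to dot access before filtering closes that particular hole, and contrasts both with an allowlist that only admits plain property chains. The payload strings are constructed for illustration and are never evaluated.

```python
import re

# The two forms quoted in the thread, as literal strings (never evaluated here).
DOT_FORM = '"".getClass().forName("java.lang.Runtime")'
INDEX_FORM = '""["class"].forName("java.lang.Runtime")'
BENIGN = "page.title"  # the kind of expression a template would legitimately use

# Hypothetical denylist: blocks the obvious routes to a Class object plus OGNL's
# static (@) and variable (#) syntax. Not Confluence's actual filter.
DENYLIST = (".getClass(", ".class", "@", "#", "new ")

# OGNL property chain: identifiers joined by dots, nothing else (no quotes,
# brackets, parentheses, operators). Anything fancier is rejected outright.
_PROPERTY_CHAIN = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$")

# obj["name"] or obj['name'] -> obj.name, which is how OGNL itself reads it.
_INDEX_ACCESS = re.compile(r"""\[\s*(["'])([A-Za-z_][A-Za-z0-9_]*)\1\s*\]""")


def denylist_is_safe(expr: str) -> bool:
    """Naive check: 'safe' if no banned substring occurs. Easy to slip past."""
    return not any(bad in expr for bad in DENYLIST)


def normalize_index_access(expr: str) -> str:
    """Rewrite string-indexed property access into dot access before filtering.

    This only handles the one equivalence discussed in the thread; OGNL has
    several other ways to spell the same access, which is why a denylist is
    never the final answer.
    """
    return _INDEX_ACCESS.sub(lambda m: "." + m.group(2), expr)


def normalized_denylist_is_safe(expr: str) -> bool:
    """Denylist applied after normalization: catches the ["class"] variant."""
    return denylist_is_safe(normalize_index_access(expr))


def allowlist_is_safe(expr: str) -> bool:
    """Positive check: accept only a bare property chain such as page.title."""
    return _PROPERTY_CHAIN.match(expr) is not None


def classify(expr: str) -> dict:
    """Run every check on one expression so the differences are visible side by side."""
    return {
        "denylist": denylist_is_safe(expr),
        "normalized_denylist": normalized_denylist_is_safe(expr),
        "allowlist": allowlist_is_safe(expr),
    }


if __name__ == "__main__":
    for name, expr in (("dot form", DOT_FORM), ("index form", INDEX_FORM), ("benign", BENIGN)):
        print(f"{name:11} {expr!r:48} {classify(expr)}")
```

The index form is the interesting row: the plain denylist reports it as safe, the normalized denylist rejects it, and the allowlist rejects both payloads while still admitting `page.title`. If user input must reach an expression language at all, the allowlist shape is the one to ship; the normalization step is shown only to explain why the bracket syntax defeated the naive filter.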
No, the rest of the company shouldn't be required to enter the complex and esoteric world of Git and fire up a terminal + a bloated code editor and deal with merge conflicts just so they can collaborate on a simple text doc.
This reads like a horror story I'd find on the landing page of some Saas tool under a heading that reads, "The Problem"
All the people who claim it is awful software, they ignore how many people love the Atlassian suite.
And in addition to that, when you use SaaS, security is a top priority; a SaaS provider can't allow the data of its customers to be leaked on the web. Whereas, once again, when it is internal data, people will be less cautious.
I agree that a lot of SaaS startups are going to neglect security. But here we are talking about knowledge base SaaS companies. This is not some standard SaaS company. They know they are in charge of company internal secrets. Or at least I hope.
But a big point of hosting it internally is that you don't have to.
It was a constant battle of "the critical basic feature you need in this micro version is broken" and other critical functions being hidden in random places.
I applied to their engineering team citing my experience and ability to help with a lot of these things, but never even heard a response.
Current alternative software suites I've seen are beyond terrible or generally non-existent / missing major features. I'm sure there's some "pretty SaaS solutions" out there from a startup that charges exorbitant prices, but I don't believe their back end or security are going to be any better.
Confluence, at its core, is just a wiki. Sometimes it needs to be available online, sometimes it really doesn't.
(This is opposed to the lazy model, where your application is fully exposed to the web and you click log in and it redirects to SSO; if there is a vulnerability that doesn't require authentication you're already compromised.)
The proxy will handle sign in and passes traffic to/from the webserver backend, and you should not be able to send a single HTTP request to the underlying application without the proxy capturing authentication and who the user that sent the request was.
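The two deployment models in the comments above, as an added example that is not from the commenter or from Atlassian. A stand-in backend counts every request it receives and, like the real bug class under discussion, serves one endpoint without any login. In the "lazy" model the application is reached directly, so that endpoint is reachable by anyone; in the proxy model a session check runs before a single request is forwarded, and the proxy sets the identity header itself instead of trusting whatever the client sent. The endpoint path, the session store and the `X-Forwarded-User` header name are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed session store: cookie value -> authenticated user. A real proxy
# would validate a signed session cookie or an OIDC token instead.
SESSIONS: Dict[str, str] = {"c0ffee": "alice"}

IDENTITY_HEADER = "X-Forwarded-User"  # assumed header the proxy uses to pass identity


@dataclass
class Backend:
    """Stand-in for the application server; records how many requests reach it."""
    requests_seen: int = 0

    def handle(self, path: str, headers: Dict[str, str]) -> Tuple[int, str]:
        self.requests_seen += 1
        # Hypothetical endpoint the application itself serves without authentication,
        # i.e. the kind of code path a pre-auth vulnerability lives on.
        if path == "/template/preview.action":
            return 200, "rendered template for anonymous caller"
        user = headers.get(IDENTITY_HEADER, "anonymous")
        return 200, f"page for {user}"


def lazy_model(backend: Backend, path: str,
               cookies: Dict[str, str], client_headers: Dict[str, str]) -> Tuple[int, str]:
    """Application exposed directly: its own routing decides what needs a login,
    and client-supplied headers arrive untouched."""
    return backend.handle(path, dict(client_headers))


def authenticate(cookies: Dict[str, str]) -> Optional[str]:
    """Resolve the session cookie to a user, or None if there is no valid session."""
    return SESSIONS.get(cookies.get("session", ""))


def proxy_model(backend: Backend, path: str,
                cookies: Dict[str, str], client_headers: Dict[str, str]) -> Tuple[int, str]:
    """Authenticating reverse proxy: no request reaches the backend unauthenticated.

    Client headers are deliberately discarded so a caller cannot forge the identity
    header; the proxy builds the upstream header set from scratch.
    """
    user = authenticate(cookies)
    if user is None:
        return 401, "redirect to SSO"
    upstream_headers = {IDENTITY_HEADER: user}
    return backend.handle(path, upstream_headers)


if __name__ == "__main__":
    direct = Backend()
    print("lazy  :", lazy_model(direct, "/template/preview.action", {}, {}), direct.requests_seen)
    gated = Backend()
    print("proxy :", proxy_model(gated, "/template/preview.action", {}, {IDENTITY_HEADER: "admin"}),
          gated.requests_seen)
    print("proxy :", proxy_model(gated, "/dashboard", {"session": "c0ffee"}, {IDENTITY_HEADER: "admin"}),
          gated.requests_seen)
```

Two things make this hold up outside the example: the backend must be reachable only from the proxy (firewall or private network, so nobody can connect to it directly and skip the gate), and the proxy must own the identity header end to end, as `proxy_model` does by never copying client headers upstream.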
But so that you still can ensure data locality or run a customised instance etc. if you have requirements around that. Plus licensing is approx. 40% of the full SaaS cost at scale, so it may be cheaper to deploy that way.
Confluence is often where the long-term docs for product/design oriented team members end up living, or at least being linked.
The easy two-way connection between Jira and confluence uses syntax any social media user will be familiar with, so non-techies can link the 'what' with the 'why' in a task before engineers even see them in a grooming session.
Anything that moves documentation and ticket preparation effort away from engineers/tech leads/team leads has a significant hidden saving.
But actually that's not the key point. Nobody buys just Confluence. That would be silly. A bland and terrible (but free) wiki software is definitely better than Confluence.
People buy JIRA. And then you've bought into the Atlassian ecosystem, and you want the nice tight integration with your wiki software
https://www.cvedetails.com/product/8170/Atlassian-Jira.html?...
I would also say based on experience that if they tell you that an exploit can't be used against any of their other software that you shouldn't ever believe them.
https://www.shodan.io/domain/ycombinator.com
At the moment, I think we're checking around 600 million hostnames.
If they devote more time per target, they can also go after specific data, e.g. for espionage or insider trading.
One compromised server can also serve as a foothold ("oh, you have a service account with all permissions on that server? nice!") which then allows all of the above to be launched against a bigger part of the infrastructure.
That doesn’t explain what the benefit of the attack is. It just explains that it’s an effective attack.