Atlassian's IT security practices drew heat from some of its customers following the disclosure of a critical flaw in one of its on-premises software products this month.
The second actively exploited critical Atlassian Confluence vulnerability revealed in less than a year set off discussions among IT practitioners about the company's overall stance on IT security and what multiple observers described as a concerning pattern of serious vulnerabilities among the vendor's products.
The flaw lets attackers exploit a bug in the underlying open source Object-Graph Navigation Language (OGNL) to gain remote code execution on Atlassian Confluence Server and Data Center, the on-premises midmarket and enterprise editions of the company's wiki software. A patch for versions 7.14.17 and up was released June 3, although customers that run Confluence in a cluster will not be able to upgrade to the fixed versions without downtime, the company said in a post to its advisory page.
As of June 14, security researchers reported as many as 5,000 servers still open to exploits of this vulnerability. A separate critical Atlassian Confluence vulnerability, stemming from an OGNL bug but unrelated to this month's vulnerability, also arose in September 2021, and ranked among the most actively exploited bugs for the year.
Atlassian's Jira Data Center software has been the subject of multiple Common Vulnerabilities and Exposures (CVE) advisories over the past year. A critical flaw in the Jira Seraph authentication framework was disclosed in July 2021; another was disclosed this week, a full-read Server Side Request Forgery (SSRF) vulnerability found in a mobile plugin for Jira Data Center and Server.
"The CVEs have been coming out often this year," wrote Rodney Nissen, senior Atlassian admin at video game company Activision Blizzard, in a blog post this week. "But I think this is just the nature of Atlassian being as big as it is now. When you have a tool with a wide adoption, it becomes an attractive target for hackers. They know they will likely come across a Jira or Confluence instance in the wild, so having methods to break in is well worth the effort."
Other IT pros took a less forgiving stance toward Atlassian's overall security posture, with some saying there is a pattern of critical, actively exploited vulnerabilities that is cause for concern.
"My clients often complain about the number of critical bugs [in Atlassian Jira]," said Luiz Quintela, an independent principal consultant at Raskere LLC, which advises large enterprise clients on Agile project management. "In fact, a few of them moved to Azure DevOps because of that."
Two customers that made the switch in 2020 were Fortune 50 financial institutions that were already Microsoft shops and could make do with a combination of tools available with Office 365, such as OneNote and Teams for collaboration and Azure DevOps for project management, Quintela said. Another, a defense contractor, evaluated VersionOne and Azure DevOps before choosing the latter in late 2021.
"It's actually hard to admit this, but Microsoft got a lot more responsive [to vulnerabilities] than they used to be, and I think Atlassian, because they have a much larger market share in things like Jira and Confluence ... they tend to be at least a little bit less responsive," Quintela said. "I don't think they care as much about security as they should ... some of these bugs should have been caught in testing."
Atlassian Confluence cloud unaffected -- or is it?
Atlassian claims in each of the recent CVE advisories that none of the CVEs affects its cloud products, although the company must also face the repercussions of its prolonged cloud outage in April as it looks to push customers away from on-premises products into the cloud.
Still, one customer that took internally managed Atlassian Confluence systems offline in the wake of this month's vulnerability said ongoing vulnerabilities in on-premises products represent a compelling argument to evaluate Atlassian cloud services.
"Their cloud is updated more often," said Mike Miracle, chief strategy officer at online backup company Catalogic Software Inc., in Woodcliff Lake, N.J. "Cloud-based software comes with more modern practices and you benefit from other people's layers of protection."
Nissen, whose company uses primarily on-premises Atlassian Data Center products, was skeptical that such vulnerabilities are truly absent from the cloud. He acknowledged, however, that Atlassian's cloud team may mitigate them faster.
"With Jira Cloud, Atlassian is a first-party maintainer of those instances," Nissen wrote in his post. "This arrangement means they can quietly handle any problems found in Jira Cloud behind the scenes."
Still, that doesn't make cloud inherently better than on-premises products for security in his view, Nissen added.
The codebase for Atlassian's cloud products diverged from on-premises products years ago, most significantly in breaking apart from monolithic apps into discrete microservices, said Atlassian Chief Trust Officer Adrian Ludwig in an interview this week. This month's Confluence vulnerability was present in the cloud version as well, he said, but was separated from other services under this microservices architecture, quickly patched and inaccessible via the public internet.
For some IT security sticklers, however, this isn't enough to say Atlassian cloud is unaffected by CVEs.
Among the most outspoken critics of Atlassian security this month was former Air Force and Space Force Chief Software Officer Nicolas M. Chaillan, now an independent consultant and member of several advisory boards for IT security startups. Chaillan blasted Atlassian's security practices in a LinkedIn post shortly after the vulnerability was first disclosed June 2, saying they had been flawed for years.
"I've lost count of how many critical CVEs Atlassian and their CVE-ridden suite have had in the last couple of years," Chaillan wrote. "All Atlassian customers, including the government, should stop using Atlassian ... products immediately."
The same goes for Atlassian cloud tools, Chaillan added in a comment on his post.
"Using SaaS doesn't mean that goes away," he said. "Worse, multi-tenancy makes it harder to secure."
Other on-premises users were relatively unconcerned about this month's vulnerability because their systems were also not accessible from the public internet. One also praised Atlassian's proactive communication about the vulnerability, which it disclosed before a patch was available.
"Atlassian is one of the few companies communicating about an issue as soon as they can, as soon as there's some mitigation, and not waiting for a patch to be published," said Frederick Ros, head of digital workplace services at Amadeus, an IT services and consulting company in Madrid.
Former DoD DevSecOps pros call out Atlassian on dependencies
The main point of contention for Chaillan and others who have worked on the Department of Defense (DoD) Platform One DevSecOps project is that Atlassian has not done more to fix vulnerabilities in the upstream open source libraries its commercial products such as Confluence and Jira contain as dependencies, or to move away from those vulnerable libraries altogether.
As a result, Atlassian Jira had one of the worst risk assessment scores, 18.2%, of any software published as part of the Platform One Iron Bank repository of digitally signed container images, according to Robert Slaughter, CEO of defense contractor Defense Unicorns. Slaughter was director of Platform One at the Air Force from January 2020 until April 2021. By comparison, communication and collaboration software from Mattermost, while still not at officially approved status on the Iron Bank as of June 14, had a 76.9% score, according to Slaughter.
"With a better security posture, Atlassian would have likely never adopted those vulnerabilities to begin with [and] rather than make upstream contributions to fix those issues or move off those solutions, they keep them," Slaughter said. Platform One's risk assessment score system remains in beta, but Slaughter called Atlassian's score "shocking."
"Atlassian is for sure one of the worst offenders that is used across DoD," Slaughter said.
Atlassian officials dispute the claim that the company's approach to dependencies is unsound from a technical security standpoint.
"The current approach that we use for our on-premises products is that if we find there's a bug inside of a dependency, we review whether that bug is within code that is actually used inside of our application," said Atlassian's Ludwig. "If it's in a method that we never invoke, the bug exists, we acknowledge that the bug exists, but it's not really a vulnerability."
Chaillan dismissed this in his post as "nonsense."
Multiple officials from the Air Force and the DoD did not respond to online messages seeking comment about whether Atlassian products are still actively used on Platform One. However, Slaughter, Chaillan in his post and another engineer at Defense Unicorns familiar with Platform One said they are.
"They use them because the tech stack is tied to it," Slaughter said, echoing Quintela's view that Atlassian lacks strong competition for Jira and Confluence. "It's a core part of people's workflow, tied to major systems."
Atlassian exec pledges renewed security efforts
While Ludwig said that Atlassian's approach to vulnerabilities remains technically sound from the company's point of view, he acknowledged that it's a difficult one for many IT pros to clearly understand. The company must step up efforts to improve its IT security image in the market, he said, and is considering new approaches to security in order to further trust among customers.
"Having people be comfortable with the approach and feel like it matches their expectations is really important, and so even though I think what we've been doing is technically correct, I don't think it's pragmatically correct," Ludwig said. "Because we're now spending time on describing what we're doing, and making people be comfortable, and it's probably going to be more efficient for us to just fix the issue."
Ludwig said his promotion last year from chief information security officer (CISO) to chief trust officer, a broader role that oversees the office of the CISO and incorporates governance and resiliency, is part of the company's efforts to assuage IT pros' concerns about its security. He didn't offer full details of the company's plans to change its approach to security but did say it will consider offering a software bill of materials that details its products' dependencies so that users can understand what they are more clearly.
"We're making changes in order to make sure that we're patching more things more frequently," he added on the topic of vulnerable dependencies. "I don't believe that that's going to make a material improvement in the quality of our product, it likely will make it a material improvement in that [Platform One risk assessment] score."
High-profile cybersecurity breaches have mounted over the last three years, most significantly in the SolarWinds attack in late 2020 and the Log4j vulnerability in late 2021. As a result, Ludwig said, Atlassian's customers, along with the rest of the tech industry, have developed more awareness and become more deeply concerned about security, especially software supply chain security.
"Three years ago, a year ago, six months ago, it would have been acceptable to say, 'We've done an evaluation and we believe this is not a vulnerability because it's not exploitable,'" he said. "We see uniformly across our data center customers now a shift toward demanding more, so we're moving in that direction."
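The triage Ludwig describes (a dependency bug counts as a vulnerability only if the affected method is reachable from the application) and the dependency-level view a software bill of materials would give a customer can be modelled in a few lines. The following is an added illustration, not Atlassian's or Platform One's code; the SBOM entries, component names, versions and call graph are all constructed placeholders.

```python
"""Added example: reachability triage of vulnerable dependencies (not vendor code)."""
from collections import deque

# Constructed SBOM-style component list; names, versions and the
# "vulnerable_methods" sets are illustrative placeholders, not real advisories.
SBOM = {
    "example-expression-lib": {"version": "1.0.0",
                               "vulnerable_methods": {"ExprLib.evaluate"}},
    "example-json-lib": {"version": "2.3.1", "vulnerable_methods": set()},
}

# Constructed application call graph: caller -> set of callees.
CALL_GRAPH = {
    "App.main": {"App.renderPage", "App.parseConfig"},
    "App.renderPage": {"ExprLib.render", "JsonLib.parse"},
    "App.parseConfig": {"JsonLib.parse"},
    "ExprLib.render": {"ExprLib.format"},              # never calls evaluate()
    "ExprLib.evaluateRequest": {"ExprLib.evaluate"},   # dead code in this app
}


def reachable(graph, roots):
    """Breadth-first walk: every method the app can call from the given roots."""
    seen, queue = set(roots), deque(roots)
    while queue:
        for callee in graph.get(queue.popleft(), ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def triage(sbom, graph, entry_points):
    """Vendor-style verdict per component: 'exploitable', 'present-not-reachable' or 'clean'."""
    live = reachable(graph, entry_points)
    verdicts = {}
    for name, comp in sbom.items():
        if comp["vulnerable_methods"] & live:
            verdicts[name] = "exploitable"
        elif comp["vulnerable_methods"]:
            verdicts[name] = "present-not-reachable"   # the bug ships, just unreached
        else:
            verdicts[name] = "clean"
    return verdicts


def components_to_upgrade(sbom):
    """Customer/SBOM view: any component carrying a known bug, reachable or not."""
    return sorted(n for n, c in sbom.items() if c["vulnerable_methods"])
```

Run against `App.main` the triage reports the expression library as present but unreachable, while the SBOM view still lists it for upgrade; adding `ExprLib.evaluateRequest` as an entry point flips the same component to exploitable, which is why the "not exploitable" verdict depends on the call graph staying accurate.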
Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.