Atlassian was so kind to update their mailing lists somewhere over the last year or so. Previously, they would email the 'technical contact' of the license about any vulnerabilities. They quietly switched to some other notification system and never informed us about it. Hence we missed the update and got a free Bitcoin miner. Thanks Atlassian, I'll make sure to get your products out of the door as soon as possible.
[edit] Oh it's even better. Their site says 'Note: if you are a tech administrator, you will always receive these notifications.' but they never mailed us. Great job, Atlassian, great job.
Another issue is that they sent out the initial communication on August 25th (which I did receive), but the original wording indicated that it only affected servers that allowed user self-registration. We didn’t have that enabled, so I held off for a bit because the risk seemed lower and our upgrade process is a bit arduous (we have quite a few customizations on the server and need to perform all upgrades on a test instance and validate first) and our instance requires authentication through a load balancer before it’s even accessible.
Then, Atlassian updated the ticket a day later to state the issue affected all servers on the affected versions regardless of user authentication or registration but didn’t send out a follow up communication when they did so. Instead they waited until Friday afternoon before a US holiday weekend to send out another update. So if you weren’t watching the source ticket directly and thought you could wait due to the setting distinction you wouldn’t have known for over a week and you were left vulnerable.
Atlassian should have sent out another communication to all customers as soon as they knew the scope was broader than they had initially thought.
100%, I did the same thing on my side. If shit really hit the fan I could've lost my job because of this as it was my call to not patch. When I went back to the link provided in the email the self-registration part was removed, so I looked like a complete tool over Zoom when trying to explain this situation to my boss.
If it helps you at all, we aren’t the only ones who were blindsided by the severity-level update and lack of further communication. There are several comments on the source ticket calling out the poor communication, and the earlier comments are all asking for clarification about the user registration requirement: https://jira.atlassian.com/browse/CONFSERVER-67940
Both I and another colleague looked at the issue when it first came out and decided we were “safe” for a bit based on the initial communication. Many IT/IS teams were probably scrambling over the long weekend to patch this issue.
I only got the 'update' from last Saturday, by then it was too late already. Their original advisory was from the 25th, they should have mailed me back then.
If you got the one from Sep 4, you definitely should have gotten the one from Aug 25.
This is unrelated to any mailing-list change, since both were sent from/to the 10991049.xt.local mailing list.
Search for the header entry `List-ID: <10991049.xt.local>` in your Sep 4 email. If it came from that list, the one from Aug 25 will very likely have been lost during transit.
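A way to run the check described above over an exported mailbox rather than by hand, as an added example that is not code from any commenter or from Atlassian: it keeps only messages carrying the `List-ID: <10991049.xt.local>` header and reports which of the advisory dates named in this thread have no matching message. The sample messages, addresses and the year 2021 are constructed assumptions, not real mail.

```python
import email
from email import policy
from email.utils import parsedate_to_datetime
from datetime import timezone

# List-ID quoted in the thread; expected advisory dates (year assumed to be 2021).
ATLASSIAN_LIST_ID = "<10991049.xt.local>"
ADVISORY_DATES = {"2021-08-25", "2021-09-04"}

# Constructed sample messages standing in for an .eml/mbox export (not real mail).
RAW_MESSAGES = [
    "From: security@vendor.example\nTo: admin@corp.example\n"
    "List-ID: <10991049.xt.local>\n"
    "Date: Sat, 04 Sep 2021 20:11:00 +0000\n"
    "Subject: [UPDATE] Confluence Server and Data Center advisory\n\nbody\n",
    # From the same vendor but not from the list: must not count as an advisory.
    "From: billing@vendor.example\nTo: admin@corp.example\n"
    "Date: Wed, 25 Aug 2021 09:00:00 +0000\n"
    "Subject: Invoice\n\nbody\n",
]


def messages_from_list(raw_messages, list_id=ATLASSIAN_LIST_ID):
    """Return (iso_date, subject) for every message whose List-ID equals list_id."""
    hits = []
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        if str(msg.get("List-ID", "")).strip() != list_id:
            continue
        # Normalise to UTC so a local-time Date header cannot shift the day.
        sent = parsedate_to_datetime(str(msg["Date"])).astimezone(timezone.utc)
        hits.append((sent.date().isoformat(), str(msg["Subject"])))
    return hits


def missing_advisories(raw_messages, expected_dates=ADVISORY_DATES):
    """ISO dates on which an advisory was expected but no list message was seen."""
    seen = {sent for sent, _ in messages_from_list(raw_messages)}
    return sorted(set(expected_dates) - seen)


if __name__ == "__main__":
    for sent, subject in messages_from_list(RAW_MESSAGES):
        print(sent, subject)
    print("missing:", missing_advisories(RAW_MESSAGES))
```

To use it on a real export, load each message's raw text into the list in place of the constructed samples; a message trace on the mail server is still needed to tell a lost message from one that never left the sender.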
I have used their products in the 10-user license program since 2016 and got automatically subscribed to their mailing list back then, and never made any change to the subscription. I have been receiving emails from that list since 2020-10-17.
On 2020-07-10 I got a mail from them telling me:
```
Subject: Please double-check your contact details for Atlassian
Making sure you don't miss important emails
Hi,
When you purchased your Atlassian products, we asked for the contact information for two types of people in your organization:
Billing contact - A person we contact with invoice and billing information
Technical contact - A person we contact about product changes, security advisories, etc.
We don't want your company to miss out on important information from Atlassian, so please take a minute to make sure your contact information is current. Here's what we have in our system:
```
I'm listed as the technical contact and have been for 5+ years and also get the regular mails to 'verify contact details'. I did not get the Aug 25 email. I did get the Sep 4 mail from that list ID.
Once I noticed I did not get an email, on Sep 3, I checked some checkboxes at https://my.atlassian.com/email
But that page also says tech contacts should always receive an email regardless of settings. I have received other security announcements in the past.
Office 365 can't find any emails from Atlassian on Aug 25 when searching using the Message trace tool (which also includes any spam mails, deleted mails, et cetera), so I would suggest Atlassian fix their mailing list.
How big is your organisation? I know it shouldn’t matter but your CS person would likely have reached out if they’re anything like Amazon, Microsoft, Salesforce, etc.
I’ve always found government, sensitive customers (banks, payment processors, healthcare) and big spenders get prioritised with phone call notifications.
However with a deprecated product, the financial impact is so minuscule - leadership won’t prioritise this one unless you’re big fish.
> your CS person would likely have reached out if they’re anything like Amazon, Microsoft, Salesforce, etc.
The only companies that are like those companies are those companies.
In most companies, the CS people don't know what anything in that sort of alert means and will discard it thinking that it's a spam or phishing attempt.
The problem is not that he doesn't work for a megacorp. The problem is that Atlassian screwed up.
I think the claim here is that Atlassian's post-sales account representatives ("customer success"?) would have proactively reached out to the technical contacts of large companies with a personal email - and known exactly what person to talk to, because they stay in touch - because Atlassian is an organization like Amazon, Microsoft, or Salesforce.
I think you're reading it as saying that the helpdesk people ("customer support"?) at a large organization like Amazon, Microsoft, or Salesforce would be trained to recognize a mis-directed email from a vendor and send it to the right place, but I don't think that's the claim being made.
If O365 can't find the email and the O365 message tracing does not show anything, it seems likely that the mail was not actually delivered by Atlassian. If O365 loses mails and these mails do not show up in message tracing either (i.e., not classified as spam), we would probably have heard about that by now.
Also, regardless of whether or not I received the mail, the initial mail stated that only authorized users could exploit this. So Atlassian did not inform any of their users fully until Sep 4, whereas they were well aware on Aug 26 that the vulnerability was exploitable by anyone.
> If O365 loses mails and these mails do not show up in message tracing either (i.e., not classified as spam), we would probably have heard about that by now.
Internet email has never been considered a highly-reliable messaging system; it's quite possible an infrequent data loss in a mail server would get misattributed to a failure outside.
Heck, even ignoring the unreliability of email generally, in fact, your assumption that it must not occur because you haven't previously heard about it demonstrates how that might happen.
> Internet email has never been considered a highly-reliable messaging system
While that may be true, it seems vastly less likely to be the cause for the GP not receiving precisely this mail... Given that several other commenters only on this page mention not being able to find any evidence of having received this particular missive, William of Ockham would fall over with laughter at the idea that they all just happened to have email system glitches at the exact same mail.
But that is not the main point. Even if the email was lost somewhere in Office 365, people were already pointing out to Atlassian that they should really send a follow up on Aug 27:
The follow-up request was to notify users that the advisory had been updated, not to ensure that customers received the Aug 25 email which linked to that advisory.
Either it was Atlassian's mailing list software which did not attempt to re-send the email to you after it noticed that the connection got dropped (should that have happened), or it was Microsoft which dropped the email after receiving it, but before storing it into the database and assigning it to your account.
You cannot know who is responsible for this delivery error unless you ask them directly.
They absolutely do silent drops of email they consider suspect. Anybody who works with email can tell you this. What this metric is nobody knows outside their walls. Google and other big providers do this too, some regard Microsoft a bit more skittish perhaps.
Yes, I did. I also ran an Exchange Message Trace (this is just standard Office 365, nothing fancy) and there was only 1 message from Atlassian in the last 15 days which was the update email that was too late to prevent exploitation. So they did not email me in time.