692 points by daniaal 1638 days ago | 336 comments on HN
| Mild positive Editorial · v3.7· 2026-02-28 14:05:20 0
Summary Digital Security & Work Infrastructure Advocates
This ZDNET article reports on active mass exploitation of CVE-2021-26084, a critical Atlassian Confluence vulnerability, emphasizing urgent patching requirements and collective IT community response. The content strongly advocates for infrastructure protection through transparent reporting of official warnings, technical analysis, and actionable guidance, with particular focus on safeguarding workplace documentation systems and labor environments. Editorial stance consistently supports digital security as foundational to work, privacy, and collective welfare.
A colleague who runs security at an ASX 200 company found crypto mining running within a day of the vulnerability being announced. They've since patched and cleaned up the hosts they run Data Centre on. Patch quickly, and check for the IoCs listed in Daniaal's tweet below.
My employer was bit by this on Wednesday. Thankfully we had Crowdstrike on it which blocked any real damage. But it definitely moved our cloud migration from “later this year” to “later this month”.
Also, not having confluence for a day exposed just how reliant we were on it for day-to-day activities.
Atlassian was so kind to update their mailing lists somewhere over the last year or so. Previously, they would email the 'technical contact' of the license about any vulnerabilities. They quietly switched to some other notification system and never informed us about it. Hence we missed the update and got a free Bitcoin miner. Thanks Atlassian, I'll make sure to get your products out of the door as soon as possible.
[edit] Oh it's even better. Their site says 'Note: if you are a tech administrator, you will always receive these notifications.' but they never mailed us. Great job, Atlassian, great job.
That's one of the selling point of Saas compared to hosted instance honestly. Some company think that having Confluence hosted internally is going to increase the security. But this is wrong. When you rely on a Saas provider. The provider has people who monitor the infrastructure constantly whereas when you hosted on your own server, the confluence instance is just one of the many services that they manage. And even if some company will be very reactive to events like this. The majority of companies will be much slower.
And in addition to that. When you use Saas. Security is a top priority, a Saas provider can't allow to have data of its customers leaked on the web. Whereas once again when it is internal data people will be less cautious
The good thing about the fact that Atlassian offers both on-prem and cloud versions of their offerings is, everyone is now aware of the awful engineering practices that underpin their products. We have to assume that there are problems of a similar nature in their cloud service, which is way more of a problem considering the number of orgs that depend on the JIRA SaaS offering.
Maybe the founders could have used some of that time spent planning a tunnel between their side-by-side $100M houses, or engaged in Twitter rants, to actually bother delivering value to customers. It’s only a matter of time before this product suite is disrupted, and it might represent one of the most obvious low-hanging opportunities in our entire industry.
I still remember being in line at a WWDC a few years back, overhearing someone ask a developer, “where do you work?” When the developer responded with “HipChat,” the other person immediately chuckled and said, “oh — Atlassian... I’m sorry” — and then everyone around them also started laughing. It’s amazing that this company continues to fall up, and that the founders have taken on roles as the ruling digital gurus of Australia (shows you why it’s so easy for the government to run circles around the local tech industry and pass whatever laws they want).
> The vulnerability only affects on-premise servers, not those hosted in the cloud.
This is a dangerous statement to make and should be revised to say:
> The vulnerability only affects standalone versions of the software, not the managed service of confluence provided directly by Atlassian.
The problem with the former is that lesser technical people, especially directors, might assume they're fine because their standalone instances are hosted on GCP/AWS/Azure, which counts to them as "cloud".
I would also say based on experience that if they tell you that an exploit can't be used against any of their other software that you shouldn't ever believe them.
> An OGNL injection vulnerability exists that would allow an authenticated user, and in some instances unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.
For god sake, can we all agree to stop using OGNL at this point? At my previous job I kept having to fix OGNL vulnerabilities on our stack, it was awful.
I spent years "working on" (battling) our own company-hosted Atlassian suite. I'm a software engineer / architect and was thrown admin powers to get a project up and running.
It was constant a battle of "the critical basic feature you need in this micro version is broken" and other critical functions being hidden in random places.
I applied to their engineering team citing my experience and ability to help with a lot of these things, but never even heard a response.
Current alternative software suites I've seen are beyond terrible or generally non-existent / missing major features. I'm sure there's some "pretty SaaS solutions" out there from a startup that charges exorbitant prices, but I don't believe their back end or security are going to be any better.
So that users can be at home or on a mobile device without requiring them to have VPN.
But so that you still can ensure data-locality or run a customised instance e.t.c. if you have requirements around that. Plus licensing is approx. 40% of the full SaaS cost at scale so may be cheaper to deploy that way.
Never used it, but a quick perusal of its Wikipedia article mentions that it was a rewrite of something else using ANTLR, which implies a separate syntax.
This isn't always true. Using a SaaS is outsourcing these concerns, and sometimes you're outsourcing them to someone who will do better than you would and sometimes worse. I've worked on a couple of SaaS where security was absolutely not top priority. Especially in Silicon Valley, organizations often value growth over sound processes, fully staffed security teams, and managing tech debt. Many a SaaS has leaked customer data and survived, so many think they CAN allow that risk.
Nit: I wouldn't say "originating". That's where this specific exploit is coming from "most recently". But it would seem to not be script kiddies and they're listing like 8 countries. I would assume the bad actors could be anywhere, proxying traffic through any number of other places.
I have no idea why you're being downvoted - this is true.
Atlassian produce some of the worst tech on the planet. Trying to administer this crap is horrible.
And don't get me started on how many project managers spend all day staring at Jira tickets instead of actually talking to their teams. Management-by-Jira is a disease, a symptom of bad organisational culture.
So why are they so popular? Because Jira is a wet dream for mediocre micro-managers (of all levels), allowing them to manage by ticket, instead of lead by example.
Bitbucket recently has shockingly poor reliability. Quite often you see nothing on the status page but see other people having issues on twitter. We've nearly migrated everything to github, plus github has better features and more powerful.
There are many jira alternatives out there, from what I can tell. Why are they not disrupted already, if it’s such a low hanging fruit? (Honest question - I don’t have any personal preference)
It's the selling point of self hosting. My jira is behind x509 client certs, others I know are behind oidc connections. You need to be an authenticated user to even load the page. There's two layers of protection from two different companies.
Then I tried a bunch of their competitors. Still stuck with some of them.
Sadly, some of Atlassian's products - namely Confluence and Jira - are the best in the business.
Those complaining below about PMs staring at JIRA all day... well, this is a problem with PMs, not JIRA, and it happens even if they are using other work management tools. We created a middleman position in our business to deal with the stuff we didn't want to - tracking work, getting requirements, etc - and we must reap what we've sown. They become obsessed with the management stuff because that's why they exist, and they will fill their time to justify their existence.
Reserving 1% because I'd strike "lesser technical" from your final sentence. The misleading quote is simply not correct. It is misleading because it's not true. It says Confluence hosted in the cloud is not vulnerable. False statement that can mislead anyone regardless of how technical they are.
It is awful, the worst "search engine" which exists. I absolutely hate it and this is the only thing which wants to make me move away from Confluence. When you need it the most, and this happens often, you know that you definitely cannot rely on it. Any data you put in there is lost, unless you have a good hierarchy and know what to find where without relying on the search.
> The good thing about the fact that Atlassian offers both on-prem and cloud versions of their offerings is, everyone is now aware of the awful engineering practices that underpin their products.
Regardless of what one thinks about Atlassian, this is a completely ridiculous bullshit statement, and anyone who works in the world of business software knows it.
I don't think there is a company out there that hasn't had critical CVEs, nor most major open source projects, either.
Microsoft had a recent vulnerability in their Azure Cosmos DB product that left thousands of customers' data unprotected. Google has released multiple patches to Chrome in the past month.
If you demand you'll only use products from companies or open source projects that have never had a major CVE, you'll be writing a lot of your own software that probably has even worse security.
A far stretch to conclude that this event can equate to awful engineering.
The rest of this your comment reads like you continue to be naive to Atlassian’s success. I have to think many people do find unique value in their products (myself included), some people don’t laugh rudely when they hear what folks are working on, and I think that shows in the overall achievements of the Atlassian team and product.
I’ve witnessed first hand truly fantastic organizational changes after adopting Jira, Confluence, etc., and I wouldn’t continue to write them off so easily.
Another issue is that they sent out the initial communication on August 25th (which I did receive), but the original wording indicated that it only affected servers that allowed user self-registration. We didn’t have that enabled, so I held off for a bit because the risk seemed lower and our upgrade process is a bit arduous (we have quite a few customizations on the server and need to perform all upgrades on a test instance and validate first) and our instance requires authentication through a load balancer before it’s even accessible.
Then, Atlassian updated the ticket a day later to state the issue affected all servers on the affected versions regardless of user authentication or registration but didn’t send out a follow up communication when they did so. Instead they waited until Friday afternoon before a US holiday weekend to send out another update. So if you weren’t watching the source ticket directly and thought you could wait due to the setting distinction you wouldn’t have known for over a week and you were left vulnerable.
Atlassian should have sent out another communication to all customers as soon as they knew the scope was broader than they had initially thought.
And look at the stock. If someone told me it would ever reach $180, would have been shocked. It’s now $384. And it’s outperforming the expectations all the time.
All the people who claim it is awful software, they ignore how many people love the Atlassian suite.
Article exemplifies freedom of expression and information by reporting on official security warnings, publishing expert analysis, and enabling public discourse on critical infrastructure threats.
FW Ratio: 64%
Observable Facts
Article publishes verbatim US Cybercom official warning.
Article strongly advocates protecting work environments by warning of active exploitation targeting workplace infrastructure (Confluence widely used in enterprise settings).
FW Ratio: 67%
Observable Facts
Article identifies Confluence as 'widely deployed...used primarily in collaborative corporate environments' and 'defacto standard for enterprise documentation.'
Article provides specific patching versions, workaround script, and urgency framing ('patch immediately...cannot wait until after the weekend').
Article quotes Vulcan Cyber CEO: 'there is a very real chance components of the platform are Internet exposed.'
Article emphasizes administrators should 'deploy [patch] with extra haste.'
Inferences
Identifying Confluence's role in workplace documentation respects workers' stakes in infrastructure security.
Providing urgent patching guidance prioritizes workplace protection above other business considerations.
Article frames collective IT community response to vulnerability threat; reports 'A number of IT leaders took to social media to confirm' exploitation.
FW Ratio: 60%
Observable Facts
Article states: 'A number of IT leaders took to social media to confirm that it was indeed being exploited.'
Article publishes information enabling IT professionals to coordinate protective response.
Article includes quotes from Vulcan Cyber CEO advocating teams 'need to fight fire with fire' through collective action.
Inferences
Reporting on collective IT community response demonstrates respect for freedom of association.
Publishing shared threat information enables coordination without requiring centralized authority.
Repeated language: 'Mass exploitation...is ongoing and expected to accelerate', 'this is bad', 'It's only a matter of time before we start seeing active exploitation in the wild'
build 1ad9551+j7zs · deployed 2026-03-02 09:09 UTC · evaluated 2026-03-02 13:57:54 UTC
Support HN HRCB
Each evaluation uses real API credits. HN HRCB runs on donations — no ads, no paywalls.
If you find it useful, please consider helping keep it running.