December 6, 2023 at 02:00AM
Atlassian alerted customers to four critical vulnerabilities by email, but the links in the email were not initially live. Despite the broken links, the company directed customers to updated advisory pages for immediate action. The vulnerabilities affect various Atlassian products and can be fixed by upgrading to secured versions.
**Meeting Summary: Atlassian Issues Advisory on Critical Vulnerabilities**
**Critical Points:**
1. **Communication Issues**: Atlassian emailed customers about critical security vulnerabilities but included non-functional links.
2. **Vulnerability Severity**: The vulnerabilities were significant, rated 9.0 or higher on the CVSS scale.
3. **Corrective Steps**: Atlassian acknowledged the email flaw and provided workarounds for customers to access the correct information.
4. **Vulnerabilities Detailed**: Four security flaws allowing remote code execution were identified, affecting a variety of Atlassian products:
– CVE-2022-1471 rated at 9.8/10
– CVE-2023-22522 rated at 9.0/10
– CVE-2023-22524 rated at 9.6/10
– CVE-2023-22523 rated at 9.8/10
5. **Resolution**: The solution for all flaws is to upgrade to a version of the product in which the flaws have been fixed.
6. **Advisory Challenges**: The initial advisory was difficult for customers to act upon due to the dead links.
7. **Atlassian’s Values**: The company’s core values, which focus on customer care and transparency, were mentioned, suggesting an incongruity with the incident that occurred.
**Recommended Actions:**
– Review the newly provided information from Atlassian regarding the vulnerabilities and take necessary actions as instructed.
– Upgrade affected products immediately to the fixed versions to protect against the vulnerabilities.
– Monitor Atlassian’s communications for any follow-up information or additional guidance.
**Customer Impact:**
Customers experienced frustration due to the broken links and could have faced delays in taking the necessary protective actions, as the correct information was not immediately accessible.
**Apology Issued**: Atlassian has apologized for the error and any inconvenience caused to customers.
**Note**: It is implied that Proofpoint’s URLdefense.com service could be a factor in the link issue, but this is not confirmed.