On March 19, 2021, a security researcher participating in our bug bounty program notified Atlassian of a vulnerability in our Edge Networking Infrastructure that allowed specially-crafted HTTP requests to interfere with and disrupt the expected handling of network traffic using a technique known as HTTP request smuggling. This vulnerability affected the following Atlassian cloud products: Jira Work Management, Jira Service Management, Jira Software, Confluence, Bitbucket and Statuspage. We were able to patch the vulnerability on April 16, 2021. Out of an abundance of caution, we began the additional step of invalidating all established user sessions across all Atlassian products between April 16 and April 28, 2021.
The HTTP request smuggling vulnerability was not exploited and no credentials were compromised throughout this security incident.
In the process of validating our patch for the vulnerability, requests related to four user sessions were mishandled by our networking infrastructure, causing some users to be presented with a page showing the site name (sitename.atlassian.net) and email address of another user. No other data or information was disclosed to or accessed by unauthorized users during the course of the testing and validation. We have since invalidated all sessions on the affected products.
The root cause was HTTP request smuggling, which allowed specially-crafted HTTP requests to interfere with and disrupt the expected handling of traffic through the load balancers used by Atlassian’s Network Edge.
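Request smuggling works because an edge load balancer and the server behind it can disagree about where one HTTP/1.1 request ends and the next begins. The following is an added example, not code from Atlassian's notice or its edge infrastructure: a small framing check of the kind a defender would run at the edge to refuse any request head whose body length is ambiguous before it is forwarded. The parser, the `FramingVerdict` type and the sample requests are all constructed here for illustration; the page gives no detail of the specific request shape involved in this incident.

```python
# Added example (not Atlassian code): reject HTTP/1.1 request heads whose body
# framing is ambiguous, the precondition for request smuggling between hops.
import re
from dataclasses import dataclass
from typing import Dict, Optional

# RFC 7230 "token" characters. A header name that fails this (for example one
# with a trailing space before the colon) is exactly the kind of malformed
# input on which two parsers tend to disagree.
TOKEN = re.compile(rb"[!#$%&'*+.^_`|~0-9A-Za-z-]+")
DIGITS = re.compile(rb"[0-9]+")


@dataclass
class FramingVerdict:
    accept: bool
    reason: str
    # Resolved framing when accepted: byte count, or None for chunked coding.
    body_length: Optional[int] = None


def check_request_framing(raw: bytes) -> FramingVerdict:
    """Return a verdict on a raw HTTP/1.1 request (head plus optional body)."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return FramingVerdict(False, "incomplete request head")

    lines = head.split(b"\r\n")
    if len(lines[0].split(b" ")) != 3:
        return FramingVerdict(False, "malformed request line")

    headers = []
    for line in lines[1:]:
        # Obsolete line folding (continuation line starting with SP/HTAB) is
        # handled differently by different servers; refuse it outright.
        if line[:1] in (b" ", b"\t"):
            return FramingVerdict(False, "obsolete line folding in header")
        name, colon, value = line.partition(b":")
        if not colon or not TOKEN.fullmatch(name):
            return FramingVerdict(False, "invalid header field name")
        headers.append((name.lower(), value.strip(b" \t")))

    cl_values = [v for n, v in headers if n == b"content-length"]
    te_values = [v for n, v in headers if n == b"transfer-encoding"]

    # Two framing mechanisms on one request: never forward, always reject.
    if cl_values and te_values:
        return FramingVerdict(False, "both Content-Length and Transfer-Encoding")

    if te_values:
        codings = [c.strip(b" \t").lower() for v in te_values for c in v.split(b",")]
        if codings[-1] != b"chunked":
            return FramingVerdict(False, "chunked is not the final transfer coding")
        if not all(TOKEN.fullmatch(c) for c in codings):
            return FramingVerdict(False, "invalid transfer coding token")
        return FramingVerdict(True, "chunked framing", None)

    if cl_values:
        if len(set(cl_values)) > 1:
            return FramingVerdict(False, "conflicting Content-Length values")
        if not DIGITS.fullmatch(cl_values[0]):
            return FramingVerdict(False, "non-numeric Content-Length")
        return FramingVerdict(True, "content-length framing", int(cl_values[0]))

    return FramingVerdict(True, "no body", 0)


# Constructed sample requests (not captured traffic); the host is a placeholder.
SAMPLES = {
    "plain": b"POST /rest/api HTTP/1.1\r\nHost: example.invalid\r\nContent-Length: 5\r\n\r\nhello",
    "chunked": b"POST / HTTP/1.1\r\nHost: example.invalid\r\nTransfer-Encoding: gzip, chunked\r\n\r\n0\r\n\r\n",
    "cl_and_te": b"POST / HTTP/1.1\r\nHost: example.invalid\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "dup_cl": b"POST / HTTP/1.1\r\nHost: example.invalid\r\nContent-Length: 4\r\nContent-Length: 9\r\n\r\nabcd",
    "folded_te": b"POST / HTTP/1.1\r\nHost: example.invalid\r\nTransfer-Encoding:\r\n chunked\r\n\r\n0\r\n\r\n",
    "space_in_name": b"POST / HTTP/1.1\r\nHost: example.invalid\r\nContent-Length : 4\r\n\r\nabcd",
}


def audit_samples() -> Dict[str, bool]:
    """Map each sample name to whether the edge check would forward it."""
    return {name: check_request_framing(raw).accept for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        verdict = check_request_framing(raw)
        print(f"{name:14s} accept={verdict.accept!s:5s} reason={verdict.reason}")
```

The check is deliberately stricter than what a lenient server accepts: anything that could be framed two ways is dropped at the edge rather than normalised, because normalising is itself a choice the next hop may not share. A production edge would log the rejection reason alongside the client address so that a spike in ambiguous-framing rejections can be alerted on.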
Atlassian has a comprehensive set of security practices in place to ensure we protect customer information and offer reliable and secure services. However, we also recognize that security incidents may still happen, and it is just as important to have effective methods for handling them.
In this case we utilized our security incident response mechanism to:
We apologise to our customers who were impacted throughout the duration of this security incident and thank you for your understanding.
Thanks,
Atlassian Customer Support