Atlassian CISO Adrian Ludwig spoke to ZDNet this week to discuss the Atlassian Confluence vulnerability — CVE-2021-26084 — and defend the company’s response to the problem.
Ludwig said the vulnerability was initially reported through Atlassian’s bug bounty program on June 30th by Benny Jacob and that Atlassian’s security team quickly realized it was a critical issue. The patch was available by August 15 and security bulletins were sent out on August 25.
They also submitted the vulnerability and patch to NIST and other government organizations so that the information could be disseminated further. The information was also sent to Atlassian’s channel partners and account managers so that emails could be sent out to customers.
Atlassian has its own test instances of Confluence and began seeing evidence of automated exploitation around September 1. Ludwig said it was bots probing the services and attempting to exploit them using the vulnerability.
“As part of our normal process evaluating
The article Atlassian CISO: 'There will always be some number of instances of software on the internet that are out of date and being exploited' originally appeared on ZDNet.