Atlassian account session invalidations
Incident Report for Jira Software
Postmortem

SUMMARY

On March 19, 2021, a security researcher participating in our bug bounty program notified Atlassian of a vulnerability in our Edge Networking Infrastructure that allowed specially-crafted HTTP requests to interfere with and disrupt the expected handling of network traffic using a technique known as HTTP request smuggling. This vulnerability affected the following Atlassian cloud products: Jira Work Management, Jira Service Management, Jira Software, Confluence, Bitbucket and Statuspage. We were able to patch the vulnerability on April 16, 2021. Out of an abundance of caution, we began the additional step of invalidating all established user sessions across all Atlassian products between April 16 and April 28, 2021.

IMPACT

The HTTP request smuggling vulnerability was not exploited and no credentials were compromised throughout this security incident.

In the process of validating our patch for the vulnerability, requests related to four user sessions were mishandled by our networking infrastructure, causing some users to be presented with a page showing the site name (sitename.atlassian.net) and email address of another user. No other data or information was disclosed to or accessed by unauthorized users during the course of the testing and validation. We have since invalidated all sessions on the affected products.

ROOT CAUSE

The root cause was HTTP request smuggling, which allowed specially-crafted HTTP requests to interfere with and disrupt the expected handling of traffic through the load balancers used by Atlassian’s Network Edge.
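Request smuggling works by sending a request whose body length can be read two ways, so that a load balancer and the server behind it disagree on where one request ends and the next begins. The report does not say which framing inconsistency affected Atlassian's edge, so the following is a generic defensive check, added here as an illustration and not Atlassian's code: it applies the RFC 7230 section 3.3.3 rules strictly and rejects any request head whose framing is ambiguous, which is the property an edge proxy needs to avoid this class of desync. The sample requests are constructed for the example.

```python
"""Strict framing check for HTTP/1.1 request heads (added example).

Rejects requests whose message length is ambiguous, the inconsistency that
HTTP request smuggling relies on, so a front-end load balancer and the
back-end behind it cannot disagree on message boundaries.  Follows the
rules in RFC 7230 section 3.3.3 with the strictest allowed interpretation.
"""
from __future__ import annotations

import re

# A header line must be "token ':' value": no whitespace before the colon
# and no line folding, both of which are tricks for making two parsers see
# different headers.  _TOKEN is the RFC 7230 "tchar" set.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_HEADER_LINE = re.compile(rf"^({_TOKEN}):[ \t]*(.*?)[ \t]*$")
_DECIMAL = re.compile(r"^[0-9]+$")


class FramingError(ValueError):
    """Raised when a request head has ambiguous or malformed message framing."""


def parse_head(raw: bytes) -> tuple[str, list[tuple[str, str]]]:
    """Split a request head into the request line and (name, value) headers."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError as exc:
        raise FramingError("non-ASCII byte in request head") from exc
    head, sep, _body = text.partition("\r\n\r\n")
    if not sep:
        raise FramingError("request head not terminated by CRLF CRLF")
    lines = head.split("\r\n")
    request_line, header_lines = lines[0], lines[1:]
    headers: list[tuple[str, str]] = []
    for line in header_lines:
        if line[:1] in (" ", "\t"):
            raise FramingError("obsolete line folding is not accepted")
        m = _HEADER_LINE.match(line)
        if not m:
            raise FramingError(f"malformed header line: {line!r}")
        headers.append((m.group(1).lower(), m.group(2)))
    return request_line, headers


def check_framing(raw: bytes) -> str:
    """Return the one framing mode a request uses: 'none', 'content-length' or 'chunked'.

    Raises FramingError for every combination that RFC 7230 leaves open to
    interpretation, instead of picking a winner the way a lenient parser does.
    """
    _, headers = parse_head(raw)
    content_lengths = [v for n, v in headers if n == "content-length"]
    transfer_encodings = [v for n, v in headers if n == "transfer-encoding"]

    # Rule 1: Content-Length together with Transfer-Encoding is the classic
    # ambiguity; reject rather than let either header take precedence.
    if content_lengths and transfer_encodings:
        raise FramingError("both Content-Length and Transfer-Encoding present")

    if transfer_encodings:
        # Rule 2: accept exactly one coding, "chunked", and nothing else.
        # Unknown codings, extra list members or odd spellings could be
        # interpreted differently by the next hop.
        codings = [c.strip().lower()
                   for v in transfer_encodings for c in v.split(",")]
        if codings != ["chunked"]:
            raise FramingError("Transfer-Encoding must be exactly 'chunked'")
        return "chunked"

    if content_lengths:
        # Rule 3: repeated Content-Length values are tolerated only when
        # identical, and the value must be a plain decimal integer.
        if len(set(content_lengths)) != 1:
            raise FramingError("conflicting Content-Length values")
        if not _DECIMAL.match(content_lengths[0]):
            raise FramingError("Content-Length is not a plain decimal integer")
        return "content-length"

    return "none"


def accepts(raw: bytes) -> bool:
    """True when the request head has exactly one unambiguous framing."""
    try:
        check_framing(raw)
    except FramingError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample requests: two well-formed, one ambiguous.
    samples = {
        "content-length": b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
                          b"Content-Length: 5\r\n\r\nhello",
        "chunked": b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
                   b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
        "ambiguous": b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
                     b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n",
    }
    for label, req in samples.items():
        print(f"{label}: {'accepted' if accepts(req) else 'rejected'}")
```

A check like this belongs at the outermost hop, because a proxy that normalises or forwards an ambiguous request has already made the downstream parser's choice for it. Rejecting with a 400 and logging the offending header combination also gives the operations team a clean detection signal for probing attempts.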

REMEDIAL ACTIONS

Atlassian has a comprehensive set of security practices in place to ensure we protect customer information and offer reliable and secure services. However, we also recognize that security incidents may still happen, and it is just as important to have effective methods for handling them.

In this case we utilized our security incident response mechanism to:

  • develop a patch for the smuggling vulnerability
  • deploy the patch to all production load balancing infrastructure
  • invalidate all established user sessions.

We apologise to our customers who were impacted throughout the duration of this security incident and thank you for your understanding.

Thanks,

Atlassian Customer Support

Posted May 18, 2021 - 12:57 UTC

Resolved
Between 15/Apr/21 17:20 AM PDT and 27/Apr/21 10:00 PM PDT, some cloud customers of Atlassian Support, Confluence, Jira Work Management, Jira Service Management, Jira Software, Opsgenie, Atlassian Developer, Trello, Atlassian Bitbucket, Atlassian Access, and Jira Align were logged out of their accounts. The issue has been resolved and the service is operating normally.
Posted Apr 30, 2021 - 01:34 UTC
Investigating
We are investigating an incident impacting Jira Cloud, Confluence Cloud, Bitbucket Cloud, and Statuspage. During our investigation, users may be logged out of their accounts as we work towards a resolution. We are continuing to investigate and will update this incident with more details as they are available.
Posted Apr 19, 2021 - 04:32 UTC