Hi,

Confluence/JIRA were updated with a fix and the password protection removed.

Thanks,
Giovanni

________________________________
From: everyone <everyone-boun...@lists.inclusivedesign.ca> on behalf of Giovanni Tirloni <gtirl...@ocadu.ca>
Sent: Monday, June 6, 2022 15:06
To: Jonathan Hung <jh...@ocadu.ca>; every...@lists.idrc.ocadu.ca <every...@lists.idrc.ocadu.ca>; fluid-work@lists.idrc.ocad.ca <fluid-work@lists.idrc.ocad.ca>
Subject: Re: Emergency: Wiki and JIRA instances are now password protected

It's safe to share this password, no worries. This is just to make it harder for automated scan tools to find us.

________________________________
From: Jonathan Hung <jh...@ocadu.ca>
Sent: Monday, June 6, 2022 12:22
To: Giovanni Tirloni <gtirl...@ocadu.ca>; every...@lists.idrc.ocadu.ca <every...@lists.idrc.ocadu.ca>; fluid-work@lists.idrc.ocad.ca <fluid-work@lists.idrc.ocad.ca>
Subject: RE: Emergency: Wiki and JIRA instances are now password protected

Hi Gio,

Is it safe to pass the HTTP authentication credentials to partners who are actively using the wiki? Or is the issue expected to be resolved soon enough that it’s unnecessary?

Thanks for taking care of this!

-Jon.

From: fluid-work <fluid-work-boun...@lists.idrc.ocad.ca> On Behalf Of Giovanni Tirloni
Sent: June 3, 2022 6:48 AM
To: every...@lists.idrc.ocadu.ca; fluid-work@lists.idrc.ocad.ca
Subject: Emergency: Wiki and JIRA instances are now password protected

Hello,

There is a new vulnerability <https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/> currently affecting Confluence (Wiki) that allows an attacker to take over servers by submitting a specially crafted request.

Atlassian has not made available a fix for this issue yet and in order to stop attackers from automated tools, I have had to enable HTTP Basic Authentication on both the Wiki and JIRA instances.

Username: fluid
Password: fluid

I will keep monitoring the situation and remove the password protection as soon as we are able to deploy a fix for this.

Please note this is in addition to the normal Confluence/JIRA user authentication. After entering the HTTP basic authentication credentials, you'll be prompted for your personal username/password, if you're not logged in yet.

Sorry for the inconvenience. Please report any issues you may find.

Regards,
Giovanni Tirloni
DevOps Engineer
Inclusive Design Research Centre, OCAD University
https://status.inclusivedesign.ca