• CVE-2022-26134 – How to check and protect your Confluence

    6 June 2022

    Last week, Volexity disclosed a zero-day vulnerability (CVE-2022-26134) in Atlassian Confluence Server and Data Center that was already being exploited in the wild. This post shares some checks you can run to see whether your Confluence instance has been targeted, and some practical advice on protecting an on-premises Confluence.

    About the vulnerability

    This bug affects all versions of Confluence Server and Data Center since 1.3.0; Confluence Cloud is not affected. It is critical because it is an OGNL injection that lets an unauthenticated attacker execute arbitrary code on the Confluence server with a single crafted HTTP request. According to Imperva Threat Research, scanning and exploitation attempts are widespread across the Internet.

    How to fix the vulnerability

    Atlassian alerted customers promptly and treated the issue as top priority. We are thankful that Atlassian released the fix in less than 24 hours.

    For details of the fix, including the list of fixed versions (7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1) and the temporary workaround for those who cannot upgrade immediately, please refer to the official Confluence Security Advisory 2022-06-02.
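As an added example (not code from the original post or from Atlassian), the script below tells you whether a given Confluence Server/Data Center version string is at or above the fixed release for its branch. The fixed versions are the ones listed in the Confluence Security Advisory 2022-06-02; the assumption that branches newer than 7.18 (7.19 onwards) were released after the fix is ours. The version string is shown in the footer of any Confluence page ("Powered by Atlassian Confluence x.y.z") and under General Configuration > System Information.

```python
"""Tell whether a Confluence Server/Data Center version carries the CVE-2022-26134 fix.

Added example, not code from the original post or from Atlassian. FIXED holds the
fixed releases listed in the Confluence Security Advisory 2022-06-02. Assumption:
a branch newer than 7.18 (7.19 onwards) shipped after the fix and is treated as
fixed; a branch with no entry (for example 7.5 to 7.12, or anything before 7.4)
has no fixed release and must be upgraded to a fixed branch.
"""
from typing import Tuple

# branch (major, minor) -> first patch level on that branch that contains the fix
FIXED = {
    (7, 4): 17, (7, 13): 7, (7, 14): 3, (7, 15): 2,
    (7, 16): 4, (7, 17): 4, (7, 18): 1,
}
NEWEST_FIXED_BRANCH = max(FIXED)
NEWEST_FIXED_RELEASE = "{}.{}.{}".format(*NEWEST_FIXED_BRANCH, FIXED[NEWEST_FIXED_BRANCH])


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse "MAJOR.MINOR.PATCH" as shown in the Confluence page footer."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected MAJOR.MINOR.PATCH, got {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def assess(version: str) -> Tuple[bool, str]:
    """Return (is_fixed, explanation) for a version string."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED:
        fixed_patch = FIXED[branch]
        if patch >= fixed_patch:
            return True, f"{version} is at or above fixed release {major}.{minor}.{fixed_patch}"
        return False, f"{version} is vulnerable; upgrade to {major}.{minor}.{fixed_patch} or later"
    if branch > NEWEST_FIXED_BRANCH:
        # Assumption: feature branches after 7.18 were cut after the fix landed.
        return True, f"{version} is on a branch released after the fix (assumed fixed)"
    return False, (f"{version} is on a branch with no fixed release; "
                   f"upgrade to a fixed branch such as {NEWEST_FIXED_RELEASE}")


if __name__ == "__main__":
    import sys
    # Usage: python3 check_confluence_version.py 7.13.6 7.18.1 ...
    for v in sys.argv[1:] or ["7.13.6", "7.13.7", "7.12.5", "7.19.0"]:
        fixed, why = assess(v)
        print("FIXED     " if fixed else "VULNERABLE", why)
```

Note that a version on a branch without a fixed release (for example 7.12.x) cannot be patched in place; the only remedy is an upgrade to one of the fixed branches, or the advisory's temporary workaround until that upgrade is scheduled.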

    How to check your Confluence for malicious access

    Here are some basic checks you can run to look for traces of exploitation attempts. If any of them turns up a hit, treat the host as potentially compromised and engage security experts for an in-depth forensic investigation. A clean result does not prove the instance was never attacked, since these checks only cover the indicators published so far.

    URL requests containing ${

    The exploit places an OGNL expression, delimited by ${ and }, in the request URI, so scanning the web server access logs for that marker is a quick first check. Search for both the literal and the URL-encoded form, because the requests seen in the wild were encoded as %24%7B. Update the path below to your Apache httpd or Nginx access logs, and also check Confluence's own Tomcat access logs (conf_access_log*.log under the logs directory of the Confluence installation), which record requests that reached Tomcat directly without passing through the proxy.

    # -F treats the pattern as a fixed string, so $ and { are not regex metacharacters
    grep -F '${' /etc/httpd/logs/*access*.log
    # attackers URL-encode the marker; Apache logs the request line as received
    grep -F '%24%7B' /etc/httpd/logs/*access*.log
    

    URL requests from known IP addresses

    The Volexity report lists IP addresses used by the attackers they observed. Grep the access logs for these as well. Note that other attackers will use other addresses, so no match here is not evidence that your instance was not attacked.

    # -F keeps the dots literal; -w stops 156.146.34.9 from matching inside 156.146.34.91
    grep -Fw \
      -e 154.146.34.145 -e 154.16.105.147 -e 156.146.34.46 \
      -e 156.146.34.52 -e 156.146.34.9 -e 156.146.56.136 \
      -e 198.147.22.148 -e 221.178.126.244 -e 45.43.19.91 \
      -e 59.163.248.170 -e 64.64.228.239 -e 66.115.182.102 \
      -e 66.115.182.111 -e 67.149.61.16 -e 98.32.230.38 \
      /etc/httpd/logs/*access*
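The two greps above (the ${ marker and the IOC IP list) can be combined into one pass that also handles what grep misses: URL encoding applied more than once. The script below is an added example, not code from the original post or from Volexity. It assumes Apache/Nginx combined log format; the log lines embedded in it are constructed for illustration, and the java.lang.Runtime/ProcessBuilder check is our own heuristic based on the class names in the publicly reported payloads.

```python
"""Scan access logs for CVE-2022-26134 exploitation attempts.

Added example, not code from the original post. It combines the two checks
above: an OGNL "${" marker in the requested URI (literal or URL-encoded, decoded
repeatedly so double encoding such as %2524%257B is also caught) and requests
from the IOC IP addresses published by Volexity. It assumes Apache/Nginx
combined log format; the sample lines below are constructed for illustration.
"""
import re
import sys
from urllib.parse import unquote

# IOC IP addresses from the Volexity report (same list as the grep above).
IOC_IPS = frozenset({
    "154.146.34.145", "154.16.105.147", "156.146.34.46", "156.146.34.52",
    "156.146.34.9", "156.146.56.136", "198.147.22.148", "221.178.126.244",
    "45.43.19.91", "59.163.248.170", "64.64.228.239", "66.115.182.102",
    "66.115.182.111", "67.149.61.16", "98.32.230.38",
})

# Combined log format: client ip, ident, user, [time], "METHOD URI PROTO", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Class names present in the publicly reported payloads. Assumption: treated as a
# higher-confidence indicator than the bare "${" marker.
JAVA_EXEC_RE = re.compile(r"java\.lang\.(Runtime|ProcessBuilder)")


def fully_decode(uri: str, rounds: int = 3) -> str:
    """URL-decode until the string stops changing (bounded to `rounds` passes)."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def classify(line: str) -> list:
    """Return the list of reasons a log line is suspicious ([] if it looks clean)."""
    m = LOG_RE.match(line)
    if m is None:
        # A request line that does not even parse deserves a human look.
        return ["unparsable-line"]
    reasons = []
    if m.group("ip") in IOC_IPS:
        reasons.append("ioc-ip:" + m.group("ip"))
    uri = fully_decode(m.group("uri"))
    if "${" in uri:
        reasons.append("ognl-marker")
    if JAVA_EXEC_RE.search(uri):
        reasons.append("java-exec-in-uri")
    return reasons


def scan(lines) -> list:
    """Return [(line_number, reasons)] for every suspicious, non-empty line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        reasons = classify(line)
        if reasons:
            hits.append((number, reasons))
    return hits


# Constructed sample log: one benign request, one from an IOC address with the
# URL-encoded payload shape seen in the wild, one literal "${", one double-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Jun/2022:09:12:01 +0800] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.147.22.148 - - [03/Jun/2022:09:13:44 +0800] "GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29%7D/ HTTP/1.1" 302 0 "-" "curl/7.68.0"
203.0.113.9 - - [03/Jun/2022:09:15:10 +0800] "GET /${@java.lang.Runtime@getRuntime().exec(%22id%22)}/ HTTP/1.1" 302 0 "-" "python-requests/2.27"
203.0.113.20 - - [03/Jun/2022:09:16:00 +0800] "GET /%2524%257B%2540java.lang.Runtime%2540getRuntime()%257D/ HTTP/1.1" 302 0 "-" "-"
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()


if __name__ == "__main__":
    # Usage: python3 scan_confluence_logs.py /etc/httpd/logs/*access*.log
    # With no arguments the constructed sample above is scanned instead.
    paths = sys.argv[1:]
    if not paths:
        for number, reasons in scan(SAMPLE_LINES):
            print(f"sample:{number}: {', '.join(reasons)}")
    for path in paths:
        with open(path, errors="replace") as fh:
            for number, reasons in scan(fh):
                print(f"{path}:{number}: {', '.join(reasons)}")
```

Run it against the proxy logs and Confluence's Tomcat access logs alike. The ioc-ip reason on its own means the address appeared in your logs; the ognl-marker and java-exec-in-uri reasons mean a payload was sent, and a 302 or 200 response to such a request is the point at which to assume compromise and start forensic work rather than clean-up.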

    How to protect your Confluence instance

    The best defence against unauthenticated remote attacks is to keep the server off the public Internet: place it behind a firewall so that only trusted networks can reach it. This blocks direct remote exploitation of this bug and of the next one, because no software is 100% free of bugs and another vulnerability will be discovered sooner or later. That is a key reason why some security-sensitive enterprises choose Confluence Data Center hosted within their own network.

    Running a Long Term Support release reduces the effort to upgrade, because critical security fixes are backported to it for as long as it is architecturally possible. That allows a quick reaction to any future zero-day exploit.

    For organisations working remotely, access over VPN or through a Web Application Firewall (WAF) adds protection. Both Cloudflare and Imperva announced WAF rules that block exploitation attempts for this vulnerability before the request reaches Confluence. A WAF is a compensating control rather than a fix: signatures can be bypassed by payload variations, so it complements patching instead of replacing it.

    Last but not least, make sure the licence technical contacts are up to date. As an Atlassian Solution Partner, we have seen critical alerts from Atlassian missed several times because the registered contact had left the company.


  • Akeles Top 10 Marketplace apps in 2021

    8 February 2022

    This year, we are continuing the tradition of sharing our Top 10 popular apps for Jira, Confluence and Bitbucket.

    From our perspective, Marketplace apps play a significant role in the successful adoption of Atlassian platforms by

    • enabling automation to improve productivity, speed or security
    • adding features to provide additional capabilities like Business Analytics, Test Automation, etc
    • organising information to provide insight and facilitate collaboration

    This year, Atlassian Marketplace reached $2 billion in lifetime sales, a strong testament to the usefulness and popularity of Marketplace apps.

    How is the ranking done?

    The ranking is based on the number of licenses (Server/DC/Cloud) customers bought in 2021.
    We felt this is a better measure of an app's popularity.

    In the event of a tie, we go by the licensed user count, followed by the total sale value for the app.

    Akeles Top 10 List

    We are pleased to share our list for 2021, voted by Atlassian users in Singapore through their purchases. Although our list may not correspond to global popularity on the Atlassian Marketplace, it is an affirmation of the usefulness of the apps.

    Congratulations to the winners.



  • Akeles Top 10 Marketplace Apps in 2020

    18 January 2021

    Time flies and we are already in 2021. We crunched our sales numbers for Atlassian Marketplace app licenses to identify the developing trends.

    This year, we are sharing this list as we feel it may be useful to fellow Atlassian users looking to extract more value from Jira/Confluence/Bitbucket.

    From our perspective, Marketplace apps play a significant role in established instances by

    • enabling automation to improve productivity, speed or security
    • adding features to provide additional capabilities like Business Analytics, Test Automation, etc
    • organising information to provide insight and facilitate collaboration

    How is the ranking done?

    The ranking is based on the number of licenses (Server/DC/Cloud) we sold for each app in 2020.
    We felt this is a better measure of an app's popularity.

    In the event of a tie, we go by the licensed user count, followed by the total sales for the app.

    Akeles Top 10 List

    We are pleased to share our list for 2020, voted by end users in Singapore through their purchases. While our list may not reflect actual popularity on the Atlassian Marketplace, it is an affirmation of the usefulness of the apps.

    Congratulations to the winners.

    Top 10 Jira Apps for 2020

    S/N  App Name                                   Publisher
    01   ScriptRunner for Jira                      Adaptavist
    02   JSU Automation Suite for Jira Workflows    Beecom
    03   Advanced Roadmaps (formerly Portfolio)     Atlassian
    04   eazyBI Reports and Charts for Jira         eazyBI
    05   Extension for Jira Service Management      Deviniti
    06   Jira Workflow Toolbox                      Decadis AG
    07   Zephyr for Jira – Test Management          SmartBear
    08   Jira Misc Workflow Extensions (JMWE)       Innovalog
    09   Dynamic Forms for Jira                     Deviniti
    10   BigPicture – Project Management & PPM      SoftwarePlant

    Top 10 Confluence Apps for 2020

    S/N  App Name                                   Publisher
    01   Team Calendars for Confluence              Atlassian
    02   Gliffy Diagrams for Confluence             Gliffy
    03   draw.io Diagrams for Confluence            //SEIBERT/MEDIA – Draw.io
    04   Comala Document Management                 Comalatech
    05   Table Filter and Charts for Confluence     Stiltsoft
    06   Refined for Confluence | Sites & Themes    Refined
    07   Excel for Confluence                       Bob Swift Atlassian Apps
    08   SAML Single Sign On (SAML SSO) Confluence  resolution Reichert Network Solutions GmbH
    09   ScriptRunner for Confluence                Adaptavist
    10   Balsamiq Wireframes for Confluence         Balsamiq

    Top 10 Bitbucket Apps for 2020

    S/N  App Name                                   Publisher
    01   ScriptRunner for Bitbucket                 Adaptavist
    02   Webhook to Jenkins for Bitbucket           Mohami
    03   Awesome Graphs for Bitbucket               Stiltsoft
    04   SAML Single Sign On (SAML SSO) Bitbucket   resolution Reichert Network Solutions GmbH
    05   Workzone: PullRequest Workflow             Izymes Pty Ltd
    06   External Hooks by Reconquest               Reconquest
    07   Jira Hooks for Bitbucket                   DevOpsSystems Mueller
    08   Sonar for Bitbucket                        Mibex Software GmbH
    09   Snippets for Bitbucket Server              Mohami
    10   Microsoft Teams Connector for Bitbucket    Globo Solutions


  • Best Practices in Jira Administration – Be a Jira Hero ebook

    27 May 2020
    [Image: Be a Jira Hero ebook]

    This ebook is a collection of Jira best practices that Atlassian has gathered from Jira experts around the world.

    The title “Be a Jira Hero – A guide for Admins, by Admins” is well deserved. We recommend that all Jira administrators, current and aspiring, read the 25-page ebook.

    Jira Best Practices ebook

    The ebook is well organised into sections with short but clear pieces of advice:

    1. How to keep Jira clean and simple for your users
    2. How to use issues effectively
    3. Best practices on managing Custom Fields and Screens
    4. Things to consider when building workflows
    5. Tips on managing backlog in Jira
    6. How to get people to work on the issues
    7. Best practices on designing the Jira dashboards for even more effective reporting
    8. Shortcuts & Hacks to work faster with Jira
    9. How to make use of automation to make life easier

    One Common Mistake

    For example, Tip #20 in the book is to set the Resolution in your workflows. We have observed that many Jira admins without formal training do not understand the concept of resolution and therefore skip this step when creating new workflows. Jira appears to work, but an issue with no resolution is still counted as unresolved, so the built-in reports (and any filter on resolved or unresolved issues) become inaccurate and an important piece of information is missing.

    Our Additional Jira Tip

    Dashboards are very useful when used correctly. Team members get visibility of progress and are reminded of outstanding tasks, and management gets a clear view without spending a lot of time preparing routine reports. As a result, users come to see the value of keeping their tasks in Jira up to date.

    [Image: Multiple Filters Statistics Bar Chart Gadget (horizontal bar chart for Jira)]

    [Image: Horseshoe Gauge Gadget for Jira]

    Conclusion

    To sum up, if you are a Jira administrator, download the ebook and review whether you have been applying these Jira best practices.

    No email address is required to download the book. In addition, you may also want to check out the following resources:
