All Systems Operational
Past Incidents
May 27, 2022

No incidents reported today.

May 26, 2022

No incidents reported.

May 25, 2022

No incidents reported.

May 24, 2022

No incidents reported.

May 23, 2022

No incidents reported.

May 22, 2022

No incidents reported.

May 21, 2022

No incidents reported.

May 20, 2022

No incidents reported.

May 19, 2022
Resolved - This incident has been resolved.
May 19, 13:06 EEST
Monitoring - On April 20th 2022 at 20:00 EEST, Atlassian published a critical security advisory affecting the majority of on-premise installations of Jira products (Jira Core, Jira Software, Jira Service Desk), excluding only a few of the most recent releases. A remote, unauthenticated attacker could exploit the vulnerability by requesting a specially crafted URL, which would then bypass authentication and authorization in certain parts of the application, mainly in first- and third-party apps, resulting at least in information disclosure, but also possibly in elevation of privileges.

Although the vulnerability is in the core of Jira (or more specifically in Seraph, the authentication framework used by Jira), it affects first-party (provided by Atlassian) and third-party (provided via Atlassian Marketplace) apps that use a vulnerable configuration.

We at Ambientia are working hard to secure our customers' environments against this vulnerability. Our primary approach is to mitigate the vulnerability in the short term by upgrading all the affected apps (plugins). Where we are not able to upgrade the plugins to a non-vulnerable version (e.g. because the Jira version in the environment in question does not support newer versions of the plugins), we have been upgrading Jira itself to a fixed version, which also provides a long-term fix for the issue. We are in direct contact with all the customers who are affected and provide information on what type of approach has been taken now and what actions (if any) still need to be taken.

The long-term solution to protect against this vulnerability is to upgrade to a fixed Jira version, meaning that all customers should be prepared for an upgrade shortly, including those customers whose environments have been temporarily protected by updating the plugins.

We are closely monitoring the situation and are prepared to take additional measures if so required.

Apr 20, 20:13 EEST
Resolved - This incident has been resolved.
May 19, 13:05 EEST
Monitoring - We have received information from both Atlassian (see their FAQ) and Liferay stating that the core software from either vendor is not vulnerable to the known, existing exploits. Both Atlassian and Liferay will issue fixes for their software that address this issue by including a fixed version of the Spring Framework out of an abundance of caution.

However, third-party extensions might be vulnerable. We are currently working with Atlassian plugin vendors to assess the situation on a case-by-case basis.

Ambientia has identified environments that are directly affected, and fixes for services that require immediate action are taken care of. As stated previously, even though the majority of services managed by Ambientia that include Spring Framework are not currently affected, we maintain the position that it is likely that additional attack vectors will surface, which requires upgrades in many services that are currently not affected by existing exploits. We will be individually in touch with customers regarding these upgrades.

Apr 4, 13:01 EEST
Update - We are continuing to investigate this issue.
Apr 1, 10:09 EEST
Investigating - On Thursday, 31st of March 2022, Ambientia was made aware of a vulnerability in the Spring Framework which, under certain circumstances, makes it possible for unauthenticated attackers to execute code on remote systems.

We are working to fully understand the impact of this vulnerability on systems managed by Ambientia. Thus far we have concluded that the particular deployment scenario for which the exploit is circulating largely does not fit our deployment model of Spring applications. Deployments that still run on Java 8 are also not affected, as this issue is rooted in changes introduced in Java 9.

We are closely monitoring the situation and will implement any fixes, mitigations and upgrades suggested by our technology vendors. We are also planning to upgrade any and all systems utilizing affected Spring Framework versions to a fixed version, since it is likely that additional attack vectors will surface. We will directly contact our customers whose systems require upgrades.

We have also protected services with Cloudflare's Web Application Firewall, which already has filtering rules available to mitigate the vulnerability. Note that this only affects customers who have an active Cloudflare subscription in place.

Mar 31, 18:53 EEST
May 18, 2022

No incidents reported.

May 17, 2022

No incidents reported.

May 16, 2022

No incidents reported.

May 15, 2022

No incidents reported.

May 14, 2022

No incidents reported.

May 13, 2022

No incidents reported.