Time: April 21, 2021, 6:40 a.m.

Status: Resolved

Update: This incident has been resolved. Between 4:19 AM UTC to 6:14 AM UTC, some customers experienced issues with account management and domain claims.

Time: April 21, 2021, 6:40 a.m.

Status: Resolved

Update: This incident has been resolved. Between 4:19 AM UTC to 6:14 AM UTC, some customers experienced issues with account management and domain claims.

Time: May 18, 2021, 1:14 p.m.

Status: Postmortem

Update: ### **SUMMARY** On March 19, 2021, a security researcher participating in our [bug bounty program](https://bugcrowd.com/atlassian) notified Atlassian of a vulnerability in our Edge Networking Infrastructure that allowed specially-crafted HTTP requests to interfere with and disrupt the expected handling of network traffic using a technique known as HTTP request smuggling. This vulnerability affected the following Atlassian cloud products: Jira Work Management, Jira Service Management, Jira Software, Confluence, Bitbucket and Statuspage. We were able to patch the vulnerability on April 16, 2021. Out of an abundance of caution, we began the additional step of invalidating all established user sessions across all Atlassian products between April 16 and April 28, 2021. ### **IMPACT** The HTTP request smuggling vulnerability was not exploited and no credentials were compromised throughout this security incident. In the process of validating our patch for the vulnerability, requests related to four user sessions were mishandled by our networking infrastructure, causing some users to be presented with a page showing the site name \([sitename.atlassian.net](http://sitename.atlassian.net)\) and email address of another user. No other data or information was disclosed to or accessed by unauthorized users during the course of the testing and validation. We have since invalidated all sessions on the affected products. ### **ROOT CAUSE** The root cause was HTTP request smuggling which allowed specially-crafted HTTP requests to interfere with, and disrupt the expected handling of traffic through the load balancers used by Atlassian’s Network Edge. ### **REMEDIAL ACTIONS** Atlassian has a [comprehensive set of security practices](https://www.atlassian.com/trust/security/security-practices) in place to ensure we protect customer information and offer reliable and secure services. However, we also recognize that security incidents may still happen, and it is just as important to have effective methods for handling them. In this case we utilized our security incident response mechanism to: * develop a patch for the smuggling vulnerability * deploy the patch to all production load balancing infrastructure * invalidate all established user sessions. We apologise to our customers that were impacted throughout the duration of this security incident and thank you for your understanding. Thanks, Atlassian Customer Support

Time: May 18, 2021, 1:14 p.m.

Status: Postmortem

Update: ### **SUMMARY** On March 19, 2021, a security researcher participating in our [bug bounty program](https://bugcrowd.com/atlassian) notified Atlassian of a vulnerability in our Edge Networking Infrastructure that allowed specially-crafted HTTP requests to interfere with and disrupt the expected handling of network traffic using a technique known as HTTP request smuggling. This vulnerability affected the following Atlassian cloud products: Jira Work Management, Jira Service Management, Jira Software, Confluence, Bitbucket and Statuspage. We were able to patch the vulnerability on April 16, 2021. Out of an abundance of caution, we began the additional step of invalidating all established user sessions across all Atlassian products between April 16 and April 28, 2021. ### **IMPACT** The HTTP request smuggling vulnerability was not exploited and no credentials were compromised throughout this security incident. In the process of validating our patch for the vulnerability, requests related to four user sessions were mishandled by our networking infrastructure, causing some users to be presented with a page showing the site name \([sitename.atlassian.net](http://sitename.atlassian.net)\) and email address of another user. No other data or information was disclosed to or accessed by unauthorized users during the course of the testing and validation. We have since invalidated all sessions on the affected products. ### **ROOT CAUSE** The root cause was HTTP request smuggling which allowed specially-crafted HTTP requests to interfere with, and disrupt the expected handling of traffic through the load balancers used by Atlassian’s Network Edge. ### **REMEDIAL ACTIONS** Atlassian has a [comprehensive set of security practices](https://www.atlassian.com/trust/security/security-practices) in place to ensure we protect customer information and offer reliable and secure services. However, we also recognize that security incidents may still happen, and it is just as important to have effective methods for handling them. In this case we utilized our security incident response mechanism to: * develop a patch for the smuggling vulnerability * deploy the patch to all production load balancing infrastructure * invalidate all established user sessions. We apologise to our customers that were impacted throughout the duration of this security incident and thank you for your understanding. Thanks, Atlassian Customer Support

Time: April 30, 2021, 1:34 a.m.

Status: Resolved

Update: Between 15/Apr/21 17:20 AM PDT to 27/Apr/21 10:00 PM PDT, we experienced some cloud customers of Atlassian Support, Confluence, Jira Work Management, Jira Service Management, Jira Software, Opsgenie, Atlassian Developer, Trello, Atlassian Bitbucket, Atlassian Access, and Jira Align were logged out of there account. The issue has been resolved and the service is operating normally.

Time: April 30, 2021, 1:34 a.m.

Status: Resolved

Update: Between 15/Apr/21 17:20 AM PDT to 27/Apr/21 10:00 PM PDT, we experienced some cloud customers of Atlassian Support, Confluence, Jira Work Management, Jira Service Management, Jira Software, Opsgenie, Atlassian Developer, Trello, Atlassian Bitbucket, Atlassian Access, and Jira Align were logged out of there account. The issue has been resolved and the service is operating normally.

Time: April 19, 2021, 4:32 a.m.

Status: Investigating

Update: We are investigating an incident impacting Jira Cloud, Confluence Cloud, Bitbucket Cloud, and Statuspage. During our investigation, users may be logged out of their accounts as we work towards a resolution. We are continuing to investigate and will update this incident with more details as they are available.

Time: April 19, 2021, 4:32 a.m.

Status: Investigating

Update: We are investigating an incident impacting Jira Cloud, Confluence Cloud, Bitbucket Cloud, and Statuspage. During our investigation, users may be logged out of their accounts as we work towards a resolution. We are continuing to investigate and will update this incident with more details as they are available.

Time: March 4, 2021, 10:29 p.m.

Status: Resolved

Update: Between 17:19 UTC to 22:23 UTC, some customers experienced issues for user management systems. The root cause was a DNS issue that caused the service to not be able to connect to our database. We have deployed a fix to mitigate the issue and have verified that the services have recovered. The conditions that cause the bug have been addressed and we’re actively working on a permanent fix. The issue has been resolved and the service is operating normally.

Time: March 4, 2021, 8:22 p.m.

Status: Investigating

Update: We are investigating an issue with user management systems that are impacting SOME Atlassian Access Cloud customers. We will provide more details within two hours.

Time: March 4, 2021, 10:29 p.m.

Status: Resolved

Update: Between 17:19 UTC to 22:23 UTC, some customers experienced issues for user management systems. The root cause was a DNS issue that caused the service to not be able to connect to our database. We have deployed a fix to mitigate the issue and have verified that the services have recovered. The conditions that cause the bug have been addressed and we’re actively working on a permanent fix. The issue has been resolved and the service is operating normally.

Time: March 4, 2021, 8:22 p.m.

Status: Investigating

Update: We are investigating an issue with user management systems that are impacting SOME Atlassian Access Cloud customers. We will provide more details within two hours.