Reverted: Wiki and JIRA instances are now password protected

Giovanni Tirloni gtirloni at ocadu.ca
Thu Jun 16 19:19:52 UTC 2022


Hi,

Confluence/JIRA were updated with a fix and the password protection removed.

Thanks,
Giovanni
________________________________
From: everyone <everyone-bounces at lists.inclusivedesign.ca> on behalf of Giovanni Tirloni <gtirloni at ocadu.ca>
Sent: Monday, June 6, 2022 15:06
To: Jonathan Hung <jhung at ocadu.ca>; everyone at lists.idrc.ocadu.ca <everyone at lists.idrc.ocadu.ca>; fluid-work at lists.idrc.ocad.ca <fluid-work at lists.idrc.ocad.ca>
Subject: Re: Emergency: Wiki and JIRA instances are now password protected

It's safe to share this password, no worries. This is just to make it harder for automated scan tools to find us.
________________________________
From: Jonathan Hung <jhung at ocadu.ca>
Sent: Monday, June 6, 2022 12:22
To: Giovanni Tirloni <gtirloni at ocadu.ca>; everyone at lists.idrc.ocadu.ca <everyone at lists.idrc.ocadu.ca>; fluid-work at lists.idrc.ocad.ca <fluid-work at lists.idrc.ocad.ca>
Subject: RE: Emergency: Wiki and JIRA instances are now password protected


Hi Gio,



Is it safe to pass the HTTP authentication credentials to partners who are actively using the wiki? Or is the issue expected to be resolved soon enough that it’s unnecessary?



Thanks for taking care of this!



-Jon.





From: fluid-work <fluid-work-bounces at lists.idrc.ocad.ca> On Behalf Of Giovanni Tirloni
Sent: June 3, 2022 6:48 AM
To: everyone at lists.idrc.ocadu.ca; fluid-work at lists.idrc.ocad.ca
Subject: Emergency: Wiki and JIRA instances are now password protected



Hello,



There is a new vulnerability<https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/> currently affecting Confluence (Wiki) that allows an attacker to take over servers by submitting a specially crafted request.



Atlassian has not made a fix available for this issue yet, and in order to stop attackers using automated tools, I have had to enable HTTP Basic Authentication on both the Wiki and JIRA instances.



Username: fluid

Password: fluid



I will keep monitoring the situation and remove the password protection as soon as we are able to deploy a fix for this.



Please note this is in addition to the normal Confluence/JIRA user authentication. After entering the HTTP basic authentication credentials, you'll be prompted for your personal username/password, if you're not logged in yet.



Sorry for the inconvenience. Please report any issues you may find.



Regards,

Giovanni Tirloni

DevOps Engineer

Inclusive Design Research Centre, OCAD University

https://status.inclusivedesign.ca