In the first week of January 2018, a number of computer chip manufacturers confirmed critical vulnerabilities in their processors. Under certain circumstances these vulnerabilities, named Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715), can allow an attacker to steal sensitive information, bypass security restrictions, and gain elevated privileges to client and server software.
Since the publication of these issues, we’ve been working hard to understand the impact on Atlassian Cloud and self-hosted products. Given that these are complex processor vulnerabilities that require patches at many levels and from many companies, we are still working on completely resolving them.
What we can tell you at this time is:
- We know about the vulnerabilities and have prioritized them in our vulnerability management process.
- The underlying AWS infrastructure, on which Atlassian Cloud is built, has been patched and Amazon has published an official statement.
- Bitbucket Pipelines has been patched.
- For all other products, we are still investigating the impact and how we can help customers mitigate risks.
If you are running Atlassian Server or Data Center products, we recommend assessing your own IT environment for risks associated with these vulnerabilities. This includes browsers, operating systems and virtual computing infrastructure. For the patches themselves, we’re aware that Intel, AWS, and others have publicly reported mixed results surrounding performance. Due to the variety of deployment options, we cannot make predictions about the performance impact to Data Center or Server instances, but recommend you work closely with your IT staff and vendors to monitor.
We will continue to work on these issues and expect this effort to continue during the coming weeks as we learn more about the risks, and as software vendors publish their own patches and advice.
Please reach out to our support team if you have additional questions.