Atlassian recommends upgrading immediately, as POC code is available and researchers have detected active exploitation in the wild.
Background
Last week, Atlassian disclosed a critical Remote Code Execution vulnerability within its on-premises Confluence platform (Confluence Server or Data Center). Depending on environment configuration, it is possible for the attacker to remotely execute code on the server without being required to authenticate.
Given the severity of the vulnerability, multiple Proofs of Concept and active vulnerability scanning/exploit attempts discovered by researchers, it is critical these platforms be upgraded immediately.
Vulnerability details
The vulnerability, CVE-2021-26084, was reported by security researcher Benny Jacob through Atlassian’s bug bounty program. It allows an authenticated user to inject Object-Graph Navigation Language (OGNL) code, resulting in arbitrary Remote Code Execution (RCE). This vulnerability has been rated critical (CVSS 9.8) and can be performed by an unauthenticated attacker if “Allow people to sign up to create their account” is enabled on the server.
Many researchers have detected active exploit attempts in the wild, coming from IP addresses located all around the world. CVE-2021-26084 joins many other high profile OGNL injection attacks, such as CVE-2017-5638. This was the Apache Struts 2 Remote Code Execution vulnerability that was exploited by attackers during the high profile Equafax breech in 2017.
Given all these factors, Rapid7 recommends upgrading impacted servers immediately, without waiting for standard patch management cycles.
Which versions are affected?
Confluence Server and Data Center versions:
- < 6.13.23
- 6.14.0 to 7.4.11
- 7.5.0 to 7.11.6
- 7.12.0 to 7.12.5
Mitigation
If at all possible, upgrade to one of the fixed versions immediately: 6.13.23, 7.4.11, 7.11.6, 7.12.5, 7.13.0.
If it is not possible to upgrade immediately, Atlassian features a script that can be run as a temporary mitigation. See their official link below.
Given the increased attack surface given by “Allow people to sign up to create their account” being enabled, it is worth considering disabling this configuration if possible.
This can be checked in the following configuration: COG > User Management > User Signup Options.
Since this configuration allows unauthenticated users to create an unprivileged account, it is possible this configuration will increase the attack surface of subsequently discovered vulnerabilities in this platform.
Still have questions?
Call the Novacoast SOC at (866) 863-9575 to speak with our briefed technicians who can advise and assist you.
Resources
Official Atlassian Advisory Including Emergency Mitigation Workaround:
https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
Rapid7 Advisory:
https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/
NVD Entry:
https://nvd.nist.gov/vuln/detail/CVE-2021-26084
