By security practitioners, for security practitioners innovate | novacoast federal | novaSOC | novacoast
By security practitioners, for security practitioners

Critical Remote Code Execution Vulnerability Impacts On-Premises Confluence Environments

Atlassian recommends upgrading immediately, as POC code is available and researchers have detected active exploitation in the wild.

Background

Last week, Atlassian disclosed a critical Remote Code Execution vulnerability within its on-premises Confluence platform (Confluence Server or Data Center). Depending on environment configuration, it is possible for the attacker to remotely execute code on the server without being required to authenticate.

Given the severity of the vulnerability, multiple Proofs of Concept and active vulnerability scanning/exploit attempts discovered by researchers, it is critical these platforms be upgraded immediately.

Vulnerability details 

The vulnerability, CVE-2021-26084, was reported by security researcher Benny Jacob through Atlassian’s bug bounty program. It allows an authenticated user to inject Object-Graph Navigation Language (OGNL) code, resulting in arbitrary Remote Code Execution (RCE). This vulnerability has been rated critical (CVSS 9.8) and can be performed by an unauthenticated attacker if “Allow people to sign up to create their account” is enabled on the server.
 
Many researchers have detected active exploit attempts in the wild, coming from IP addresses located all around the world. CVE-2021-26084 joins many other high profile OGNL injection attacks, such as CVE-2017-5638. This was the Apache Struts 2 Remote Code Execution vulnerability that was exploited by attackers during the high profile Equafax breech in 2017.
 
Given all these factors, Rapid7 recommends upgrading impacted servers immediately, without waiting for standard patch management cycles.

Which versions are affected?

Confluence Server and Data Center versions:

  • < 6.13.23
  • 6.14.0 to 7.4.11
  • 7.5.0 to 7.11.6
  • 7.12.0 to 7.12.5 

 
Mitigation

If at all possible, upgrade to one of the fixed versions immediately: 6.13.23, 7.4.11, 7.11.6, 7.12.5, 7.13.0.
 
If it is not possible to upgrade immediately, Atlassian features a script that can be run as a temporary mitigation. See their official link below.
 
Given the increased attack surface given by “Allow people to sign up to create their account” being enabled, it is worth considering disabling this configuration if possible.

This can be checked in the following configuration: COG > User Management > User Signup Options.

Since this configuration allows unauthenticated users to create an unprivileged account, it is possible this configuration will increase the attack surface of subsequently discovered vulnerabilities in this platform.

Still have questions?

Call the Novacoast SOC at (866) 863-9575 to speak with our briefed technicians who can advise and assist you.

Resources

Official Atlassian Advisory Including Emergency Mitigation Workaround:
https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html 

Rapid7 Advisory:
https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/

NVD Entry:
https://nvd.nist.gov/vuln/detail/CVE-2021-26084

Previous Post

ProxyToken Exchange Vulnerability Allows Attacker To Intercept Others’ Emails

Next Post

Palo Alto Patches a Series of Vulnerabilities Impacting PAN-OS and Cortex XSOAR Platforms

Innovate uses cookies to give you the best online experience. If you continue to use this site, you agree to the use of cookies. Please see our privacy policy for details.