Background
On August 25, 2021, Atlassian published an advisory for a vulnerability in its Confluence server titled
“CVE-2021-26084: Atlassian Confluence OGNL Injection”
| CVE ID | CVSS Score V3 | CVSS Criticality | Type | Description |
| --- | --- | --- | --- | --- |
| CVE-2021-26084 | 9.8 | Critical | Remote Code Execution | Atlassian Confluence OGNL Injection Vulnerability |
Analysis
CVE-2021-26084
This vulnerability in Atlassian Confluence Server allows an unauthenticated attacker to execute arbitrary code remotely by exploiting insecure handling of OGNL (Object-Graph Navigation Language) on affected servers. OGNL expressions are evaluated server-side, so an attacker who can inject one into an expression the server evaluates gains code execution in the context of the Confluence process. The affected versions are all releases before 6.13.23, 6.14.0 up to but not including 7.4.11, 7.5.0 up to but not including 7.11.6, and 7.12.0 up to but not including 7.12.5.
Initially, Atlassian's advisory stated that an authenticated attacker, or "in some instances" an unauthenticated attacker depending on the configuration, could exploit the flaw. On September 4, 2021, Atlassian updated that statement: authentication is not required to exploit the vulnerability, and it has been exploited in the wild.
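The affected ranges above are easy to misread by hand (6.13.23 is fixed, but 6.14.0 is not), so the following is an added example, not code from the original bulletin or from Atlassian, that encodes exactly those four ranges and checks a version string against them. The version strings at the bottom are constructed sample input; the function names and the handling of suffixes such as "-SNAPSHOT" are assumptions made for this example.

```python
"""Check a Confluence Server version string against the affected ranges for
CVE-2021-26084 as stated in Atlassian's advisory (added example, not
Atlassian's or the bulletin author's code)."""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# (lower bound inclusive or None, upper bound exclusive); the upper bound of
# each range is the first release outside it. Taken from the advisory text.
AFFECTED_RANGES: List[Tuple[Optional[Version], Version]] = [
    (None, (6, 13, 23)),        # everything before 6.13.23
    ((6, 14, 0), (7, 4, 11)),   # 6.14.0 up to, not including, 7.4.11
    ((7, 5, 0), (7, 11, 6)),    # 7.5.0 up to, not including, 7.11.6
    ((7, 12, 0), (7, 12, 5)),   # 7.12.0 up to, not including, 7.12.5
]


def parse_version(text: str) -> Version:
    """Turn '7.4.10', '7.4.10-SNAPSHOT' or '7.4' into a comparable tuple.
    Missing components are treated as 0, so '7.4' compares equal to '7.4.0'.
    Suffix handling is an assumption for this example."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def is_vulnerable(version: str) -> bool:
    """True if the version falls inside any affected range."""
    v = parse_version(version)
    return any((low is None or v >= low) and v < high
               for low, high in AFFECTED_RANGES)


def first_fixed_release(version: str) -> str:
    """Return the first release outside the matching affected range
    (its exclusive upper bound), or '' if the version is not affected."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if (low is None or v >= low) and v < high:
            return ".".join(str(n) for n in high)
    return ""


def triage(inventory: dict) -> List[Tuple[str, str, str]]:
    """Given {host: version}, return (host, version, first_fixed_release)
    for every affected host, sorted by host name."""
    hits = []
    for host, version in sorted(inventory.items()):
        if is_vulnerable(version):
            hits.append((host, version, first_fixed_release(version)))
    return hits


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "wiki-prod": "7.4.10",
        "wiki-dr": "7.4.11",
        "wiki-legacy": "6.13.22",
        "wiki-dev": "7.12.3-SNAPSHOT",
        "wiki-new": "7.13.0",
    }
    for host, version, fixed in triage(sample):
        print(f"{host}: {version} is affected, upgrade to {fixed} or later")
```

Because the ranges are not contiguous, a plain "less than 7.12.5" comparison would wrongly flag 6.13.23 through 6.13.x and 7.4.11 through 7.4.x as affected; the tuple comparison against each range avoids that.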
Solutions and Recommendations
Heading into this long weekend, we strongly recommend that customers running on-premises Confluence review Atlassian's advisory, confirm whether they are running an affected version, and apply the patches immediately if they are. Because exploitation requires no authentication, internet-exposed instances should be patched first. While threat actors are currently known to be abusing CVE-2021-26084 only to install cryptominer malware, this can quickly escalate to other attacks such as ransomware.
Atlassian released its advisory for CVE-2021-26084 on August 25, 2021; it can be reviewed here: https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html