Atlassian Confluence Critical OGNL Vulnerability
A critical vulnerability has been discovered in Atlassian's Confluence Server and Data Center products that could allow a remote attacker to execute arbitrary commands and gain full access to affected systems. The vulnerability also appears to be under active exploitation.
Affected platforms
The following platforms are known to be affected:
- Confluence Server
- Confluence Data Center
Threat details
Introduction
Atlassian has identified a critical Object-Graph Navigation Language (OGNL) injection vulnerability, CVE-2021-26084, affecting their Confluence Server and Confluence Data Center products. Atlassian states that an unauthenticated attacker could exploit this vulnerability to take control of an affected system.
Confluence Cloud not affected
Atlassian has confirmed that Confluence Cloud is not affected by CVE-2021-26084.
Vulnerability details
CVE-2021-26084 appears to be the result of Confluence Server and Data Center failing to adequately validate user-supplied input, allowing a user to bypass the built-in OGNL security protections. If successful, the user would then be able to execute arbitrary code on the affected Confluence Server or Data Center instance.
Proof-of-concepts and active exploitation
Several proof-of-concept exploits for CVE-2021-26084 have been made publicly available and are already being used in multiple ongoing attacks.
Remediation advice
Affected organisations must review the Confluence Security Advisory - 2021-08-25 and apply the necessary updates. Atlassian has confirmed that only the following Confluence Server and Data Center versions are not vulnerable:
- 6.13.23
- 7.4.11
- 7.11.6
- 7.12.5
- 7.13.0
If your organisation's Confluence Server and Data Center estate is not fully updated to one of these versions, it remains vulnerable.
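To turn the fixed-version list above into a quick estate check, the following added example (not Atlassian's code and not part of this alert) triages a constructed inventory of hostnames and Confluence versions. It goes slightly beyond the alert by assuming that later patch releases in a listed branch, and branches newer than 7.13, also carry the fix; the alert itself only names the five versions.

```python
"""Triage a Confluence Server/Data Center inventory against the CVE-2021-26084 fix list."""
from typing import List, Tuple

# Fixed releases named in the alert, keyed by release branch (major, minor).
FIXED_VERSIONS = {
    (6, 13): (6, 13, 23),
    (7, 4): (7, 4, 11),
    (7, 11): (7, 11, 6),
    (7, 12): (7, 12, 5),
    (7, 13): (7, 13, 0),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch'; a trailing suffix such as '-rc1' is ignored."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_fixed(version: str) -> bool:
    """True if this version carries the fix.

    Assumption (not stated in the alert): patch releases later than the listed
    fix in the same branch, and branches newer than 7.13, also carry the fix.
    Branches with no listed fixed release (e.g. 7.5 to 7.10) are treated as vulnerable.
    """
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_VERSIONS:
        return (major, minor, patch) >= FIXED_VERSIONS[branch]
    return branch > max(FIXED_VERSIONS)


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (hostname, version, status) per host; status is 'fixed' or 'VULNERABLE'."""
    return [(host, ver, "fixed" if is_fixed(ver) else "VULNERABLE") for host, ver in inventory]


# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = [
    ("wiki-prod.example.internal", "7.12.4"),
    ("wiki-dr.example.internal", "7.12.5"),
    ("wiki-legacy.example.internal", "6.13.22"),
    ("wiki-eng.example.internal", "7.8.3"),
    ("wiki-new.example.internal", "7.13.0"),
]

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{status:<10} {host:<30} {ver}")
```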
Last edited: 6 September 2021 4:24 pm