Atlassian Confluence Critical OGNL Vulnerability

Summary

A critical vulnerability has been discovered in Atlassian's Confluence Server and Data Center products that could allow a remote attacker to execute arbitrary commands and gain full access to affected systems. The vulnerability also appears to be under active exploitation.


Threat details

Introduction

Atlassian has identified a critical Object-Graph Navigation Language (OGNL) injection vulnerability, CVE-2021-26084, affecting its Confluence Server and Confluence Data Center products. Atlassian states that an unauthenticated attacker could exploit this vulnerability to take control of an affected system.

Confluence Cloud not affected

Atlassian has confirmed that Confluence Cloud is not affected by CVE-2021-26084.

Vulnerability details

CVE-2021-26084 appears to be the result of Confluence Server and Data Center failing to adequately validate user-supplied input, allowing an attacker to bypass the built-in OGNL security protections. If successful, the attacker would then be able to execute arbitrary code on the affected Confluence Server or Data Center instance.

Proof-of-concepts and active exploitation

Several proof-of-concept exploits for CVE-2021-26084 have been made publicly available and are already beginning to appear in multiple ongoing attacks.


Remediation advice

Affected organisations must review Confluence Security Advisory - 2021-08-25 and apply the necessary updates. Atlassian has confirmed that only the following Confluence Server and Data Center versions are not vulnerable:

  • 6.13.23
  • 7.4.11
  • 7.11.6
  • 7.12.5
  • 7.13.0

If any part of your organisation's Confluence Server and Data Center estate is not updated to one of these versions, it is still vulnerable.
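One way to apply the version list above to an estate inventory, as an added example that is not part of this alert or of Atlassian's guidance. It generalises the list by treating later releases on a fixed branch, and branches newer than 7.13, as fixed (an assumption about Atlassian's release policy), and flags branches with no fixed release as needing a move to a fixed branch. Hostnames and versions in the sample inventory are constructed.

```python
# Added example, not Atlassian's or NHS Digital's code; inventory lines are constructed.
from typing import NamedTuple, Tuple

# The five fixed releases named in the advisory, keyed by major.minor branch.
FIXED_BY_BRANCH = {
    (6, 13): (6, 13, 23),
    (7, 4): (7, 4, 11),
    (7, 11): (7, 11, 6),
    (7, 12): (7, 12, 5),
    (7, 13): (7, 13, 0),
}

Verdict = NamedTuple("Verdict", [("host", str), ("version", str), ("vulnerable", bool), ("action", str)])

def parse_version(text: str) -> Tuple[int, int, int]:
    """'7.12.5' -> (7, 12, 5); a suffix such as '-rc1' is ignored, missing parts become 0."""
    parts = [int(p) for p in text.strip().split("-")[0].split(".")]
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])

def assess(host: str, version: str) -> Verdict:
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is not None:
        if v >= fixed:
            return Verdict(host, version, False, "no action: at or above the fixed release")
        return Verdict(host, version, True, "upgrade to %d.%d.%d" % fixed)
    if v[:2] > (7, 13):
        # Assumption: every branch released after 7.13 already carries the fix.
        return Verdict(host, version, False, "no action: branch newer than 7.13")
    # Branches without a fixed release (for example 7.5 to 7.10) have no in-branch patch.
    return Verdict(host, version, True, "upgrade to 7.11.6, 7.12.5 or 7.13.0")

def triage(inventory: str) -> list:
    """Each inventory line is '<host> <version>' (a constructed format for this example)."""
    return [assess(*line.split()) for line in inventory.strip().splitlines()]

SAMPLE_INVENTORY = """\
wiki-01.example.internal 7.12.5
wiki-02.example.internal 7.10.2
wiki-03.example.internal 6.13.22
wiki-04.example.internal 7.13.1
"""
if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY):
        print(f"{r.host:26} {r.version:8} {'VULNERABLE' if r.vulnerable else 'ok':10} {r.action}")
```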



Last edited: 6 September 2021 3:24 pm