At the end of August, Atlassian, the company behind such tools as Jira, Confluence, and Hipchat, announced the release of an update to fix the CVE-2021-26084 vulnerability in its corporate wiki tool, Confluence. Since then, security experts have seen widespread searches for vulnerable Confluence servers and active exploitation attempts. We recommend all Confluence Server administrators update as soon as possible.
What is CVE-2021-26084?
CVE-2021-26084 is a vulnerability in Confluence. It stems from the use of Object-Graph Navigation Language (OGNL) in Confluence's tag system. The vulnerability permits the injection of OGNL expressions and thus execution of arbitrary code on servers running Confluence Server or Confluence Data Center. In some cases, even an unauthenticated user can exploit it (if the "Allow people to sign up to create their account" option is enabled).
Atlassian considers this vulnerability critical. It has a 9.8 CVSS severity rating, and several proof-of-concepts for exploiting it, including a version that permits remote code execution (RCE), are already available online.
Which versions of Confluence are vulnerable?
The situation is a bit complicated. Atlassian's customers run many different versions of Confluence and are not known for updating promptly. According to Atlassian's official description, the company has released fixes in versions 6.13.23, 7.4.11, 7.11.6, 7.12.5, and 7.13.0. That leaves CVE-2021-26084 exploitable on Confluence Server versions earlier than 6.13.23, from 6.14.0 up to (but not including) 7.4.11, from 7.5.0 up to (but not including) 7.11.6, and from 7.12.0 up to (but not including) 7.12.5. This vulnerability does not affect Confluence Cloud users.
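As an added example (not part of the original post), a small check that maps an installed Confluence Server version onto the affected ranges listed above, so an administrator can run it against an inventory export; it assumes each range ends just before the fixed release Atlassian names, and the sample versions at the bottom are constructed:

```python
# Added example, not Atlassian's code. Classifies a Confluence Server /
# Data Center version string against the CVE-2021-26084 ranges from the
# advisory. Assumption: ranges are half-open, so the fixed release itself
# (6.13.23, 7.4.11, 7.11.6, 7.12.5) is NOT vulnerable.
import re
from typing import Dict, Iterable, List, Optional, Tuple

Version = Tuple[int, ...]

# (lower bound inclusive, or None for "everything before"; fixed version exclusive)
AFFECTED_RANGES: List[Tuple[Optional[Version], Version]] = [
    (None,        (6, 13, 23)),   # all releases before 6.13.23
    ((6, 14, 0),  (7, 4, 11)),    # 6.14.0 <= v < 7.4.11
    ((7, 5, 0),   (7, 11, 6)),    # 7.5.0  <= v < 7.11.6
    ((7, 12, 0),  (7, 12, 5)),    # 7.12.0 <= v < 7.12.5
]

def parse_version(text: str) -> Version:
    """Turn '7.4.10' (or '7.13', '7.4.10-rc1') into a comparable int tuple."""
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    # pad to three components so that '7.13' compares like 7.13.0
    return parts + (0,) * max(0, 3 - len(parts))

def is_vulnerable(text: str) -> bool:
    """True if the version sits inside any affected range."""
    v = parse_version(text)
    for low, fixed in AFFECTED_RANGES:
        if (low is None or v >= low) and v < fixed:
            return True
    return False

def check(versions: Iterable[str]) -> Dict[str, bool]:
    """Map each version string in an inventory to its vulnerable/not verdict."""
    return {ver: is_vulnerable(ver) for ver in versions}

if __name__ == "__main__":
    # constructed sample inventory
    sample = ["6.13.22", "6.13.23", "7.4.10", "7.4.11", "7.12.4", "7.13.0"]
    for ver, vuln in check(sample).items():
        print(f"Confluence {ver}: {'UPDATE NEEDED' if vuln else 'not in an affected range'}")
```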
How to stay safe
Atlassian recommends updating to the newest Confluence version, 7.13.0. If that is not an option, users of 6.13.x versions are advised to update to 6.13.23, 7.4.x users to 7.4.11, 7.11.x users to 7.11.6, and 7.12.x users to 7.12.5. For those who cannot manage even those incremental updates, the company also offers several temporary workarounds for Linux-based and Microsoft Windows–based installations.
Machines running Confluence are endpoints, just like any other server. And just like any other server, they need a good security solution to make running arbitrary code significantly harder.
Also, keep in mind that exploiting the vulnerability remotely would require attackers to get into the company’s network, and experts with Managed Detection and Response–class services can detect that kind of suspicious activity. It’s also worth noting that access to Confluence should be restricted — no one outside the company should have access to internal company services.