{"id":18741,"date":"2021-09-06T15:37:13","date_gmt":"2021-09-06T11:37:13","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/confluence-server-cve-2021-26084\/18741\/"},"modified":"2021-09-06T15:37:13","modified_gmt":"2021-09-06T11:37:13","slug":"confluence-server-cve-2021-26084","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/confluence-server-cve-2021-26084\/18741\/","title":{"rendered":"Update your Confluence server now"},"content":{"rendered":"<p>At the end of August, Atlassian, the company behind such tools as Jira, Confluence, and Hipchat, released an update to fix the <a href=\"https:\/\/jira.atlassian.com\/browse\/CONFSERVER-67940\" target=\"_blank\" rel=\"nofollow noopener\">CVE-2021-26084<\/a> vulnerability in its corporate wiki product, Confluence. Since then, security experts have <a href=\"https:\/\/searchsecurity.techtarget.com\/news\/252506129\/Atlassian-Confluence-flaw-under-active-attack\" target=\"_blank\" rel=\"nofollow noopener\">observed<\/a> widespread scanning for vulnerable Confluence servers and active exploitation attempts. We recommend that all Confluence Server and Data Center administrators <a href=\"https:\/\/www.atlassian.com\/software\/confluence\/download-archives\" target=\"_blank\" rel=\"nofollow noopener\">update<\/a> as soon as possible.<\/p>\n<h2>What is CVE-2021-26084?<\/h2>\n<p>CVE-2021-26084 is an injection vulnerability in Confluence. It originates from the use of Object-Graph Navigation Language (OGNL) in Confluence\u2019s tag system. The flaw lets an attacker inject an OGNL expression that the server then evaluates, which amounts to executing arbitrary code on any machine running Confluence Server or Confluence Data Center, with the privileges of the account the Confluence process runs under. In some cases, even a user who is not authenticated can exploit the vulnerability (if the option <em>Allow people to sign up to create their account<\/em> is enabled). Do not treat that option being off as a mitigation: any authenticated user can still trigger the bug, and only the update removes it.<\/p>\n<p>Atlassian considers this vulnerability critical. 
It has a 9.8 CVSS severity rating, and several <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/poc-proof-of-concept\/\" target=\"_blank\" rel=\"noopener\">proofs of concept<\/a> for exploiting it, including one that achieves <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/remote-code-execution-rce\/\" target=\"_blank\" rel=\"noopener\">remote code execution<\/a> (RCE), are already available online.<\/p>\n<h2>Which versions of Confluence are vulnerable?<\/h2>\n<p>The situation is a bit complicated. Atlassian\u2019s clients run many different versions of Confluence and are not known for updating promptly. According to Atlassian\u2019s official description, the fix ships in versions 6.13.23, 7.4.11, 7.11.6, 7.12.5, and 7.13.0. That leaves CVE-2021-26084 exploitable on all Confluence Server and Data Center versions before 6.13.23, from 6.14.0 up to but not including 7.4.11, from 7.5.0 up to but not including 7.11.6, and from 7.12.0 up to but not including 7.12.5. This vulnerability does not affect Confluence Cloud.<\/p>\n<h2>How to stay safe<\/h2>\n<p>Atlassian recommends updating to the newest Confluence release, which is 7.13.0 at the time of writing. If that is not an option, users of 6.13.<em>x<\/em> versions are advised to update to 6.13.23; 7.4.<em>x<\/em> to 7.4.11; 7.11.<em>x<\/em> to 7.11.6; and 7.12.<em>x<\/em> to 7.12.5. The company also offers <a href=\"https:\/\/confluence.atlassian.com\/doc\/confluence-security-advisory-2021-08-25-1077906215.html\" target=\"_blank\" rel=\"nofollow noopener\">several temporary workarounds<\/a> for Linux-based and Microsoft Windows\u2013based installations, for those who cannot apply even those incremental updates. Treat the workarounds as a stopgap until the update is installed, not as a substitute for it.<\/p>\n<p>Machines running Confluence are endpoints, just like any other server. 
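<\/p>\n<p>As an added check (example code written for this page, not Atlassian\u2019s or Kaspersky\u2019s), the script below encodes the version ranges quoted above and reports whether a given Confluence Server or Data Center version is affected and which release its branch should move to. The host names in it are constructed; the fix releases and the 7.13.0 target are taken from the advisory as reproduced in this post and will be stale for later advisories.<\/p>\n

```python
# Added example (not from the Kaspersky post or Atlassian): classify a
# Confluence Server or Data Center version string against the CVE-2021-26084
# ranges quoted in the post, and name the fix release for its branch.

# Vulnerable ranges as [lower_inclusive, upper_exclusive); the upper bound of
# each range is the release that fixed it. Everything below 6.13.23 is
# affected, so that range has no lower bound.
VULNERABLE_RANGES = [
    (None, (6, 13, 23)),
    ((6, 14, 0), (7, 4, 11)),
    ((7, 5, 0), (7, 11, 6)),
    ((7, 12, 0), (7, 12, 5)),
]

# Fix release per maintained branch, as listed in the post. Anything on a
# branch not listed here should move to the newest release the post names.
BRANCH_FIXES = {
    (6, 13): (6, 13, 23),
    (7, 4): (7, 4, 11),
    (7, 11): (7, 11, 6),
    (7, 12): (7, 12, 5),
}
LATEST = (7, 13, 0)


def parse_version(text):
    # Accepts forms such as '7.4.11' or '7.13.0'; a two-part string is padded
    # with a zero patch level so tuple comparison stays consistent.
    parts = text.strip().split('.')
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError('unrecognised Confluence version: %r' % text)
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))


def is_vulnerable(text):
    # True when the version falls inside any of the affected ranges.
    v = parse_version(text)
    for low, high in VULNERABLE_RANGES:
        if (low is None or v >= low) and v < high:
            return True
    return False


def recommended_fix(text):
    # Returns the version string an affected install should move to, or None
    # when the install already carries the fix.
    v = parse_version(text)
    if not is_vulnerable(text):
        return None
    target = BRANCH_FIXES.get(v[:2], LATEST)
    return '.'.join(str(n) for n in target)


if __name__ == '__main__':
    # Constructed sample inventory, not real hosts.
    inventory = [('wiki-a', '7.4.10'), ('wiki-b', '7.4.11'),
                 ('wiki-c', '6.12.1'), ('wiki-d', '7.13.0')]
    for host, ver in inventory:
        status = 'VULNERABLE, update to ' + recommended_fix(ver) if is_vulnerable(ver) else 'fixed'
        print(host, ver, status)
```

\n<p>Run it against the version each instance reports or the one recorded in your asset inventory. Given the active scanning described above, treat a VULNERABLE result on an internet-reachable Confluence server as a candidate incident, not just a patching ticket: the box may already have been visited, and patching does not evict anyone who got in before it.<\/p>\n<p>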
And just like any other server, they need a good <a href=\"https:\/\/me-en.kaspersky.com\/small-to-medium-business-security?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">security solution<\/a> that makes executing injected code, and whatever the attacker drops afterwards, significantly harder.<\/p>\n<p>Also, keep in mind that the exploit only needs HTTP access to the Confluence web interface. If the server is reachable from the internet, the scanning described above will find it; if it is internal only, attackers first have to get into the company\u2019s network, and experts with <a href=\"https:\/\/me-en.kaspersky.com\/enterprise-security\/managed-detection-and-response?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">Managed Detection and Response<\/a>\u2013class services can detect that kind of suspicious activity. Either way, access to Confluence should be restricted: no one outside the company should be able to reach internal company services, and the self sign-up option mentioned above should be disabled unless there is a clear need for it.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Malefactors are looking for vulnerable Confluence servers and exploiting CVE-2021-26084, an RCE 
vulnerability.<\/p>\n","protected":false},"author":2581,"featured_media":18742,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1916],"tags":[2489,2490,2261,268],"class_list":{"0":"post-18741","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"tag-atlassian","10":"tag-confluence","11":"tag-rce","12":"tag-vulnerabilities"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/confluence-server-cve-2021-26084\/18741\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/confluence-server-cve-2021-26084\/23254\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/confluence-server-cve-2021-26084\/9395\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/confluence-server-cve-2021-26084\/25306\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/confluence-server-cve-2021-26084\/23376\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/confluence-server-cve-2021-26084\/22750\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/confluence-server-cve-2021-26084\/25919\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/confluence-server-cve-2021-26084\/25450\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/confluence-server-cve-2021-26084\/31423\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/confluence-server-cve-2021-26084\/9999\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/confluence-server-cve-2021-26084\/41635\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/confluence-server-cve-2021-26084\/17563\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/confluence-server-cve-2021-26084\/18058\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/confluence-server-cve-202
1-26084\/15209\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/confluence-server-cve-2021-26084\/27273\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/confluence-server-cve-2021-26084\/27490\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/confluence-server-cve-2021-26084\/24300\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/confluence-server-cve-2021-26084\/29640\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/confluence-server-cve-2021-26084\/29433\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/vulnerabilities\/","name":"vulnerabilities"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/18741","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2581"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=18741"}],"version-history":[{"count":0,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/18741\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/18742"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=18741"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=18741"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=18741"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}