Active exploitation has been spotted for Confluence Enterprise Server and Data Center software versions which are routinely self-hosted.
Threat actors are exploiting CVE-2021-26084, an OGNL injection vulnerability, and proof-of-concept has been released.
Atlassian released patches on August 25 and advises all customers running affected software to upgrade to version 7.13.0 (LTS). If you are unable to upgrade then there is a temporary workaround.
A vulnerability, with a severity score of 9.8, in Confluence Enterprise Server and Data Center software is currently being actively exploited and revealed by a Vietnamese security researcher Tuan Anh Nguyen when he Tweeted on August 31 that “mass scans have already started”, with threat actors and bug bounty hunters looking for systems vulnerable to CVE-2021-26084. Soon after the exploitation was spotted, two security researchers, Rahul Maini and Harsh Jaiswal published an in-depth explanation of the how-to exploit the vulnerability with several proof-of-concept payloads on GitHub.
Atlassian released patches on August 25 and said “An OGNL injection vulnerability exists that would allow an authenticated user, and in some instances unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.”
The vulnerability impacts the following Confluence Enterprise Server and Data Center versions:
Before version 6.13.23.
Versions 6.14.0 to 7.4.11.
Version 7.5.0 to 7.11.6.
Version 7.12.0 to 7.12.5.
Deepwatch Threat Intelligence Outlook
Deepwatch Threat Intelligence Team has high confidence that increased scanning and exploitation will occur over the next several months. It is highly likely that Ransomware and crypto-mining inspired Threat Actors will also adopt scanning for this vulnerability in their playbooks as another technique to gain the initial access into victim organizations.
Deepwatch highly encourages customers to upgrade to version 7.13.0 (LTS) or higher. If you are unable to upgrade then it is recommended to run one of the scripts provided by Atlassian as a temporary workaround:
Confluence Server or Data Center running on Linux.
Confluence Server or Data Center running on Windows.
Learn more about Deepwatch Managed Detection and Response here.