UPDATED 22:59 EST / SEPTEMBER 05 2021


US Cyber Command warns of active exploitation of Atlassian Confluence vulnerability

The U.S. Cyber Command issued a warning Friday that mass exploitation of Atlassian Corp. PLC’s Confluence software is taking place and that users should patch their installations immediately.

The vulnerability, formally identified as CVE-2021-26084, was disclosed by Atlassian on Aug. 25 and is described as allowing an authenticated user to execute arbitrary code on a Confluence Server or Data Center instance. Confluence Cloud customers are not affected.

The issue affects all versions of Confluence starting at 4.x.x through most versions of 6.x.x and 7.x.x. Customers that have upgraded to versions 6.13.23, 7.4.11, 7.11.6, 7.12.5 or 7.13.0 are not affected.
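A triage helper for the version ranges above, added here as an example and not code from Atlassian or the article: it maps an inventory of Confluence Server/Data Center version strings to the hosts that still lack the CVE-2021-26084 fix. It assumes, as is standard for Atlassian advisories, that later releases on each fixed branch (6.13.x, 7.4.x, 7.11.x, 7.12.x) and every release from 7.13.0 onward also carry the fix; hostnames and versions in the sample are constructed.

```python
"""Decide whether a Confluence version string carries the CVE-2021-26084 fix.

Fixed releases per the advisory: 6.13.23, 7.4.11, 7.11.6, 7.12.5 and 7.13.0.
Assumption (labelled): later patch levels on those branches, and every
release >= 7.13.0, are fixed as well.
"""
import re
from typing import Dict, List, Tuple

# Earliest fixed patch level on each maintained branch: (major, minor) -> patch.
FIXED_ON_BRANCH = {
    (6, 13): 23,
    (7, 4): 11,
    (7, 11): 6,
    (7, 12): 5,
}
# Everything at or above this version is assumed fixed (7.13.0 shipped the fix).
FIXED_FROM = (7, 13, 0)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'major.minor[.patch]'; trailing qualifiers such as '-rc1' are ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Confluence version: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_patched(version: str) -> bool:
    """True if the given Confluence version contains the CVE-2021-26084 fix."""
    major, minor, patch = parse_version(version)
    if (major, minor, patch) >= FIXED_FROM:
        return True
    fixed_patch = FIXED_ON_BRANCH.get((major, minor))
    # Branches with no fixed release (e.g. 7.10.x, 5.x) are vulnerable at every level.
    return fixed_patch is not None and patch >= fixed_patch


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames from {host: version} that still need patching."""
    return sorted(host for host, ver in inventory.items() if not is_patched(ver))


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {"wiki-a": "7.4.10", "wiki-b": "7.4.11", "wiki-c": "6.13.22",
              "wiki-d": "7.13.1", "wiki-e": "7.10.2", "wiki-f": "5.9.1"}
    for host in triage(sample):
        print(f"{host}: Confluence {sample[host]} lacks the CVE-2021-26084 fix")
```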

The Object-Graph Navigation Language injection vulnerability was discovered by a security researcher known as SnowyOwn (Benny Jacob) via the Atlassian bug bounty program. OGNL is an open-source expression language for Java that lets users write simpler expressions than Java supports natively. It’s not known whether the vulnerability stems from an issue in OGNL itself or from a problem Atlassian introduced in its own software.

The vulnerability has been given a Common Vulnerability Scoring System score of 9.8, meaning it’s critical. According to the National Vulnerability Database, the vulnerable endpoints can be accessed by a nonadministrator user, or by an unauthenticated user if the “Allow people to sign up to create their account” option is enabled.

How widespread the attacks targeting Confluence are remains open to some speculation, but notably, Bad Packets posted on Sept. 2 that it had detected mass scanning and exploitation activity. The exploit activity was traced to hosts in Brazil, China, Hong Kong, Nepal, Romania, Russia and the U.S.

Confluence was launched by Atlassian in 2004, offering web-based corporate wiki and collaboration tools for enterprises. Atlassian claims that the software has more than 60,000 customers. Notable users include HubSpot Inc., Audi AG, Twilio Inc., the National Aeronautics and Space Administration, LinkedIn, Docker Inc., Morningstar Inc., The New York Times Co. and GoPro Inc.

This isn’t the first time Confluence has had serious vulnerability issues. In 2017, an urgent patch was released following the discovery of a vulnerability that allowed anyone to view internal company blogs and pages. In 2019, a critical vulnerability allowed an attacker to gain access and steal data.
