Atlassian Confluence: Critical vulnerability being exploited

Atlassian Confluence, the web-based wiki and collaboration platform used by a wide range of companies, is under active attack after Atlassian publicly disclosed a remote code execution vulnerability in its on-premises Confluence products. The flaw, tracked as CVE-2021-26084, carries a critical Common Vulnerability Scoring System (CVSS) rating of 9.8 out of 10. 

CVE-2021-26084 was first reported on 27th July 2021 by Benny Jacob (SnowyOwl), a participant in Atlassian's public bug bounty program. Because of its severity, Atlassian withheld details of the exploitation mechanism until fixed versions were available, releasing the patch and a public security advisory on the same day, 25th August 2021. 

Shortly before the details became public, approximately 14,637 Confluence servers were exposed to the internet and vulnerable, according to Censys, a search engine that indexes internet-connected devices. Once the patch was out, threat actors quickly reverse-engineered the fix and began exploiting unpatched systems. 

Bad Packets, a threat intelligence firm, was one of the first to detect "mass scanning and exploit activity" against Confluence, with scanning hosts observed in China, Hong Kong, Russia, Nepal, the United States, Romania and Brazil. "This vulnerability is being actively exploited in the wild. Affected servers should be patched immediately," Atlassian urged customers in its updated public advisory. 

The Sydney-based company's customers include major organisations such as NASA, Audi, LinkedIn, Docker, HubSpot, the New York Times, GoPro, Morningstar and Twilio. 

On Friday, US Cyber Command (USCYBERCOM) urged Atlassian customers who still hadn't patched their on-premises Confluence Server and Data Center products to do so immediately. USCYBERCOM warned of the large-scale exploitation on Twitter, telling users to "patch immediately if [they] haven't already—this cannot wait until after the weekend." 

What is the Atlassian Confluence flaw? 

CVE-2021-26084 lets an unauthenticated attacker execute arbitrary code remotely on a vulnerable Confluence instance, effectively handing them administrator-level control of the server. From that foothold, attackers can deploy malware, steal data and escalate further into the environment. In the attacks observed so far, the most common payload has been cryptocurrency mining malware. 

This is an Object-Graph Navigation Language (OGNL) injection vulnerability, OGNL being an open-source expression language for Java. The vulnerability affects Confluence Server and Data Center versions that: 

  • Precede version 6.13.23. 
  • Are from version 6.14.0 up to (but not including) 7.4.11. 
  • Are from version 7.5.0 up to (but not including) 7.11.6. 
  • Are from version 7.12.0 up to (but not including) 7.12.5. 

Customers who have upgraded to version 6.13.23, 7.4.11, 7.11.6, 7.12.5 or 7.13.0 are not affected by this vulnerability. CVE-2021-26084 also does not affect Confluence Cloud. 

What should vulnerable customers do? 

Atlassian has published instructions for customers on its CVE-2021-26084 advisory page, telling them to patch immediately and strongly recommending an upgrade to the Long Term Support release, Confluence 7.13.0 or later, to move off the affected versions entirely. 

For customers who cannot move to 7.13.0, Atlassian advises: 

  • 6.13.x installations to upgrade to version 6.13.23. 
  • 7.4.x installations to upgrade to version 7.4.11. 
  • 7.11.x installations to upgrade to version 7.11.6. 
  • 7.12.x installations to upgrade to version 7.12.5. 

Atlassian has also published a script that attempts to mitigate the issue for customers who are vulnerable and unable to upgrade. Atlassian describes this script as only a "temporary workaround", not a replacement for upgrading. 
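Anyone triaging a fleet of Confluence servers needs to turn the affected-version ranges and the per-branch upgrade guidance above into something they can run against an inventory. The following Python is an added example written for this article; it is not Atlassian's mitigation script and not code from the advisory. The version ranges and fixed releases are exactly those quoted above; the host inventory at the bottom is constructed sample data.

```python
"""Triage Confluence Server / Data Center versions against CVE-2021-26084.

Added example for this article, not Atlassian's own tooling. The affected
ranges and fixed releases below are the ones stated in Atlassian's advisory
as quoted in the article; anything else (host names, versions in the sample
inventory) is constructed for illustration.
"""

from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges from the advisory, expressed as lower <= v < upper.
# A lower bound of None means "every version before upper".
AFFECTED_RANGES = [
    (None, (6, 13, 23)),        # everything before 6.13.23
    ((6, 14, 0), (7, 4, 11)),   # 6.14.0 up to but not including 7.4.11
    ((7, 5, 0), (7, 11, 6)),    # 7.5.0 up to but not including 7.11.6
    ((7, 12, 0), (7, 12, 5)),   # 7.12.0 up to but not including 7.12.5
]

# Branch-specific fixed releases for customers who cannot move to 7.13.0,
# keyed on (major, minor) of the running version.
BRANCH_FIXES: Dict[Tuple[int, int], Version] = {
    (6, 13): (6, 13, 23),
    (7, 4): (7, 4, 11),
    (7, 11): (7, 11, 6),
    (7, 12): (7, 12, 5),
}

LTS_TARGET: Version = (7, 13, 0)   # the release Atlassian recommends first


def parse_version(text: str) -> Version:
    """Parse 'major.minor[.patch]' into a comparable tuple.

    A missing patch component is treated as 0. Anything that is not plain
    digits (for example '7.13.0-beta1') is rejected rather than guessed at,
    so a pre-release build never gets silently classified.
    """
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the published affected ranges."""
    v = parse_version(version)
    return any((lo is None or lo <= v) and v < hi for lo, hi in AFFECTED_RANGES)


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def recommended_upgrade(version: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (LTS target, branch fix or None), or None if already fixed.

    The LTS target is always 7.13.0; the branch fix is the fallback for
    customers who cannot leave their current 6.13 / 7.4 / 7.11 / 7.12 line.
    Branches with no listed fallback (e.g. 7.2.x) only get the LTS target.
    """
    if not is_affected(version):
        return None
    major, minor, _ = parse_version(version)
    fallback = BRANCH_FIXES.get((major, minor))
    return fmt(LTS_TARGET), (fmt(fallback) if fallback else None)


def triage(inventory: Dict[str, str]) -> Dict[str, Tuple[bool, Optional[Tuple[str, Optional[str]]]]]:
    """Map host -> (affected?, upgrade advice) for a host->version inventory."""
    return {host: (is_affected(ver), recommended_upgrade(ver)) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are made up.
    sample = {
        "wiki-prod-01": "7.4.3",
        "wiki-prod-02": "7.12.4",
        "wiki-legacy": "6.13.22",
        "wiki-staging": "7.13.0",
        "wiki-old-branch": "7.2.0",
    }
    for host, (affected, advice) in triage(sample).items():
        status = "AFFECTED" if affected else "ok"
        print(f"{host:16} {sample[host]:8} {status:9} {advice or ''}")
```

Running the block prints one line per host; the boundary versions (6.13.23, 7.4.11, 7.11.6, 7.12.5) are deliberately treated as fixed because each range is open at its upper end, which is the detail most likely to be got wrong in a hand-written spreadsheet check.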

Who’s been affected? 

Censys estimated on 25th August that approximately 14,637 exposed and vulnerable Confluence servers were reachable before the vulnerability details became public. By 5th September that number had dropped to 8,597 as organisations applied Atlassian's patches and took compromised servers offline. 

One of the victims of this exploit is Jenkins, the open-source automation server project. The Jenkins developers disclosed last week that threat actors had used the vulnerability to gain access to one of their servers and install Monero cryptocurrency mining malware. 

The compromised Confluence server had already been made read-only and had been deprecated since October 2019, as the project migrated its wiki and team collaboration to GitHub. The Jenkins developers have now permanently taken the affected server offline, reset developer account passwords and rotated privileged credentials. 

"At this time we have no reason to believe that any Jenkins releases, plugins, or source code have been affected," the project said in a statement released on Saturday.
