Atlassian Confluence Server and Data Center Vulnerability

By Frank Wood on September 22, 2021

(By: Frank Wood on September 10, 2021)

Executive Summary

Atlassian Confluence is a service that allows users within an organization to share, collaborate on, and organize projects with each other. The company offers three hosting options for the product: Confluence Server, Confluence Data Center, and Confluence Cloud. Atlassian has an estimated 180,000 customers; some of the more notable ones are Boeing, Northrop Grumman, Raytheon, NASA, Charles Schwab, Delta, and Visa.

On August 25, 2021, Atlassian published a security advisory stating that Confluence Server and Confluence Data Center were subject to Object-Graph Navigation Language (OGNL) injection. [1] In the advisory, Atlassian listed 31 affected versions of these products and urged system administrators to update to the fixed versions. One week after the advisory was issued, on September 1, 2021, Troy Mursch of Bad Packets detected scanning traffic searching for vulnerable Confluence Servers in an attempt to exploit them. [5] Once news broke about active exploitation attempts, U.S. CYBERCOM issued a warning via Twitter that “Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate. Please patch immediately if you haven’t already — this cannot wait until after the weekend.” [3]

Around the same time, the Jenkins Project confirmed that its Confluence instance had indeed been attacked and exploited. Once the compromise was detected, Jenkins Project system administrators took the server offline to prevent further exploitation and to investigate the impact. [4]

Vulnerability

Confluence Server and Data Center – CVE-2021-26084 – Confluence Server Webwork OGNL injection. [1] This vulnerability allows an unauthenticated remote attacker to exploit Confluence Server and Data Center instances by sending a crafted Object-Graph Navigation Language script, which would allow the attacker to execute arbitrary code. [5]

Impact

Confluence Server Webwork Object-Graph Navigation Language injection could have far-reaching consequences if patches are not put in place. In a rapid response effort to determine the impact, Censys, a search engine that indexes devices on the internet, found over 12,000 affected servers on September 1st. The number has since decreased, but as of September 5th, 8,597 servers were still unpatched. [5]

According to Troy Mursch of Bad Packets, attackers are using the compromised servers, whether Windows or Linux, to install XMRig cryptocurrency miners. This was backed up by Kevin Beaumont, a cybersecurity researcher who used Confluence server honeypots to attract attackers. Accompanying the XMRig miners is the Kinsing malware. [5] This malware replicates itself across the infected network to aid in growing the cryptocurrency-mining botnet.

Mitigation

The mitigation for this vulnerability is to update to version 7.13.0 or higher. If the system cannot be updated to 7.13.0, the remediation is to update to the fixed release for the version line in use:

  • Any version below 6.13.xx: update to version 6.13.23.
  • Any version from 6.14.0 before 7.4.11: update to version 7.4.11.
  • Any version from 7.5.0 before 7.11.6: update to version 7.11.6.
  • Any version from 7.12.0 before 7.12.5: update to version 7.12.5.
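As an added example (not code from this write-up or from Atlassian), the following Python script applies the remediation table above to an asset inventory, so a defender can see which Confluence hosts are still exposed and the minimum release each one must reach. The host names and version strings are constructed sample data; the fix table treats 6.13.23 as the upper boundary of the lowest affected line, since that is the fixed release named for versions below 6.13.xx, and 7.13.0 and later are treated as not affected.

```python
"""Triage Confluence Server / Data Center versions against the CVE-2021-26084
fix list from the Mitigation section. Example code written for this write-up;
the inventory below is constructed sample data, not real hosts."""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# (lower bound inclusive, upper bound exclusive, minimum fixed release).
# The lowest line starts at 0.0.0 because every release before 6.13.23 is
# affected; gaps between ranges (e.g. 7.4.11 up to 7.5.0) are already fixed.
FIX_TABLE = [
    ((0, 0, 0), (6, 13, 23), "6.13.23"),
    ((6, 14, 0), (7, 4, 11), "7.4.11"),
    ((7, 5, 0), (7, 11, 6), "7.11.6"),
    ((7, 12, 0), (7, 12, 5), "7.12.5"),
]

# Release the advisory recommends when an upgrade to the latest line is possible.
RECOMMENDED = "7.13.0"


def parse_version(text: str) -> Version:
    """Turn '7.4.10' (optionally 'v'-prefixed or carrying a suffix such as
    '-beta1') into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Confluence version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or "0"))


def fixed_version_for(text: str) -> Optional[str]:
    """Return the minimum fixed release for a vulnerable version, or None when
    the version is already at or past the fix for its line."""
    v = parse_version(text)
    for low, high, fixed in FIX_TABLE:
        if low <= v < high:
            return fixed
    return None


def triage(host: str, version: str) -> dict:
    """Build one inventory record with the remediation decision for a host."""
    fixed = fixed_version_for(version)
    return {
        "host": host,
        "version": version,
        "vulnerable": fixed is not None,
        "minimum_fix": fixed,           # smallest in-line upgrade that closes the hole
        "recommended": RECOMMENDED,     # preferred target when a major upgrade is possible
    }


def triage_inventory(inventory: List[Tuple[str, str]]) -> List[dict]:
    """Triage every (host, version) pair and return the vulnerable ones first."""
    records = [triage(h, v) for h, v in inventory]
    return sorted(records, key=lambda r: not r["vulnerable"])


# Constructed sample inventory (hypothetical host names and versions).
SAMPLE_INVENTORY = [
    ("wiki-prod.example.internal", "7.4.10"),
    ("wiki-dr.example.internal", "7.4.11"),
    ("wiki-legacy.example.internal", "6.13.22"),
    ("wiki-lab.example.internal", "7.12.4"),
    ("wiki-new.example.internal", "7.13.0"),
]

if __name__ == "__main__":
    for r in triage_inventory(SAMPLE_INVENTORY):
        status = f"VULNERABLE -> upgrade to {r['minimum_fix']} (or {r['recommended']})" \
            if r["vulnerable"] else "not affected"
        print(f"{r['host']:32} {r['version']:9} {status}")
```

The parser deliberately accepts only the leading numeric components, so build tags or suffixes returned by an inventory tool do not break the comparison, while anything that is not a version string at all raises an error rather than being silently marked safe.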

References

[1] Atlassian. August 25, 2021. “Confluence Security Advisory – 2021-08-25.” confluence.atlassian.com. Accessed September 6, 2021. https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html.

[2] Cybersecurity & Infrastructure Security Agency. September 03, 2021. “Atlassian Releases Security Updates for Confluence Server and Data Center.” us-cert.cisa.gov. Accessed September 6, 2021. https://us-cert.cisa.gov/ncas/current-activity/2021/09/03/atlassian-releases-security-updates-confluence-server-and-data.

[3] Greig, Jonathan. September 03, 2021. “US Cybercom says mass exploitation of Atlassian Confluence vulnerability ‘ongoing and expected to accelerate’.” zdnet.com. Accessed September 6, 2021. https://www.zdnet.com/article/us-cybercom-says-mass-exploitation-of-atlassian-confluence-vulnerability-ongoing-and-expected-to-accelerate/.

[4] Greig, Jonathan. September 03, 2021. “Jenkins project attacked through Atlassian Confluence vulnerability.” zdnet.com. Accessed September 7, 2021. https://www.zdnet.com/article/jenkins-project-attacked-through-atlassian-confluence-vulnerability/.

[5] Narang, Satnam. September 03, 2021. “CVE-2021-26084: Atlassian Confluence OGNL Injection Vulnerability Exploited in the Wild.” tenable.com. Accessed September 7, 2021. https://www.tenable.com/blog/cve-2021-26084-atlassian-confluence-ognl-injection-vulnerability-exploited-in-the-wild.