• Severity: 1 - Critical
• CVSS score: 9.8 (Critical)
• CVE ID: CVE-2021-26084

      This vulnerability is being actively exploited in the wild. Affected servers should be patched immediately.

      An OGNL injection vulnerability exists that allows an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.

      The CVE ID is CVE-2021-26084.

      Acknowledgements

      The issue was discovered by Benny Jacob (SnowyOwl) via the Atlassian public bug bounty program.

      The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.

      Affected versions:

      • version < 6.13.23
      • 6.14.0 ≤ version < 7.4.11
      • 7.5.0 ≤ version < 7.11.6
      • 7.12.0 ≤ version < 7.12.5

      Fixed versions:

      • 6.13.23
      • 7.4.11
      • 7.11.6
      • 7.12.5
      • 7.13.0  
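As an added example (not code from this advisory or from Atlassian), the following Python checker encodes the affected and fixed ranges listed above so that a version string taken from a server inventory can be tested against them. It assumes plain dotted numeric versions such as "7.12.4"; the range boundaries are copied verbatim from the lists above, and the sample inventory at the bottom is constructed for illustration.

```python
"""Check a Confluence Server / Data Center version against the CVE-2021-26084
affected ranges in this advisory.

Added example for this page, not an Atlassian tool. Version strings are assumed
to be plain dotted integers (e.g. "7.12.4"); the ranges below are copied from the
advisory's "Affected versions" and "Fixed versions" lists.
"""
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# (lower bound inclusive, or None for "any version below"; upper bound exclusive)
AFFECTED_RANGES: List[Tuple[Optional[str], str]] = [
    (None, "6.13.23"),
    ("6.14.0", "7.4.11"),
    ("7.5.0", "7.11.6"),
    ("7.12.0", "7.12.5"),
]

FIXED_VERSIONS = ["6.13.23", "7.4.11", "7.11.6", "7.12.5", "7.13.0"]


def parse_version(text: str) -> Version:
    """Turn '7.4.11' into (7, 4, 11) so versions compare numerically, not as
    strings (string comparison would wrongly rank '7.4.9' above '7.4.11')."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True if the version falls inside any advisory range."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        above_low = low is None or parse_version(low) <= v
        if above_low and v < parse_version(high):
            return True
    return False


def recommended_fix(version: str) -> Optional[str]:
    """Lowest fixed release above the running version, or None if not affected."""
    if not is_affected(version):
        return None
    v = parse_version(version)
    candidates = [f for f in FIXED_VERSIONS if parse_version(f) > v]
    return min(candidates, key=parse_version)


def assess(version: str) -> str:
    """One-line verdict suitable for an inventory report."""
    fix = recommended_fix(version)
    if fix is None:
        return f"{version}: not in an affected range"
    return f"{version}: AFFECTED, upgrade to {fix} or later"


if __name__ == "__main__":
    # Constructed sample inventory; includes versions mentioned in the comments below.
    for ver in ["3.5.2", "6.13.22", "7.4.10", "7.4.11", "7.12.4", "7.13.5"]:
        print(assess(ver))
```

Note that the check answers only whether a version lies inside the advisory's ranges (for instance, 3.5.2 is covered by "version < 6.13.23"). A host already running a fixed release can still carry persistence left behind by a compromise that happened before the upgrade, which is the situation several commenters below describe; that needs an incident-response review of the host, not a version comparison.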


            [CONFSERVER-67940] Confluence Server Webwork OGNL injection - CVE-2021-26084

Gustavo Efrain Bongiovanni added a comment -

Yes, sadly.

It's just strange, I've upgraded Confluence less than 1 month ago and the version was affected... But Cloud version didn't.

Danijel Pavlovic added a comment - edited

Could have been hit by Confluence Security Advisory 2022-06-02

Gustavo Efrain Bongiovanni added a comment -

I had version 7.13.5 and I've been affected: https://therecord.media/confluence-and-gitlab-servers-targeted-by-new-ransomware-strain/

My files are now encrypted. How may it have happened?

Paul Agirbas added a comment -

Warning from my side:

We just had a case where one Confluence (Server) Application (Running on 7.4.11 <-- should be fixed Version) got affected by this problem.

When the advisory came out, we upgraded the application to the fixed version 7.4.11. Worked for months.
Today we found the exploit on the server again.
In the meantime I did the mitigation step (closed the vulnerability with the script), deleted the crontab entry for the Confluence user and deleted the malicious files under /tmp/.
After that I rebooted the server and it seems to run normally again.

brad-anderson added a comment -

We got hit by this or something else despite being on 7.13. Is there a cleanup guide available?

James Waithe added a comment -

Hi

I posted this question "Is the HOTFIX workaround for CVE-2021-26084 still viable?" on the community channel. My basis is that when the hotfix was released, researchers reverse engineered it to find and test the vulnerability, so understandably, persistent threat actors may try to find a way to create a workaround for the workaround.

Has there been any hint of this, that someone has found a way around this hotfix?

Uwe Schindler (GFBio e.V.) added a comment -

Just got hit by this. Atlassian seems to indicate that upgrading alone is enough. Yet I found the crontab hack mentioned above. Would the Confluence upgrade process have deleted that? Do I need to worry about other malicious files/scripts/binaries this thing has installed?

If you were hacked before the fix was applied then the cleanup of this is yours. There are many ways how this exploit is used, installing a crontab is just one of them. Atlassian can only fix the security hole.

Bruce Reed added a comment -

Just got hit by this. Atlassian seems to indicate that upgrading alone is enough. Yet I found the crontab hack mentioned above. Would the Confluence upgrade process have deleted that? Do I need to worry about other malicious files/scripts/binaries this thing has installed?

Sueyon KO added a comment - edited

I am using Atlassian Confluence 3.5.2, the Enterprise Wiki.

Will this notice be included in the Affected versions as well as version 3.5.2?
Or is version 3.5.2 excluded from Affected versions?

I wonder if I should patch version 3.5.2 or not.

Alex Medved {ConfiForms} added a comment - edited

If you look at what is possible with this exploit - https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md then you will see that reading your database connection details https://confluence.atlassian.com/confkb/how-to-find-confluence-s-database-connection-parameters-779172320.html#:~:text=Solution,xml%20file is an absolutely trivial and a straightforward thing.

The question "if they have done anything like that" remains open.

Assignee: Unassigned
Reporter: Security Metrics Bot (security-metrics-bot)
Votes: 0
Watchers: 167