CVE-2021-26084: Patch the Confluence Servers Now!

Published September 11, 2021 (last modified April 5, 2023)

The United States Cyber Command and the Cybersecurity and Infrastructure Security Agency (CISA) rang the warning bells for companies to patch a critical vulnerability (CVE-2021-26084) in Atlassian Confluence Server and Data Center. Here is our analysis of this vulnerability.

{Updated on October 08, 2021}: Atom Silo, a new ransomware group, has been found actively exploiting CVE-2021-26084 in Atlassian Confluence Server and Data Center. According to Sophos researchers, Atom Silo is identical to LockFile in that malicious dynamic-link libraries are side-loaded to disrupt endpoint security software. This incident is a clear warning of the danger of leaving publicly known security flaws in internet-facing software unpatched, even for a short period of time.

{Updated on October 01, 2021}: Researchers at Trend Micro have discovered that the z0Miner cryptominer has been actively exploiting CVE-2021-26084. On both Windows and Linux, the exploit is used to plant webshells on Atlassian installations, which are then used to run cryptominers on the vulnerable systems. In addition, Palo Alto Networks has recognized multiple attacks that managed to upload customers' password files, download malware-laced scripts, and drop a miner. We urge users to apply the latest patches for this critical vulnerability before they are hit by threats like z0Miner.

On August 25, 2021, Atlassian published a security advisory for a remote code execution (RCE) vulnerability in its Confluence Server, a popular team collaboration tool used by some of the world's largest companies. As a critical vulnerability, CVE-2021-26084 can have a powerful impact, and with more attacks expected in the following days, advisories were issued by CISA and the United States Cyber Command (USCC).


This critical-rated Object-Graph Navigation Language (OGNL) injection vulnerability in Confluence's Webwork component can allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.

Widespread Availability of PoCs Worsening the Situation

With the extensive availability of RCE exploits, hackers are aggressively looking for and exploiting vulnerable Confluence servers to install cryptominers, further worsening the situation.

"From a pentester's perspective, this exploit is simple to implement and will execute a command on the targeted server, if successful. In the wild, attempts to hack servers running vulnerable software versions were also discovered."

On September 4, 2021, Jenkins, a global open-source automation project, revealed that it had suffered a security breach of its internal servers. Soon after discovering the successful server hack, the Jenkins team shut down the Confluence server, which had remained unused since 2019. The Jenkins developers found that the Confluence exploit (CVE-2021-26084) had been used to install a Monero miner in the container running the service.


With the PoC public and threat actors jumping at the opportunity to actively exploit the vulnerability, Atlassian issued an advisory to its customers to upgrade to the latest long-term support release or to run its script on Windows and Linux operating systems to mitigate the issue.

Reasons for the High Impact