CVE-2021-26084: Patch the Confluence Servers Now!

Published September 11, 2021 (last modified April 5, 2023) at https://webdev.securin.xyz/articles/cve-2021-26084-patch-the-confluence-servers-now/
The United States Cyber Command and the Cybersecurity and Infrastructure Security Agency (CISA) have sounded the alarm, urging companies to patch a critical vulnerability (CVE-2021-26084) in Atlassian Confluence Server and Data Center. Here is our analysis of this vulnerability.
Updated on October 08, 2021: Atom Silo, a new ransomware group, has been found actively exploiting CVE-2021-26084 in Atlassian Confluence Server and Data Center. According to Sophos researchers, Atom Silo is identical to LockFile: malicious dynamic-link libraries are side-loaded in order to disrupt endpoint security software. This incident is a stark reminder of the danger of leaving publicly known security flaws in internet-facing software unpatched, even for a short period of time.
Updated on October 01, 2021: Researchers at Trend Micro have discovered that the z0Miner cryptominer has been actively exploiting CVE-2021-26084. On vulnerable Atlassian installations on Windows and Linux, the attack creates web shells that are then used to run cryptominers. In addition, Palo Alto Networks has observed multiple attacks that uploaded customers' password files, downloaded malware-laced scripts, and dropped a miner. We urge users to apply the latest patches for this critical vulnerability before they are hit by threats like z0Miner.
On August 25, 2021, Atlassian published a security advisory for a remote code execution (RCE) vulnerability in its Confluence Server, a popular team collaboration tool used by some of the world's largest companies. Because CVE-2021-26084 is rated critical and more attacks are expected in the coming days, CISA and the United States Cyber Command (USCC) have issued advisories of their own.
This critical-rated Object-Graph Navigation Language (OGNL) injection vulnerability allows an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server (Webwork) or Data Center instance.
Widespread Availability of PoCs Worsening the Situation
With RCE exploits widely available, attackers are aggressively scanning for and exploiting vulnerable Confluence servers to install cryptominers, further worsening the situation.
"From a pentester's perspective, this exploit is simple to implement and will execute a command on the targeted server, if successful. In the wild, attempts to hack servers running vulnerable software versions were also discovered."
On September 4, 2021, Jenkins, the widely used open-source automation server project, revealed that its internal servers had been breached. Soon after discovering the compromise, the Jenkins team shut down the affected Confluence server, which had remained unused since 2019. The Jenkins developers found that the CVE-2021-26084 exploit had been used to install a Monero miner in the container running the service.
With the PoC public and threat actors actively exploiting the vulnerability, Atlassian issued an advisory urging customers to upgrade to the latest long-term support release or to run its mitigation script on Windows and Linux systems.
Reasons for the High Impact
- CVE-2021-26084 is a nasty vulnerability that could allow an unauthenticated attacker to execute commands remotely on a susceptible server.
- The flaw carries a CVSS v3 score of 9.8 (critical) out of 10.
- According to the National Vulnerability Database (NVD), the vulnerability is classified under CWE-74, Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection').
- Atlassian asserts on its website that Confluence is used by over 60,000 customers, including Audi, HubSpot, NASA, LinkedIn, Twilio, and Docker.
Vulnerable Products
Atlassian Confluence is a web-based team collaboration tool for managing workspaces and projects, operated on a company's own servers. Confluence Data Center is a more feature-rich edition that adds team calendars, analytics, advanced permissions management, content delivery network integration, and more.

The vulnerability is present in multiple versions of Confluence Server and Data Center. The affected versions are:
- version < 6.13.23
- 6.14.0 ≤ version < 7.4.11
- 7.5.0 ≤ version < 7.11.5
- 7.12.0 ≤ version < 7.12.5
After addressing the issue, Atlassian published fixed versions of each affected product, along with mitigation instructions.
Global Exposure
According to the Shodan search engine, 9,203 potentially affected instances are accessible from the Internet, with around 21% located in Germany, followed closely by the United States (20%) and China (18%).
Fortunately, popular scanners such as Nessus, Qualys, and Nexpose are able to detect this issue using the following plugin IDs.