US Cybercom has sent a public notice warning IT teams that CVE-2021-26084 – linked to Atlassian Confluence – is actively being exploited.
“Mass exploitation of Atlassian Confluence CVE-2021-26084 is underway and is expected to accelerate. Please patch immediately if you haven’t already – this can’t wait past the weekend,” US Cybercom said in a tweet sent on the Friday before the Labor Day holiday weekend.
Atlassian published an advisory about the vulnerability on August 25, explaining that the “Critical Severity Security Vulnerability” was found in Confluence Server and Data Center releases before 6.13.23, from 6.14.0 before 7.4.11, from 7.5.0 before 7.11.6, and from 7.12.0 before 7.12.5.
“An OGNL injection vulnerability exists that would allow an authenticated user, and in some cases an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. All versions of Confluence Server and Data Center earlier than the patched versions listed above are affected by this vulnerability,” the company said in its advisory.
Atlassian urged IT teams to upgrade to the latest Long Term Support release and said that, where an upgrade was not possible, a temporary workaround was available.
The vulnerability only affects on-premises servers, not those hosted in the cloud.
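The affected ranges in Atlassian’s advisory are easy to misread during a hurried inventory check (6.13.23 itself is fixed, 7.4.11 is fixed, 7.13.x was never affected). The script below is an added example, not code from Atlassian, ZDNet or any vendor quoted here: it encodes the four ranges from the advisory, compares dotted version strings against them, and flags on-premises hosts that still need patching while skipping cloud-hosted instances, which the advisory excludes. The hostnames and versions in the sample inventory are constructed for illustration.

```python
"""Triage a Confluence inventory against the CVE-2021-26084 affected ranges.

Added example for defenders; not Atlassian's or ZDNet's code.
Ranges are taken from Atlassian's advisory as quoted in the article:
  all releases before 6.13.23
  6.14.0 <= v < 7.4.11
  7.5.0  <= v < 7.11.6
  7.12.0 <= v < 7.12.5
"""
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# (lower bound inclusive or None, upper bound exclusive)
AFFECTED_RANGES: List[Tuple[Optional[str], str]] = [
    (None, "6.13.23"),
    ("6.14.0", "7.4.11"),
    ("7.5.0", "7.11.6"),
    ("7.12.0", "7.12.5"),
]


def parse_version(text: str) -> Version:
    """Turn '7.4.11' into (7, 4, 11); pad short strings so '7.4' == (7, 4, 0).

    Raises ValueError for anything that is not dotted integers, so a
    caller can route odd strings (e.g. 'cloud', 'unknown') to manual review.
    """
    parts = text.strip().split(".")
    if not parts or any(not p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))


def is_affected(version: str) -> bool:
    """True if the version falls inside any advisory range (upper bound exclusive)."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        low_ok = low is None or parse_version(low) <= v
        if low_ok and v < parse_version(high):
            return True
    return False


# Constructed sample inventory: (hostname, reported version, cloud_hosted)
SAMPLE_INVENTORY: List[Tuple[str, str, bool]] = [
    ("wiki-prod-01.example.internal", "7.4.10", False),   # affected
    ("wiki-prod-02.example.internal", "7.13.0", False),   # never affected
    ("wiki-legacy.example.internal", "6.13.22", False),   # affected
    ("example.atlassian.net", "cloud", True),             # out of scope
    ("wiki-lab.example.internal", "7.12.5", False),       # fixed release
]


def triage(inventory: List[Tuple[str, str, bool]]) -> List[Tuple[str, str]]:
    """Return (hostname, reason) for every on-premises host needing attention.

    Cloud-hosted instances are skipped because the advisory scopes the bug to
    Server and Data Center. Unparseable versions are reported rather than
    silently treated as safe.
    """
    findings: List[Tuple[str, str]] = []
    for host, version, cloud_hosted in inventory:
        if cloud_hosted:
            continue
        try:
            if is_affected(version):
                findings.append((host, f"{version} is in an affected range; upgrade"))
        except ValueError:
            findings.append((host, f"unparseable version {version!r}; verify manually"))
    return findings


if __name__ == "__main__":
    for host, reason in triage(SAMPLE_INVENTORY):
        print(f"{host}: {reason}")
```

Feeding the script real inventory data (for example a CSV exported from an asset database) is a matter of building the same (hostname, version, cloud_hosted) tuples; the comparison logic does not change. Keeping the upper bounds exclusive is the detail that matters, since a naive “version <= 7.4.11” check would wrongly flag the fixed release.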
Several researchers have demonstrated how the vulnerability can be exploited and published proof-of-concept code showing how it works.
Bad Packets said it had “detected mass scanning and exploitation activity originating from hosts in Brazil, China, Hong Kong, Nepal, Romania, Russia and the United States, targeting Atlassian Confluence servers vulnerable to remote code execution.”
Censys explained in a blog post that over the past few days, their team has “observed a small change in the number of vulnerable servers still operating on the public Internet.”
“On August 31, Censys identified 13,596 vulnerable Confluence instances, while on September 2, this number increased to 11,689 vulnerable instances,” Censys said.
The company explained that Confluence is a “widely deployed Wiki service, used primarily in collaborative enterprise environments” and that it “has become the de facto standard for enterprise documentation over the last decade.”
“While the majority of users run the managed service, many organizations choose to deploy the software on-premises. On August 25, a vulnerability in Atlassian’s Confluence software was disclosed. A security researcher named SnowyOwl (Benny Jacob) discovered that an unauthenticated user could execute arbitrary code by targeting HTML fields interpreted and rendered by the Object-Graph Navigation Language (OGNL),” the blog said.
“Yes, this is the same class of vulnerability used in the Equifax breach in 2017. Just days before this vulnerability was made public, our historical data showed that the internet had more than 14,637 Confluence servers exposed and vulnerable. Compare that to the current situation on September 1, where Censys identified 14,701 services that self-identified as a Confluence server, and of these, 13,596 ports and 12,876 individual IPv4 hosts are running a vulnerable version of the software.”
“There is no way to take this lightly: it is bad. Initially Atlassian said it was only exploitable if a user had a valid account on the system; it turned out to be incorrect, and the advisory has been updated today to reflect the new information. It is only a matter of time before we start to see active exploitation in the wild, as there have already been functional exploits found scattered around,” added Censys.
Vulcan Cyber CEO Yaniv Bar-Dayan told ZDNet that security teams must fight fire with fire as they work to prioritize and fix this Confluence flaw.
Attackers should not be the first to automate scans for this exploit, and hopefully IT security teams are ahead of their adversaries in proactively identifying the presence of this vulnerability and taking action to mitigate it, said Bar-Dayan.
“Given the nature of Atlassian Confluence, there is a very real chance that components of the platform will be exposed to the Internet,” added Bar-Dayan.
“This means that attackers will not need internal network access to exploit the RCE vulnerability. A fix is available and administrators need to deploy it quickly while considering other mitigation measures, such as ensuring that no public access is available to the Confluence server and services.”
BleepingComputer confirmed Thursday that some malicious actors are installing cryptominers on Windows and Linux Confluence servers using the vulnerability.