US Cyber Command has issued an alert urging US organizations to patch a critical vulnerability (CVE-2021-26084) in Atlassian Confluence that is being massively exploited. The organization tweeted the alert, urging organizations to immediately apply the latest updates issued for Confluence. The Cyber National Mission Force (CNMF) has observed ongoing mass exploitation of the bug and expects the malicious activity to only accelerate.
What Confluence Server and Data Center Versions are affected by this vulnerability?
The vulnerability affects Confluence Server and Data Center versions before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.
What versions are not affected by this vulnerability?
Customers who have upgraded to versions 6.13.23, 7.11.6, 7.12.5, 7.13.0, or 7.4.11 are not affected.
Are Confluence Cloud customers affected by this vulnerability?
No, Confluence Cloud customers are not affected.
How can a malicious actor exploit this vulnerability?
The OGNL injection vulnerability allows an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.
How can the vulnerability be mitigated?
The advisory released by Atlassian lists the following mitigation steps:
- If you are running an affected version, upgrade to version 7.13.0 (LTS) or higher.
- If you are running a 6.13.x version and cannot upgrade to 7.13.0 (LTS), then upgrade to version 6.13.23.
- If you are running a 7.4.x version and cannot upgrade to 7.13.0 (LTS), then upgrade to version 7.4.11.
- If you are running a 7.11.x version and cannot upgrade to 7.13.0 (LTS), then upgrade to version 7.11.6.
- If you are running a 7.12.x version and cannot upgrade to 7.13.0 (LTS), then upgrade to version 7.12.5.
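The affected ranges and per-branch fix versions above map directly onto a small version check that a defender can run over an inventory of Confluence installs. The script below is an added example, not code from Atlassian or from the advisory; the function and constant names are my own, and version strings are assumed to be plain dotted numerics (a suffix such as a build tag is not handled).

```python
from typing import Optional, Tuple

# Affected ranges for CVE-2021-26084 as listed in the text above:
# (lower bound inclusive, upper bound exclusive, fix version for that branch).
# The first range covers everything before 6.13.23.
AFFECTED_RANGES = [
    ((0, 0, 0), (6, 13, 23), "6.13.23"),
    ((6, 14, 0), (7, 4, 11), "7.4.11"),
    ((7, 5, 0), (7, 11, 6), "7.11.6"),
    ((7, 12, 0), (7, 12, 5), "7.12.5"),
]

# Atlassian's preferred target for any affected install (LTS release).
RECOMMENDED_LTS = "7.13.0"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '7.4.10' into (7, 4, 10) so tuples compare numerically, not lexically."""
    return tuple(int(part) for part in version.strip().split("."))


def affected_by_cve_2021_26084(version: str) -> Optional[str]:
    """Return the branch fix version if `version` is affected, otherwise None."""
    installed = parse_version(version)
    for lower, upper, fix in AFFECTED_RANGES:
        if lower <= installed < upper:
            return fix
    return None


def upgrade_advice(version: str) -> str:
    """One-line remediation advice for an inventory report (hypothetical helper)."""
    fix = affected_by_cve_2021_26084(version)
    if fix is None:
        return f"{version}: not affected"
    return f"{version}: AFFECTED, upgrade to {RECOMMENDED_LTS} (LTS) or at least {fix}"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for installed in ["6.13.22", "7.4.10", "7.6.2", "7.12.3", "7.12.5", "7.13.0"]:
        print(upgrade_advice(installed))
```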
Is there a workaround available for those who are unable to upgrade the Confluence version?
Yes, Atlassian has disclosed a temporary workaround for those who are unable to upgrade to a fixed version. The bug can be mitigated by running a script for the operating system that Confluence is hosted on. Atlassian has shared the script in its security advisory.