Atlassian released security updates to patch a remote code execution vulnerability (CVE-2021-26084) in Confluence Server and Data Center. Exploitation in the wild has been detected since Atlassian patched the vulnerability last week.
According to the Atlassian Critical advisory issued on August 25, the Confluence Server Webwork OGNL injection vulnerability (CVE-2021-26084) “could allow an authenticated user, and in some instances unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.”
All versions of Confluence Server and Data Center prior to the patched versions listed below are affected:
- < 6.13.23
- 6.14.0 ≤ version < 7.4.11
- 7.5.0 ≤ version < 7.11.5
- 7.12.0 ≤ version < 7.12.5
New Confluence versions 6.13.23, 7.4.11, 7.11.6, 7.12.5, and 7.13.0 fix this vulnerability. Confluence Cloud customers are not affected. Atlassian also published more details on the issue in CONFSERVER-67940.
Moreover, Bad Packets sent out a tweet warning of “mass scanning and exploit activity” regarding the Confluence vulnerability.
The Australian Cyber Security Centre (ACSC) also issued an alert on the issue.
Finally, it is worth noting that threat actors have exploited unpatched Atlassian products in the past, such as an Atlassian remote code execution vulnerability (CVE-2019-11580), one of the top 12 most commonly exploited vulnerabilities in 2020.
Organizations are strongly advised to apply the Atlassian updates as soon as possible.