DIVD-2021-00023 - Atlassian Confluence OGNL injection (RCE)

Our reference DIVD-2021-00023
Case lead Victor Gevers
Author Pepijn van der Stap
Researcher(s)
  • Pepijn van der Stap
CVE(s)
Product Atlassian Confluence
Versions n/a
Recommendation If you received a notification of a vulnerability, patch your system with the information provided in this notification.
Patch status Available
Status Closed
Last modified 02 Nov 2022 21:12 CET

Summary

On August 25, 2021, Atlassian published information about a critical remote code execution vulnerability (CVE-2021-26084) affecting Atlassian Confluence Server and Confluence Data Center. A public exploit code was released on August 31, 2021. In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.

What you can do

If you receive a notification, make sure the vulnerability described in that notification is patched. The notification will be sent along with a location and description of the vulnerability. If you have any questions regarding the mitigation of these vulnerabilities, feel free to reply to the email and we’ll gladly help.

What we are doing

DIVD is currently searching for vulnerable instances of Confluence. Any party vulnerable to this OGNL injection will be informed. Instead of running code on your system(s) we use the OGNL language to multiply two digits. We then check the response for a valid answer.

Timeline

Date Description
01 Sep 2021 Atlassian publishes advisory for CVE-2021-26084.
22 Sep 2021 DIVD opens case DIVD-2021-00023
20 Oct 2021 DIVD starts OSINT research.
29 Dec 2021 Case closed because of low number of vulnerable systems
20 Feb 2022 Case reopened because significant systems are still affected.
06 Mar 2022 Rescanning
07 Mar 2022 First batch of notifications sent out
08 Mar 2022 First version of this case file online
10 Oct 2022 Case closed
gantt title DIVD-2021-00023 - Atlassian Confluence OGNL injection (RCE) dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2021-00023 - Atlassian Confluence OGNL injection (RCE) (383 days) :2021-09-22, 2022-10-10 section Events Atlassian publishes advisory for CVE-2021-26084. : milestone, 2021-09-01, 0d DIVD opens case DIVD-2021-00023 : milestone, 2021-09-22, 0d DIVD starts OSINT research. : milestone, 2021-10-20, 0d Case closed because of low number of vulnerable systems : milestone, 2021-12-29, 0d Case reopened because significant systems are still affected. : milestone, 2022-02-20, 0d Rescanning : milestone, 2022-03-06, 0d First batch of notifications sent out : milestone, 2022-03-07, 0d First version of this case file online : milestone, 2022-03-08, 0d Case closed : milestone, 2022-10-10, 0d

More information