DIVD-2021-00023 - Atlassian Confluence OGNL injection (RCE)
|Case lead||Victor Gevers|
|Author||Pepijn van der Stap|
|Recommendation||If you received a notification of a vulnerability, patch your system with the information provided in this notification.|
|Last modified||13 Mar 2022 09:23|
On August 25, 2021, Atlassian published information about a critical remote code execution vulnerability (CVE-2021-26084) affecting Atlassian Confluence Server and Confluence Data Center. A public exploit code was released on August 31, 2021. In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.
What you can do
If you receive a notification, make sure the vulnerability described in that notification is patched. The notification will be sent along with a location and description of the vulnerability. If you have any questions regarding the mitigation of these vulnerabilities, feel free to reply to the email and we’ll gladly help.
What we are doing
DIVD is currently searching for vulnerable instances of Confluence. Any party vulnerable to this OGNL injection will be informed. Instead of running code on your system(s) we use the OGNL language to multiply two digits. We then check the response for a valid answer.
|01 Sep 2021||Atlassian publishes advisory for CVE-2021-26084.|
|22 Sep 2021||DIVD opens case DIVD-2021-00023|
|20 Oct 2021||DIVD starts OSINT research.|
|29 Dec 2021||Case closed because of low number of vulnerable systems|
|20 Feb 2022||Case reopened because significant systems are still affected.|
|06 Mar 2022||Rescanning|
|07 Mar 2022||First batch of notifications sent out|
|08 Mar 2022||First version of this case file online|
- Deweaponized check for CVE-2021-26084 Remote Code Execution on Confluence
- Atlassian advisory
- Articles on The Record about actualy abuse of this vulnerability
- Atlassian trouble ticket