DIVD-2021-00023 - Atlassian Confluence OGNL injection (RCE)

Summary

On August 25, 2021, Atlassian published information about a critical remote code execution vulnerability (CVE-2021-26084) affecting Atlassian Confluence Server and Confluence Data Center. A public exploit code was released on August 31, 2021. In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.

What you can do

If you receive a notification, make sure the vulnerability described in that notification is patched. The notification will be sent along with a location and description of the vulnerability. If you have any questions regarding the mitigation of these vulnerabilities, feel free to reply to the email and we’ll gladly help.

What we are doing

DIVD is currently searching for vulnerable instances of Confluence. Any party vulnerable to this OGNL injection will be informed. Instead of running code on your system(s) we use the OGNL language to multiply two digits. We then check the response for a valid answer.

Timeline

More information

• Deweaponized check for CVE-2021-26084 Remote Code Execution on Confluence
• Atlassian advisory
• Articles on The Record about actualy abuse of this vulnerability
• Atlassian trouble ticket