{"id":42702,"date":"2021-09-03T21:26:07","date_gmt":"2021-09-03T21:26:07","guid":{"rendered":"http:\/\/62eac289-3b9b-42ac-8259-4f3623709418"},"modified":"2021-09-03T21:26:07","modified_gmt":"2021-09-03T21:26:07","slug":"us-cybercom-says-mass-exploitation-of-atlassian-confluence-vulnerability-ongoing-and-expected-to-accelerate","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/us-cybercom-says-mass-exploitation-of-atlassian-confluence-vulnerability-ongoing-and-expected-to-accelerate\/","title":{"rendered":"US Cybercom says mass exploitation of Atlassian Confluence vulnerability ‘ongoing and expected to accelerate’"},"content":{"rendered":"

US Cybercom has sent out a public notice<\/a> warning IT teams that CVE-2021-26084 — related to Atlassian Confluence — is actively being exploited.<\/p>\n

“Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate. Please patch immediately if you haven’t already\u2014 this cannot wait until after the weekend,” US Cybercom sent out in a tweet on Friday ahead of the Labor Day weekend holiday. <\/p>\n

A number of IT leaders took to social media<\/a> to confirm that it was indeed being exploited<\/a>.<\/p>\n

Atlassian released an advisory<\/a> about the vulnerability on August 25, explaining that the “critical severity security vulnerability” was found in Confluence Server and Data Center versions before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.<\/p>\n

“An OGNL injection vulnerability exists that would allow an authenticated user, and in some instances unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. All versions of Confluence Server and Data Center prior to the fixed versions listed above are affected by this vulnerability,” the company said in its advisory. <\/p>\n

They urged IT teams to upgrade to the latest Long Term Support release and said if that is not possible, there is a temporary workaround. <\/p>\n

“You can mitigate the issue by running<\/a> the script below<\/a> for the Operating System that Confluence is hosted on,” the notice said. <\/p>\n

<\/section>\n

The vulnerability only affects on-premise servers, not those hosted in the cloud.<\/p>\n

Multiple researchers have illustrated how the vulnerability can be exploited and released proof-of-concepts<\/a> showing how it works. <\/p>\n

Bad Packets said<\/a> they “detected mass scanning and exploit activity from hosts in Brazil, China, Hong Kong, Nepal, Romania, Russia and the US targeting Atlassian Confluence servers vulnerable to remote code execution.”<\/p>\n

Censys explained in a blog post<\/a> that over the last few days, their team has “seen a small shift in the number of vulnerable servers still running on the public internet.” <\/p>\n

“On August 31st, Censys identified 13,596 vulnerable Confluence instances, while on September 02, that number has decreased to 11,689 vulnerable instances,” Censys said. <\/p>\n

The company explained that Confluence is a “widely deployed Wiki service used primarily in collaborative corporate environments” and that in recent years it “has become the defacto standard for enterprise documentation over the last decade.” <\/p>\n

“While the majority of users run the managed service, many companies opt to deploy the software on-prem. On August 25th, a vulnerability in Atlassian’s Confluence software was made public. A security researcher named SnowyOwl (Benny Jacob) found that an unauthenticated user could run arbitrary code by targeting HTML fields interpreted and rendered by the Object-Graph Navigation Language (OGNL),” the blog said. <\/p>\n

“Yes, that is the same class of vulnerability used in the Equifax breach back in 2017<\/a>. Just days before this vulnerability was made public, our historical data showed that the internet had over 14,637 exposed and vulnerable Confluence servers. Compare that to the current day, September 1st, where Censys identified 14,701 services that self-identified as a Confluence server, and of those, 13,596 ports and 12,876 individual IPv4 hosts are running an exploitable version of the software.”<\/p>\n

\"vulnerable-confluence-servers-1.png\"<\/span>