Active Exploitation of Confluence Server CVE-2021-26084
On August 25, 2021, Atlassian published details on CVE-2021-26084, a critical remote code execution vulnerability in Confluence Server and Confluence Data Center. The vulnerability arises from an OGNL injection flaw and allows authenticated attackers, “and in some instances an unauthenticated user,” to execute arbitrary code on Confluence Server or Data Center instances.
The vulnerable endpoints can be accessed by a non-administrator user or unauthenticated user if “Allow people to sign up to create their account” is enabled. To check whether this is enabled, go to COG > User Management > User Signup Options. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.
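The affected-version ranges above are easy to misread during triage, so here is an added example (not from the Rapid7 post or Atlassian) that flags which entries in a constructed Confluence inventory fall inside them; it assumes plain dotted numeric version strings such as "7.4.10".

```python
# Added example (not from the Rapid7 post): classify Confluence Server/Data Center
# versions against the affected ranges stated in the advisory text for CVE-2021-26084.
# Assumes version strings are dotted integers such as "7.4.10" (no suffixes).

from typing import Dict, List, Tuple

Version = Tuple[int, ...]

def parse_version(s: str) -> Version:
    """Parse a dotted Confluence version like '7.12.4' into a comparable tuple."""
    return tuple(int(part) for part in s.strip().split("."))

# Affected ranges as (lower inclusive, upper exclusive), taken from the text:
#   before 6.13.23; 6.14.0 to before 7.4.11; 7.5.0 to before 7.11.6;
#   7.12.0 to before 7.12.5.  Each upper bound is a fixed release.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((0, 0, 0), parse_version("6.13.23")),
    (parse_version("6.14.0"), parse_version("7.4.11")),
    (parse_version("7.5.0"), parse_version("7.11.6")),
    (parse_version("7.12.0"), parse_version("7.12.5")),
]

def is_affected(version: str) -> bool:
    """Return True if the version lies in any affected range for CVE-2021-26084."""
    v = parse_version(version)
    # Tuple comparison handles "7.4.10" < "7.4.11" correctly, unlike string comparison.
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)

def triage_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> version to host -> 'affected' / 'fixed' to build a patch queue."""
    return {host: ("affected" if is_affected(ver) else "fixed")
            for host, ver in inventory.items()}

if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {"wiki-01": "7.4.10", "wiki-02": "7.13.0",
              "wiki-03": "6.13.23", "wiki-04": "7.12.4"}
    for host, status in triage_inventory(sample).items():
        print(f"{host}: {status}")
```

Hosts reported as "affected" should be patched first; note that the check says nothing about whether self-signup is enabled, which only widens who can reach the vulnerable endpoints.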
Proof-of-concept exploit code has been publicly available since August 31, 2021, and both Rapid7 and community researchers have observed active exploitation as of September 2. Confluence Server and Data Center customers who have not already done so should update to a fixed version immediately, without waiting for their typical patch cycles. For a complete list of fixed versions, see Atlassian’s advisory here.
For full vulnerability analysis, including triggers and check information, see Rapid7’s analysis in AttackerKB.
Rapid7 customers
Rapid7's Managed Detection and Response (MDR) team has observed active exploitation against vulnerable Confluence targets. InsightIDR customers should ensure that the Insight Agent is installed on all Confluence servers to maximize post-compromise detection visibility.
InsightVM and Nexpose customers can assess their exposure to active exploitation confluence server 26084