Critical flaw in Atlassian Confluence actively exploited - Channel Asia Singapore



Hackers have started exploiting a critical remote code execution vulnerability that was patched recently in Atlassian Confluence Server and Data Centre. Some of the attacks deploy cryptocurrency mining malware, but Atlassian products have also been targeted in the past by cyberespionage groups.


"Bad Packets honeypots have detected mass scanning and exploit activity targeting the Atlassian Confluence RCE vulnerability CVE-2021-26084 from hosts in Russia, Hong Kong, Brazil, Nepal, Poland, Romania, Estonia, United States, and Italy," threat intelligence firm Bad Packets told CSO. "Multiple proofs-of-concept have been published publicly demonstrating how to exploit this vulnerability."


Webwork OGNL injection

According to Atlassian, CVE-2021-26084 is an OGNL injection issue in Confluence's Webwork layer that allows an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on servers running affected versions of the products. The Object-Graph Navigation Language (OGNL) is an open-source expression language for getting and setting properties of Java objects. Because OGNL expressions are evaluated inside the Java process and can call arbitrary methods, letting attacker-controlled input reach the expression evaluator is equivalent to handing the attacker code execution.


Atlassian Confluence is a web-based team collaboration platform written in Java for managing workspaces and projects that organisations can run locally on their own servers. Confluence Data Centre is the more feature-rich, self-managed edition of Confluence, with support for things like team calendars, analytics, more advanced permissions management, content delivery network support and more.


The flaw impacts all Atlassian Confluence Server and Data Centre versions prior to 6.13.23, 7.4.11, 7.11.6, 7.12.5 and 7.13.0, which were released on Aug. 25 for the still-supported branches of the software. Atlassian recommends upgrading to the latest release in the 7.13.x branch if possible, since that branch has long-term support. Manual patch scripts that can be run on Linux or Windows hosts have also been provided as a temporary workaround for users who cannot perform a full upgrade.
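The fixed-version list above is easy to misread during triage, because the fix landed at a different patch level on each maintenance branch and every other branch was fixed only by moving to 7.13.0. The following helper, an added example that is not Atlassian's code or a tool the article mentions, encodes that rule: a version on one of the four patched branches is compared against that branch's fix, and a version on any other branch is compared against 7.13.0. It assumes version strings are plain dotted numerics such as "7.12.4"; the sample inputs at the bottom are constructed for illustration.

```python
"""Triage helper: is a Confluence Server / Data Center version still exposed
to CVE-2021-26084?  Added example, not Atlassian's code.

Rule taken from the advisory's fixed-version list: 6.13.x is fixed from
6.13.23, 7.4.x from 7.4.11, 7.11.x from 7.11.6, 7.12.x from 7.12.5, and every
other branch only from 7.13.0 onwards.
"""
from typing import Tuple

Version = Tuple[int, int, int]

# First fixed release on each maintenance branch that received a backport.
FIXED_ON_BRANCH = {
    (6, 13): (6, 13, 23),
    (7, 4): (7, 4, 11),
    (7, 11): (7, 11, 6),
    (7, 12): (7, 12, 5),
}
# Branches without a backport are fixed only by upgrading to this release.
FIRST_FIXED_MAINLINE: Version = (7, 13, 0)


def parse_version(text: str) -> Version:
    """Parse 'major.minor[.patch]' into a comparable tuple (patch defaults to 0).

    Assumption: plain dotted numerics; anything else is rejected rather than
    guessed at, so a malformed inventory entry surfaces instead of passing.
    """
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def fixed_version_for(version: Version) -> Version:
    """Return the release an instance on this branch must reach to be fixed."""
    return FIXED_ON_BRANCH.get(version[:2], FIRST_FIXED_MAINLINE)


def is_vulnerable(text: str) -> bool:
    """True if the version is below the first fixed release that applies to it."""
    version = parse_version(text)
    return version < fixed_version_for(version)


def triage(text: str) -> str:
    """One-line verdict suitable for an asset inventory report."""
    version = parse_version(text)
    target = ".".join(str(n) for n in fixed_version_for(version))
    if version < fixed_version_for(version):
        return f"{text}: VULNERABLE to CVE-2021-26084, upgrade to {target} or later"
    return f"{text}: not affected (at or above {target})"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for sample in ("7.12.4", "7.12.5", "6.13.22", "6.14.0", "7.10.2", "7.13.0", "7.14.1"):
        print(triage(sample))
```

Note that a version such as 6.14.0 or 7.10.2 is reported as vulnerable even though it is numerically above some of the backported fixes: those branches never received a patch, so the only fixed release that applies to them is 7.13.0.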