Atlassian Confluence Remote Code Execution Vulnerability (CVE-2021-26084) Threat Alert

October 4, 2021 | Jie Ji

Overview

Recently, NSFOCUS CERT found that Atlassian had released a security bulletin announcing a fix for the Confluence Server Webwork OGNL Injection Vulnerability (CVE-2021-26084). This vulnerability allows an authenticated attacker, and in some instances an unauthenticated user, to execute arbitrary code on Confluence Server or Data Center by injecting a crafted OGNL expression. The vulnerability is assigned a CVSS score of 9.8. Affected users should take preventive measures as soon as possible.

Atlassian Confluence is a professional wiki program provided by Atlassian. It is a knowledge management tool that enables team collaboration and knowledge sharing.

Reference link: https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html

Scope of Impact

Affected Versions

  • Confluence < 6.13.23
  • 6.14.0 ≤ Confluence < 7.4.11
  • 7.5.0 ≤ Confluence < 7.11.6
  • 7.12.0 ≤ Confluence < 7.12.5
  • Confluence < 7.13.0

Unaffected Versions

  • Confluence = 6.13.23
  • Confluence = 7.4.11
  • Confluence = 7.11.6
  • Confluence = 7.12.5
  • Confluence = 7.13.0

Vulnerability Check

Manual Check

Users can determine whether an instance is affected by checking its version: select About Confluence to view the current version of Confluence.
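The same check can be run over a list of instances. The script below is an added example, not code from Atlassian or from this alert: it classifies version strings against the four bounded ranges under Affected Versions and reports the upper bound of the matching range, which is the fixed release listed for it under Official Fix. It assumes later releases on a fixed line stay fixed; the host names and inventory are constructed.

```shell
#!/bin/sh
# Added example (not vendor code): classify Confluence versions against this page's ranges.

# ver_key "7.4.9" -> 7004009. Fails unless the input is N.N or N.N.N (digits only).
ver_key() {
    printf '%s\n' "$1" | awk -F. '
        NF < 2 || NF > 3 { exit 1 }
        { for (i = 1; i <= NF; i++) if ($i !~ /^[0-9]+$/) exit 1
          printf "%d\n", $1 * 1000000 + $2 * 1000 + $3 }'
}

# "low high" pairs: affected when low <= version < high; high is the fixed release.
AFFECTED_RANGES='0.0.0 6.13.23
6.14.0 7.4.11
7.5.0 7.11.6
7.12.0 7.12.5'

# confluence_status VERSION -> "affected <fixed release>", "not-affected" or "unknown"
# (unknown = unparseable string such as a milestone build; check those by hand).
confluence_status() {
    v=$(ver_key "$1") || { echo unknown; return 0; }
    while read -r low high; do
        if [ "$v" -ge "$(ver_key "$low")" ] && [ "$v" -lt "$(ver_key "$high")" ]; then
            echo "affected $high"; return 0
        fi
    done <<EOF
$AFFECTED_RANGES
EOF
    echo not-affected
}

# Constructed inventory ("host version"), for illustration only.
SAMPLE_INVENTORY='wiki-a 6.13.21
wiki-b 7.4.11
wiki-c 7.9.3
wiki-d 7.12.4
wiki-e 7.13.0
wiki-f 7.4.0-m2'

# triage: read "host version" lines on stdin and append the status to each.
triage() {
    while read -r host ver; do
        printf '%s %s %s\n' "$host" "$ver" "$(confluence_status "$ver")"
    done
}

printf '%s\n' "$SAMPLE_INVENTORY" | triage
```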

Mitigation

Official Fix

Users are advised to upgrade Confluence Server and Confluence Data Center to the latest version to ensure the security and stability of this service.

Download link: https://www.atlassian.com/software/confluence/download-archives

If users cannot upgrade to the latest version for the time being, they can upgrade it to a version that has this vulnerability fixed, as shown in the following table:

| Affected Version | Version with the Vulnerability Fixed |
|---|---|
| 6.13.x | 6.13.23 |
| 7.4.x | 7.4.11 |
| 7.11.x | 7.11.6 |
| 7.12.x | 7.12.5 |
| Other earlier versions | 6.13.23, 7.4.11, 7.11.6, or 7.12.5 |

Workaround

If users are unable to upgrade the products immediately, run the following scripts on the operating system on which Confluence is hosted:

https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html?spm=a2c4g.11174386.n2.3.1f8c4c07XTPS08#

Confluence server on a Linux-based operating system:

If you run Confluence in a cluster, repeat this process on each node. You don’t need to shut down the whole cluster.

1. Shut down Confluence.

2. Download cve-2021-26084-update.sh to the Confluence Linux server:

https://confluence.atlassian.com/doc/files/1077906215/1077916296/2/1629936383093/cve-2021-26084-update.sh

3. Edit cve-2021-26084-update.sh and set INSTALLATION_DIRECTORY to your Confluence installation directory, for example:

INSTALLATION_DIRECTORY=/opt/atlassian/confluence

4. Save the file.

5. Make the script executable:

chmod 700 cve-2021-26084-update.sh

6. Change to the Linux user that owns files in the Confluence installation directory, for example:

$ ls -l /opt/atlassian/confluence | grep bin
drwxr-xr-x 3 root root 4096 Aug 18 17:07 bin
# In this first example, we change to the 'root' user
# to run the workaround script
$ sudo su root

$ ls -l /opt/atlassian/confluence | grep bin
drwxr-xr-x 3 confluence confluence 4096 Aug 18 17:07 bin
# In this second example, we need to change to the 'confluence' user
# to run the workaround script
$ sudo su confluence

7. Run the workaround script.

$ ./cve-2021-26084-update.sh

8. The expected output should confirm up to five files updated and end with:

Update completed!

The number of updated files will differ, depending on your Confluence version.

9. Restart Confluence. If you run Confluence in a cluster, make sure that this script runs on all nodes.
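Steps 3 and 5 to 8 of the Linux procedure can be wrapped with checks so that a wrong user or an unset directory is caught before anything is modified. This is an added example, not part of Atlassian's script or of the original alert; it assumes the script sets INSTALLATION_DIRECTORY at the start of a line and exits non-zero on failure, and run_workaround is a hypothetical helper name. Shutting down and restarting Confluence remain manual.

```shell
#!/bin/sh
# Added example (not vendor code): run the workaround script with pre-flight
# and post-run checks.

# configured_dir SCRIPT -> value assigned to INSTALLATION_DIRECTORY (step 3).
# Assumption: the assignment starts at the beginning of a line.
configured_dir() {
    sed -n 's/^INSTALLATION_DIRECTORY=//p' "$1" | head -n 1 | tr -d "\"'"
}

# dir_owner_uid DIR -> numeric uid owning DIR/bin (step 6 reads the same ls column).
dir_owner_uid() {
    ls -ldn "$1/bin" | awk '{ print $3 }'
}

# run_workaround SCRIPT INSTALL_DIR
# Returns 0 only if all checks pass and the output ends with "Update completed!".
run_workaround() {
    script=$1 dir=$2
    case $script in */*) ;; *) script=./$script ;; esac
    [ -d "$dir/bin" ] || { echo "no bin/ under $dir" >&2; return 2; }
    [ "$(configured_dir "$script")" = "$dir" ] ||
        { echo "INSTALLATION_DIRECTORY in $script is not $dir" >&2; return 3; }
    owner=$(dir_owner_uid "$dir")
    [ "$(id -u)" = "$owner" ] ||
        { echo "run as uid $owner (owner of $dir/bin), not uid $(id -u)" >&2; return 4; }
    [ -x "$script" ] || { echo "$script is not executable (chmod 700)" >&2; return 5; }
    # Assumption: a non-zero exit status from the script means it failed.
    out=$("$script" 2>&1) || { printf '%s\n' "$out" >&2; return 6; }
    printf '%s\n' "$out"
    [ "$(printf '%s\n' "$out" | tail -n 1)" = "Update completed!" ] ||
        { echo "script did not report completion" >&2; return 7; }
}
```

Call it as `run_workaround ./cve-2021-26084-update.sh /opt/atlassian/confluence` on each node; any non-zero return code means Confluence should not be restarted until the reported problem is resolved.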

Confluence server on a Windows operating system:

If you run Confluence in a cluster, repeat this process on each node. You don’t need to shut down the whole cluster.

1. Shut down Confluence.

2. Download cve-2021-26084-update.ps1 to the Confluence Windows server:

https://confluence.atlassian.com/doc/files/1077906215/1077916298/2/1629936382985/cve-2021-26084-update.ps1

3. Edit cve-2021-26084-update.ps1 and set INSTALLATION_DIRECTORY. Replace Set_Your_Confluence_Install_Dir_Here with your Confluence installation directory, for example:

$INSTALLATION_DIRECTORY='C:\Program Files\Atlassian\Confluence'

4. Save the file.

5. Open Windows PowerShell (and run as administrator).

6. Due to PowerShell’s default restrictive execution policy, run the script using this exact command:

Get-Content .\cve-2021-26084-update.ps1 | powershell.exe -noprofile -

7. The expected output should show the status of up to five updated files, contain no errors (errors will usually show in red) and end with:

Update completed!

The number of updated files will differ, depending on your Confluence version.

8. Restart Confluence. If you run Confluence in a cluster, make sure that this script runs on all nodes.
