About

Atlassian vulnerability sees rise in exploitation attempts

On 25th August, Atlassian issued a security update about a vulnerability that affects the Confluence servers and Confluence datacenter. Since the disclosure of the vulnerability, there have been manifold rise in attempts to exploit the vulnerability on the Confluence servers and Confluence datacenters. This is a remote code execution vulnerability that poses great risk to IT teams that work on Confluence servers or datacenter products. Learn more about this vulnerability, its impacts and resolution.

Atlassian vulnerability

What is the potential risk and severity of the Atlassian vulnerability?


The Atlassian vulnerability is being tracked through CVE-2021-26084. The CVE description of the vulnerability puts in a simple 2 line description of the vulnerability –

In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.

To know about the versions affected with this vulnerability, you may check the detailed security updated released by Atlassian on 25th August on this link.

Also, notice that the vulnerability does not affect the Confluence Cloud solutions.

And, please notice that Customers who have upgraded  to versions 6.13.23, 7.11.6, 7.12.5, 7.13.0, or 7.4.11 are not affected.

Anything outside the versions given above is prone to this vulnerability.

What is the impact of Atlassian vulnerability?


The vulnerability exposes your Atlassian Confluence server or data center to hackers, who could remotely execute code on your server. And, the exploits could be exercised by unauthenticated users. The fact that unauthenticated users can exploit this vulnerability makes this a critical security risk to Confluence servers and data center solutions.

This vulnerability has been given a CVSS score of 7.5, with a HIGH impact. However, the NIST has rated this vulnerability at a score of 9.8, with critical impact to your IT infrastructure. Immediate steps must be taken to fix this vulnerability.

Atlassian also calls this a critical vulnerability and calls for deployment of fix on the affected server and data centers.

What is the fix for Atlassian vulnerability?


Atlassian released a LTS or Long Term Support update for the Confluence server and datacenter stack and it is called the LTS 7.13.0 update. The LTS 7.13.0 update was released by Atlassian on 15th August, 10 days ahead of public disclosure of the vulnerability.

You can download this update from the Confluence download center at this link – https://www.atlassian.com/software/confluence/download-archives. Choose the operating system on which the Confluence server runs, and download the patch for an update of the affected Confluence server or data center. This is the latest version of the security guide to update the that will take the software to version 7.13.0 (LTS) or higher.

What if I am unable to upgrade to LTS 7.13.0 on Confluence server or datacenter?


In cases where you are unable to deploy the new security release, for reasons of testing or any other security related policies in your company, Atlassian has suggested that you must run a Linux or Windows script on the vulnerable server. The script is available on the security update link shared by Atlassian under the mitigation section: https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html

In cases where you are unable to update to LTS 7.13.0 for reasons of version differences or dependencies, Atlassian has put in the following updates –

  • If you are running 6.13.x versions and cannot upgrade to 7.13.0 (LTS) then upgrade to version 6.13.23.
  • If you are running 7.4.x versions and cannot upgrade to 7.13.0 (LTS) then upgrade to version 7.4.11.
  • If you are running 7.11.x versions and cannot upgrade to 7.13.0 (LTS) then upgrade to version 7.11.6.
  • If you are running 7.12.x versions and cannot upgrade to 7.13.0 (LTS) then upgrade to version 7.12.5.

Why is this such a big risk?


The vulnerability on Atlassian’s Confluence server and data center solutions has assumed alarming significance because of an increase in number of attacks on the servers that are being targeted to exploit the vulnerability. This vulnerability is in the midst of an ongoing exploitation. For servers that are not upgraded or patched with the operating system specific script, there is a risk of remote code execution eventually leading to greater impact attacks, including ransomware attack and personal and business data theft.

Censys has been tracking the number of vulnerable Confluence servers since the disclosure of the vulnerability. In the company’s blog post, Censys has given figures on the number of vulnerable servers found by them over a period of last week and a half.

  • Initially, 14562 vulnerable Confluence servers were found.
  • The number of exploitable servers went down to 8597 on 2nd September.

Effectively, in one week of the disclosure of vulnerability, nearly 40% servers have been either upgraded to LTS 7.13.0 or these servers have been protected by executing the server side scripts. But, the worrying part is that as of 2nd September, there are still over 8,000 server instances that remain unprotected against any remote code execution attacks. Folks need to upgrade fast.

Summary


So, we have a vulnerability on the Confluence server and datacenter suite. And, we know that we could apply the LTS 7.13.0 to resolve the vulnerability. If for some reason, we are unable to upgrade to 7.13.0, do apply the Linux or Windows script on the server or central node of the Confluence data center to patch the security risk.