Confluence Server Webwork OGNL Injection Vulnerability (CVE-2021-26084)

Description

Update as of September 8th: FortiGuard Labs released the following IPS signature:

Atlassian.Confluence.CVE-2021-26084.Remote.Code.Execution (definitions version 18.154)
FortiGuard Labs is aware that an OGNL injection vulnerability that affects Confluence Server and Data Center instances was recently patched by Atlassian. Assigned CVE-2021-26084 and rated critical, successful exploitation of the vulnerability "would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance."

Confluence is a popular team workspace and collaboration tool developed by Atlassian that helps teams collaborate and share knowledge.


When was the Vulnerability Discovered?

While it is unknown when the vulnerability was first discovered, the tracking ticket Atlassian opened for the bug shows that it was discovered no later than July 27th, 2021.


The security hole was discovered by Benny Jacob (SnowyOwl) through the Atlassian public bug bounty program.


What are the Details of the Vulnerability?

Atlassian has not offered technical details of the vulnerability other than that the security flaw is related to the Object-Graph Navigation Language (OGNL), an expression language for getting and setting properties of Java objects.


How Serious is the Vulnerability?

The vulnerability is rated critical by Atlassian and has a CVSS score of 9.8 out of 10. For more information on how Atlassian assigns severity to its vulnerabilities, see the Appendix for a link to "Severity Levels for Security Issues".


What Products and Versions are Vulnerable?


Affected Products:

  • Confluence Server
  • Confluence Data Center

Note: Confluence Cloud customers are not affected.


Affected versions:

  • All versions below 6.12
  • All 6.13 versions before 6.13.23
  • All 6.14 and 6.15 versions
  • All 7.0, 7.1, 7.2, and 7.3 versions
  • All 7.4 versions before 7.4.11
  • All 7.5, 7.6, 7.8, 7.9 and 7.10 versions
  • All 7.11 versions before 7.11.6
  • All 7.12 versions before 7.11.5

Is There a CVE Number Assigned to the Vulnerability?

Yes, CVE-2021-26084 is assigned to the vulnerability.


Has the Vendor Released an Advisory?

Yes, Atlassian released an advisory on August 25th, 2021. See the Appendix for a link to "Confluence Security Advisory - 2021-08-25".


Has the Vendor Released a Patch?

Yes.

Fixed versions are as follows:

  • 6.13.23
  • 7.4.11
  • 7.11.6
  • 7.12.5
  • 7.13.0
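The affected and fixed version lists above, turned into a check that can be run against a Confluence inventory. This is an added example, not FortiGuard's or Atlassian's code; it derives "affected" from the fixed-versions list (any build below 7.13.0 that is not on a backport branch at or above that branch's fix release), so it treats branches with no backport release, such as 7.0 to 7.3, as unpatched.

```python
import re
from typing import List, Tuple

# Fix releases from the advisory: 6.13, 7.4, 7.11 and 7.12 are backport
# branches; 7.13.0 is the first mainline release that contains the fix.
FIXED_VERSIONS = ("6.13.23", "7.4.11", "7.11.6", "7.12.5", "7.13.0")

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse 'major.minor[.patch]' from a Confluence version string.

    Trailing build metadata (e.g. '-rc1') is ignored and a missing patch
    component is treated as 0, so '6.13' parses as (6, 13, 0).
    """
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or "0")


def is_affected(version_text: str) -> bool:
    """Return True if this Server/Data Center build lacks the fix.

    Assumption (derived from the fixed-versions list, not stated this way
    on the page): a build is patched only if it is at or above 7.13.0, or
    sits on a backport branch at or above that branch's fix release.
    """
    version = parse_version(version_text)
    fixes = [parse_version(v) for v in FIXED_VERSIONS]
    if version >= max(fixes):          # 7.13.0 or newer: mainline fix
        return False
    for fix in fixes:
        if version[:2] == fix[:2]:      # same branch as a backport fix
            return version < fix
    # No backport fix exists for this branch and it predates 7.13.0.
    return True


def triage(version_texts: List[str]) -> Tuple[List[str], List[str]]:
    """Split an inventory of version strings into (needs_patch, patched)."""
    needs_patch = [v for v in version_texts if is_affected(v)]
    patched = [v for v in version_texts if not is_affected(v)]
    return needs_patch, patched
```

Feed `triage()` the version strings gathered from your Confluence hosts (constructed values are used in the checks below, not real hosts).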


Is the Vulnerability Being Exploited in the Wild?

At the time of this writing, FortiGuard Labs has not observed nor become aware of any instance of in-the-wild exploitation. However, mass scanning has reportedly already started and proof-of-concept code is already available, so such attacks can happen at any time.

FortiGuard Labs will continue to monitor the situation and provide updates as the situation warrants.


What is the Status of Coverage? (Updated on September 8th)

FortiGuard Labs released the following IPS signature:

Atlassian.Confluence.CVE-2021-26084.Remote.Code.Execution (definitions version 18.154)


Other Mitigation?

Atlassian has provided a couple of mitigation methods in their advisory. See the Appendix for a link to "Confluence Security Advisory - 2021-08-25".

Telemetry