Threat Signal Report

Confluence Server Webwork OGNL Injection Vulnerability (CVE-2021-26084)

Description

Update as of September 8th: FortiGuard Labs released the following IPS signature:

Atlassian.Confluence.CVE-2021-26084.Remote.Code.Execution (definitions version 18.154)



FortiGuard Labs is aware that an OGNL injection vulnerability that affects Confluence Server and Data Center instances was recently patched by Atlassian. Assigned CVE-2021-26084 and rated critical, successful exploitation of the vulnerability "would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance."

Confluence is a popular team workspace and collaboration tool developed by Atlassian and is used to help teams to collaborate and share knowledge.


When was the Vulnerability Discovered?

While it is unknown when the vulnerability was first discovered, the tracking ticket Atlassian opened for the bug shows that it had been discovered by July 27th, 2021 at the latest.


The security hole was discovered by Benny Jacob (SnowyOwl) through the Atlassian public bug bounty program.


What are the Details of the Vulnerability?

Atlassian has not offered technical details of the vulnerability other than that the security flaw is related to the Object-Graph Navigation Language (OGNL), an expression language for getting and setting properties of Java objects.


How Serious is the Vulnerability?

The vulnerability is rated critical by Atlassian and has a CVSS score of 9.8 out of 10. For more information on how Atlassian assigns severity to its vulnerabilities, see the Appendix for a link to "Severity Levels for Security Issues".


What Products and Versions are Vulnerable?


Affected Products:

  • Confluence Server
  • Confluence Data Center

Note: Confluence Cloud customers are not affected.


Affected versions:

  • All versions below 6.12
  • All 6.13 versions before 6.13.23
  • All 6.14 and 6.15 versions
  • All 7.0, 7.1, 7.2, and 7.3 versions
  • All 7.4 versions before 7.4.11
  • All 7.5, 7.6, 7.8, 7.9 and 7.10 versions
  • All 7.11 versions before 7.11.6
  • All 7.12 versions before 7.12.5

Is There a CVE Number Assigned to the Vulnerability?

Yes, CVE-2021-26084 is assigned to the vulnerability.


Has the Vendor Released an Advisory?

Yes, Atlassian released an advisory on August 25th, 2021. See the Appendix for a link to "Confluence Security Advisory - 2021-08-25".


Has the Vendor Released a Patch?

Yes.

Fixed versions are as follows:

  • 6.13.23
  • 7.4.11
  • 7.11.6
  • 7.12.5
  • 7.13.0
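As an added example (not part of the FortiGuard report), the following Python encodes the affected and fixed version ranges listed above so that an inventory of Confluence Server / Data Center versions can be checked for CVE-2021-26084 exposure. It assumes plain dotted version strings (an optional "-suffix" is dropped), and any version the report lists in neither table (for example 6.12.x or 7.7.x) is reported as "not listed" rather than assumed safe.

```python
"""Classify Confluence versions against the CVE-2021-26084 ranges in this report."""
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# (lower bound inclusive, upper bound exclusive): lo <= v < hi is affected.
# Tuples compare component-wise, so 7.4.10 < 7.4.11 is evaluated numerically.
AFFECTED_RANGES = [
    ((0, 0, 0), (6, 12, 0)),     # all versions below 6.12
    ((6, 13, 0), (6, 13, 23)),   # all 6.13 versions before 6.13.23
    ((6, 14, 0), (6, 16, 0)),    # all 6.14 and 6.15 versions
    ((7, 0, 0), (7, 4, 0)),      # all 7.0, 7.1, 7.2 and 7.3 versions
    ((7, 4, 0), (7, 4, 11)),     # all 7.4 versions before 7.4.11
    ((7, 5, 0), (7, 7, 0)),      # all 7.5 and 7.6 versions
    ((7, 8, 0), (7, 11, 0)),     # all 7.8, 7.9 and 7.10 versions
    ((7, 11, 0), (7, 11, 6)),    # all 7.11 versions before 7.11.6
    ((7, 12, 0), (7, 12, 5)),    # all 7.12 versions before 7.12.5
]
FIXED_VERSIONS = [(6, 13, 23), (7, 4, 11), (7, 11, 6), (7, 12, 5), (7, 13, 0)]


def parse_version(text: str) -> Version:
    """Parse '7.4.11', '7.4' or '7.13.0-rc1' into a 3-tuple; reject anything else."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Confluence version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def classify(text: str) -> str:
    """Return 'affected', 'fixed' or 'not listed' for one version string."""
    v = parse_version(text)
    if any(lo <= v < hi for lo, hi in AFFECTED_RANGES):
        return "affected"
    # A release at or above the fixed release of its own x.y branch is fixed.
    if any(v[:2] == f[:2] and v >= f for f in FIXED_VERSIONS):
        return "fixed"
    if v >= (7, 13, 0):  # assumption: releases after 7.13.0 keep the fix
        return "fixed"
    return "not listed"  # e.g. 6.12.x or 7.7.x: not in either table of the report


def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> status for a {host: version} inventory (constructed input)."""
    return {host: classify(ver) for host, ver in inventory.items()}
```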


Is the Vulnerability Being Exploited in the Wild?

At the time of this writing, FortiGuard Labs has neither observed nor become aware of any instance of in-the-wild exploitation. However, mass scanning has reportedly already started and Proof-of-Concept code is already available, so attacks can happen at any time.

FortiGuard Labs will continue to monitor the situation and provide updates as the situation warrants.


What is the Status of Coverage? (Updated on September 8th)

FortiGuard Labs released the following IPS signature:

Atlassian.Confluence.CVE-2021-26084.Remote.Code.Execution (definitions version 18.154)


Other Mitigation?

Atlassian has provided a couple of mitigation methods in their advisory. See the Appendix for a link to "Confluence Security Advisory - 2021-08-25".

Telemetry


Definitions

Traffic Light Protocol

Each entry below gives the color, when it should be used, and how it may be shared.

TLP: RED

Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.