Organizations in the U.S. continue to suffer a string of attacks exploiting unpatched vulnerabilities. The U.S. Cyber Command (USCYBERCOM) recently warned organizations to immediately patch the actively exploited critical Atlassian Confluence vulnerability CVE-2021-26084.
“Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate. Please patch immediately if you haven’t already — this cannot wait until after the weekend,” USCYBERCOM said.
— U.S. Cyber Command (@US_CYBERCOM) September 3, 2021
Atlassian Confluence Vulnerability
The CVE-2021-26084 vulnerability is an Object-Graph Navigation Language (OGNL) injection flaw that affects Atlassian Confluence Server and Confluence Data Center, the self-hosted editions of the Confluence project management platform. The vulnerability enables an unauthenticated attacker to execute arbitrary code on Confluence Server or Data Center installations.
The vulnerability was discovered by Benny Jacob (SnowyOwl) in the Atlassian public bug bounty program.
Affected versions include:
- version < 6.13.23
- 6.14.0 ≤ version < 7.4.11
- 7.5.0 ≤ version < 7.11.5
- 7.12.0 ≤ version < 7.12.5
Atlassian Releases Patch
In a security advisory, Atlassian detailed the severity and impacts of the vulnerability. It said, “The vulnerability is being actively exploited in the wild. Affected servers should be patched immediately. The vulnerability is exploitable by unauthenticated users regardless of configuration.”
Atlassian recommended organizations identify vulnerable devices and update them to the latest Long Term Support release to avoid potential risks.
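As an added example (not Atlassian's own tooling), the following Python script checks an inventory of Confluence installations against the affected version ranges from Atlassian's advisory and reports which ones still need the patch; the host names and versions in the inventory are constructed sample data.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Affected ranges from Atlassian's advisory: (lower bound inclusive, upper bound exclusive).
# A lower bound of None means "every version below the upper bound".
AFFECTED_RANGES: List[Tuple[Optional[str], str]] = [
    (None, "6.13.23"),
    ("6.14.0", "7.4.11"),
    ("7.5.0", "7.11.5"),
    ("7.12.0", "7.12.5"),
]


def parse_version(text: str) -> Version:
    """Turn a version string such as '7.4.10' into a comparable tuple (7, 4, 10).
    A trailing qualifier such as '-rc1' is ignored; missing components count as 0."""
    match = re.match(r"^\s*v?(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(version_text: str) -> bool:
    """True if the version falls inside any of the affected ranges."""
    version = parse_version(version_text)
    for lower, upper in AFFECTED_RANGES:
        below_upper = version < parse_version(upper)
        at_or_above_lower = lower is None or version >= parse_version(lower)
        if below_upper and at_or_above_lower:
            return True
    return False


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> version onto host -> 'patch now' or 'not affected'."""
    return {host: ("patch now" if is_affected(ver) else "not affected")
            for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts and versions).
    sample = {"wiki-a": "7.4.10", "wiki-b": "7.13.0", "wiki-c": "6.13.22", "wiki-d": "7.12.5"}
    for host, verdict in triage(sample).items():
        print(f"{host}: {sample[host]} -> {verdict}")
```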
What the Experts Say…
The latest warning from the U.S. Cyber Command created a buzz in the cybersecurity community. Security experts from threat intelligence firm Bad Packets said the firm had identified mass exploit activity targeting vulnerable Atlassian Confluence servers across the U.S., Brazil, Hong Kong, China, Nepal, Romania, and Russia.
We’ve detected mass scanning and exploit activity from hosts in 🇧🇷 🇨🇳 🇭🇰 🇳🇵🇷🇴 🇷🇺 🇺🇸 targeting Atlassian Confluence servers vulnerable to remote code execution (https://t.co/GExSx8puLm).
Query our API for “tags=CVE-2021-26084” for full payload and source IPs. #threatintel
— Bad Packets (@bad_packets) September 1, 2021
Also, security firm Censys said it had detected over 14,701 services that self-identified as a Confluence server. Of those, 13,596 ports and 12,876 individual IPv4 hosts were running an exploitable version of the software.