Source: https://www.csoonline.com/article/3632330/critical-flaw-in-atlassian-confluence-actively-exploited.html
CRITICAL FLAW IN ATLASSIAN CONFLUENCE ACTIVELY EXPLOITED

The remote code execution vulnerability was recently patched for affected versions of Atlassian Confluence Server and Data Center; users are advised to apply the patch or upgrade.

By Lucian Constantin, CSO Senior Writer | Sep 3, 2021 4:35 am PDT

Image credit: MysteryShot / Getty Images

Hackers have started exploiting a critical remote code execution vulnerability that was patched recently in Atlassian Confluence Server and Data Center.
Some of the attacks deploy cryptocurrency mining malware, but Atlassian products have also been targeted in the past by cyberespionage groups.

"Bad Packets honeypots have detected mass scanning and exploit activity targeting the Atlassian Confluence RCE vulnerability CVE-2021-26084 from hosts in Russia, Hong Kong, Brazil, Nepal, Poland, Romania, Estonia, United States, and Italy," threat intelligence firm Bad Packets told CSO. "Multiple proofs-of-concept have been published publicly demonstrating how to exploit this vulnerability."

WEBWORK OGNL INJECTION

According to Atlassian, CVE-2021-26084 is an OGNL injection issue that allows authenticated users, and in some instances unauthenticated users, to execute arbitrary code on servers running affected versions of the products. The Object-Graph Navigation Language (OGNL) is an open-source expression language for getting and setting properties of Java objects.

Atlassian Confluence is a web-based team collaboration platform written in Java for managing workspaces and projects that organizations can run locally on their own servers. Atlassian Data Center is a more feature-rich version of Confluence that adds support for team calendars, analytics, more advanced permissions management, content delivery network support and more.

The flaw affects all Atlassian Confluence and Data Center versions prior to 6.13.23, 7.4.11, 7.11.6, 7.12.5 and 7.13.0, which were released on Aug. 25 for the still-supported branches of the software. However, Atlassian recommends upgrading to the latest version in the 7.13.x branch if possible, as that branch has long-term support. Manual patch scripts that can be run on Linux or Windows hosts have also been provided as temporary workarounds for users who cannot perform a full upgrade.
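A triage script added here as an example (it is not code from the article, from Atlassian or from the researchers quoted): it classifies a Confluence version against the fix versions the article lists, and flags access-log requests to /pages/doenterpagevariables.action, the route a researcher quoted in the next section says renders the patched template without authentication. The log lines and the rule that branches without a listed fix count as affected are assumptions of the example, not statements from the page.

```python
import re

# Fix versions named in the article; anything older in the same branch is affected.
# Assumption (not stated on the page): branches with no listed fix, e.g. 7.5.x-7.10.x,
# are treated as affected until upgraded to 7.13.0 or later.
FIXED_BY_BRANCH = {(6, 13): (6, 13, 23), (7, 4): (7, 4, 11),
                   (7, 11): (7, 11, 6), (7, 12): (7, 12, 5)}
LTS_FIX = (7, 13, 0)

def parse_version(v: str) -> tuple:
    parts = tuple(int(p) for p in v.strip().split("."))
    if len(parts) != 3:
        raise ValueError(f"expected major.minor.patch, got {v!r}")
    return parts

def is_affected(version: str) -> bool:
    """True if this Confluence Server/Data Center version predates its fix."""
    v = parse_version(version)
    if v >= LTS_FIX:
        return False
    fix = FIXED_BY_BRANCH.get(v[:2])
    return fix is None or v < fix

# Route the quoted researcher says renders the modified template unauthenticated.
SUSPECT_ROUTE = "/pages/doenterpagevariables.action"
# Combined-log-format request line: client, timestamp, method, path, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def find_route_hits(log_lines):
    """Return (client, timestamp, method, status) for each request to the suspect route."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        # Strip the query string and tolerate a context path such as /confluence.
        if m and m.group("path").split("?", 1)[0].lower().endswith(SUSPECT_ROUTE):
            hits.append((m.group("ip"), m.group("ts"), m.group("method"), int(m.group("status"))))
    return hits

# Constructed sample access-log lines (not taken from the article or any real incident).
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Sep/2021:10:15:01 +0000] "POST /pages/doenterpagevariables.action HTTP/1.1" 200 512',
    '198.51.100.4 - - [02/Sep/2021:10:15:03 +0000] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 2048',
    '203.0.113.7 - - [02/Sep/2021:10:15:09 +0000] "GET /confluence/pages/doenterpagevariables.action?a=1 HTTP/1.1" 200 511',
]

if __name__ == "__main__":
    for ver in ("7.12.4", "7.12.5", "7.8.3", "6.13.23", "7.13.0"):
        print(ver, "affected" if is_affected(ver) else "fixed")
    for hit in find_route_hits(SAMPLE_LOG):
        print("suspect route request:", hit)
```

A hit on that route is only a lead, since legitimate page creation also uses it; combine it with the version result and the server's own logs before escalating.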
According to the Atlassian advisory, the vulnerability was reported by a researcher named Benny Jacob (SnowyOwl) through the Atlassian bug bounty program, suggesting that it wasn't a flaw exploited in the wild at the time of its discovery. However, since then, other researchers have analyzed the patch and written detailed reports on the bug, complete with proof-of-concept exploits. Moreover, even though Atlassian says the issue can be exploited by unauthenticated users "in some instances," unauthenticated exploit paths might be more common than users expect.

"For example, simply visiting /pages/doenterpagevariables.action should render the Velocity template file which was modified, i.e. createpage-entervariables.vm," security researcher and bug hunter Harsh Jaiswal said in an analysis of the flaw. "Remember that any route that renders this template would cause the vulnerability [to] exist completely unauth regardless of you turning on Sign up feature."

As with all injection-type vulnerabilities, the goal is to inject code into expected user input that the application then evaluates and executes out of context. In this particular case, attackers can include command-line (bash) commands that would be executed on the operating system. Confluence does use an isSafeExpression method to check OGNL expressions against a hardcoded list of malicious properties and methods, but as with most blacklist-based approaches, attackers and researchers can usually find a way to bypass it, which was also true in this case.

PAST ATTACKS

Cryptocurrency miners are a popular payload for remote code execution vulnerabilities in web applications because they provide an easy way for attackers to directly monetize their access to the underlying servers.
However, such access can also be used to deploy stealthier backdoors that can later be used for lateral movement inside corporate networks if the impacted web servers are not properly walled off from the rest of the network.

In 2019, security and incident response firm FireEye published a report about attacks by a China-based hacker group tracked as APT41 in which the group exploited a path traversal and remote code execution vulnerability in Atlassian Confluence (CVE-2019-3396) to compromise a web server at a US-based research university. APT41 is a dual espionage and financially focused group that has a history of weaponizing recently disclosed vulnerabilities, often within days of their public disclosure. In that particular attack, the group exploited the Confluence vulnerability to deploy a web shell and a backdoor program.

Bad Packets told CSO that it hasn't observed attacks against Confluence specifically in the past, but it has seen attacks exploiting vulnerabilities in other Atlassian products, including the Atlassian Crowd RCE CVE-2019-11580, the Atlassian Jira SSRF CVE-2019-8451 and the Atlassian Jira unauthenticated information disclosure CVE-2020-36289.
Lucian Constantin is a senior writer at CSO, covering information security, privacy, and data protection.

Copyright © 2021 IDG Communications, Inc.