Threat Brief: CVE-2021-26084

Category: Threat Brief, Unit 42

Executive Summary

On Aug. 25, 2021, Atlassian released a security advisory for an injection vulnerability in Confluence Server and Data Center, CVE-2021-26084. If the vulnerability is exploited, threat actors could bypass authentication and run arbitrary code on unpatched systems. Since the advisory's release, mass scanning for unpatched systems has started and in-the-wild exploitation has begun. Unit 42 recommends that customers upgrade to the latest release of Confluence Server and Data Center.

Vulnerable Systems

The Atlassian products vulnerable to CVE-2021-26084 are those using the following versions of Confluence Server and Data Center:

  • All 4.x.x versions.
  • All 5.x.x versions.
  • All 6.0.x versions.
  • All 6.1.x versions.
  • All 6.2.x versions.
  • All 6.3.x versions.
  • All 6.4.x versions.
  • All 6.5.x versions.
  • All 6.6.x versions.
  • All 6.7.x versions.
  • All 6.8.x versions.
  • All 6.9.x versions.
  • All 6.10.x versions.
  • All 6.11.x versions.
  • All 6.12.x versions.
  • All 6.13.x versions before 6.13.23.
  • All 6.14.x versions.
  • All 6.15.x versions.
  • All 7.0.x versions.
  • All 7.1.x versions.
  • All 7.2.x versions.
  • All 7.3.x versions.
  • All 7.4.x versions before 7.4.11.
  • All 7.5.x versions.
  • All 7.6.x versions.
  • All 7.7.x versions.
  • All 7.8.x versions.
  • All 7.9.x versions.
  • All 7.10.x versions.
  • All 7.11.x versions before 7.11.6.
  • All 7.12.x versions before 7.12.5.

Confluence Cloud customers are not affected by this vulnerability.
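The version list above can be applied mechanically to an asset inventory. The following is an added example, not code from Unit 42 or Atlassian; the host names and the inventory are constructed, and the function names are illustrative. It classifies a version strictly against the list in this brief and reports anything the list does not cover separately rather than assuming it is safe.

```python
import re

# Branches the list above marks "before X": fixed from patch level X onward.
FIXED_IN_BRANCH = {(6, 13): 23, (7, 4): 11, (7, 11): 6, (7, 12): 5}

def parse_version(text):
    """Parse '7.4.11' or '7.4' into (major, minor, patch); missing patch is 0."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def status(version):
    """Classify a version strictly against the affected-version list above."""
    major, minor, patch = parse_version(version)
    listed = (major in (4, 5)
              or (major == 6 and minor <= 15)
              or (major == 7 and minor <= 12))
    if not listed:
        return "outside-list"   # not in the list, e.g. 7.13.0 or below 4.0
    fixed_patch = FIXED_IN_BRANCH.get((major, minor))
    if fixed_patch is not None and patch >= fixed_patch:
        return "fixed"
    return "vulnerable"

def hosts_to_patch(inventory):
    """Return the sorted host names whose reported version is vulnerable."""
    return sorted(h for h, v in inventory.items() if status(v) == "vulnerable")

# Constructed sample inventory (host names and versions are made up).
INVENTORY = {
    "wiki-prod": "7.4.10",
    "wiki-dr": "7.4.11",
    "wiki-legacy": "6.13.22",
    "wiki-eng": "7.12.5",
    "wiki-old": "5.10.8",
    "wiki-new": "7.13.0",
}

if __name__ == "__main__":
    for host, version in sorted(INVENTORY.items()):
        print(f"{host:12} {version:10} {status(version)}")
    print("patch first:", ", ".join(hosts_to_patch(INVENTORY)))
```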

Mitigation Actions

We recommend that customers update Atlassian Confluence Server and Data Center to the latest version, 7.13.0 (LTS). You can find the newest release on Atlassian’s download center.

If you cannot install the latest upgrade, see the Mitigation section of the Atlassian security advisory for information on how to mitigate this vulnerability by running a script for the operating system your Confluence server is hosted on.

Conclusion

Palo Alto Networks provides protection against the exploitation of this vulnerability:

  • Next-Generation Firewalls with a Threat Prevention security subscription (running Applications and Threat content update version 8453) can automatically block sessions related to this vulnerability using Threat ID 91594.

Palo Alto Networks will update this Threat Brief with new information and recommendations as they become available.

Additional Resources

writeups/Confluence-RCE.md at main · httpvoid/writeups

Confluence Server Download Archives

Confluence Security Advisory - 2021-08-25 | Confluence Data Center and Server 7.13