Executive Summary
On Aug. 25, 2021, Atlassian released a security advisory for an injection vulnerability in Confluence Server and Data Center, CVE-2021-26084. If the vulnerability is exploited, threat actors could bypass authentication and run arbitrary code on unpatched systems. Since the release of this advisory, mass scanning activity has started to occur, seeking unpatched systems, and in-the-wild exploitation has begun. Unit 42 recommends customers upgrade to the latest release of Confluence Server and Data Center.
Vulnerable Systems
The Atlassian products vulnerable to CVE-2021-26084 are those using the following versions of Confluence Server and Data Center:
- All 4.x.x versions.
- All 5.x.x versions.
- All 6.0.x versions.
- All 6.1.x versions.
- All 6.2.x versions.
- All 6.3.x versions.
- All 6.4.x versions.
- All 6.5.x versions.
- All 6.6.x versions.
- All 6.7.x versions.
- All 6.8.x versions.
- All 6.9.x versions.
- All 6.10.x versions.
- All 6.11.x versions.
- All 6.12.x versions.
- All 6.13.x versions before 6.13.23.
- All 6.14.x versions.
- All 6.15.x versions.
- All 7.0.x versions.
- All 7.1.x versions.
- All 7.2.x versions.
- All 7.3.x versions.
- All 7.4.x versions before 7.4.11.
- All 7.5.x versions.
- All 7.6.x versions.
- All 7.7.x versions.
- All 7.8.x versions.
- All 7.9.x versions.
- All 7.10.x versions.
- All 7.11.x versions before 7.11.6.
- All 7.12.x versions before 7.12.5.
Confluence Cloud customers are not affected by this vulnerability.
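The affected-version list above has two kinds of entries: branches that are affected in their entirety, and branches that received a fix at a specific patch level (6.13.23, 7.4.11, 7.11.6, 7.12.5). The following Python helper, added here as an illustration and not code from Unit 42 or Atlassian, encodes those ranges so a defender can classify the version strings pulled from an asset inventory. The inventory dictionary and hostnames are constructed sample data; the function names `parse_version`, `classify` and `hosts_needing_upgrade` are this example's own.

```python
"""Classify Confluence Server / Data Center version strings against the
CVE-2021-26084 affected ranges from the Atlassian advisory.

Added example for the threat brief; not Unit 42 or Atlassian code.
"""
import re
from typing import Dict, List, Tuple

# Branches that shipped a fix: anything on the branch below the listed
# release is affected (from the advisory's "before X" entries).
FIXED_ON_BRANCH = {
    (6, 13): (6, 13, 23),
    (7, 4): (7, 4, 11),
    (7, 11): (7, 11, 6),
    (7, 12): (7, 12, 5),
}
# 7.13.0 is the first branch with no vulnerable release at all.
FIRST_CLEAN_BRANCH = (7, 13)
# The advisory's list starts at 4.x.x; older versions are not listed.
OLDEST_LISTED_MAJOR = 4


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor[.patch]' into a comparable tuple; reject anything else."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def classify(version: str) -> str:
    """Return 'affected', 'not affected', or 'not listed' for a version string."""
    v = parse_version(version)
    branch = v[:2]
    if v[0] < OLDEST_LISTED_MAJOR:
        return "not listed"          # pre-4.x is outside the advisory's table
    if branch >= FIRST_CLEAN_BRANCH:
        return "not affected"        # 7.13.0 and later never shipped the bug
    fixed = FIXED_ON_BRANCH.get(branch)
    if fixed is None:
        return "affected"            # whole branch listed, no fix on that branch
    # Tuple comparison handles the patch-level boundary (e.g. 7.12.4 < 7.12.5).
    return "affected" if v < fixed else "not affected"


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY: Dict[str, str] = {
    "wiki-prod": "7.12.4",
    "wiki-staging": "7.13.0",
    "wiki-legacy": "6.13.22",
    "wiki-archive": "6.13.23",
}


def hosts_needing_upgrade(inventory: Dict[str, str]) -> List[str]:
    """Hosts whose Confluence version falls in an affected range, sorted by name."""
    return sorted(h for h, ver in inventory.items() if classify(ver) == "affected")


if __name__ == "__main__":
    for host, ver in SAMPLE_INVENTORY.items():
        print(f"{host:14} {ver:10} {classify(ver)}")
    print("upgrade needed:", hosts_needing_upgrade(SAMPLE_INVENTORY))
```

A version reported without a patch component (for example "7.4") is treated as ".0", which is the conservative choice for the fixed branches because it sits below the fix release; pre-4.x versions are reported as "not listed" rather than silently marked safe, since the advisory simply does not cover them.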
Mitigation Actions
We recommend that customers update Atlassian Confluence Server and Data Center to the latest version, 7.13.0 (LTS). You can find the newest release on Atlassian’s download center.
If you cannot install the latest upgrade, see the Mitigation section on the Atlassian security advisory for information on how to mitigate this vulnerability by running a script for the operating system your Confluence server is hosted on.
Conclusion
Palo Alto Networks provides protection against the exploitation of this vulnerability:
- Next-Generation Firewalls with a Threat Prevention security subscription (running Applications and Threat content update version 8453) can automatically block sessions related to this vulnerability using Threat ID 91594.
Palo Alto Networks will update this Threat Brief with new information and recommendations as they become available.
Additional Resources
writeups/Confluence-RCE.md at main · httpvoid/writeups
Confluence Server Download Archives
Confluence Security Advisory - 2021-08-25 | Confluence Data Center and Server 7.13