Updated: Apr 6
This week's Cytidel Intel Insights shows why out of sight should not mean out of mind. The vulnerability in the spotlight is CVE-2021-26084, a Confluence Server exploit that was released in June 2021.
On this week’s Cytidel Intelligence Insights we are looking at a slightly older vulnerability which may be out of the minds of many working in IT Security at the moment. Similar to our 24-hour news cycle, the world of IT Security evolves a mile a minute and many vulnerabilities which, when released, were critical, can fall through the cracks.
Today's vulnerability is clearly no exception to this: even though a fix was released for this security flaw on the 27th August 2021, it is this week's most likely vulnerability to be exploited in the world.
The vulnerability in question is CVE-2021-26084, a Confluence Server OGNL Injection exploit that allows an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.
What Is It?
CVE-2021-26084 is a vulnerability in Confluence Server and Confluence Data Center. The exploit is possible because of the way Object-Graph Navigation Language (OGNL) is used in Confluence's tag system. The vulnerability effectively grants the threat actor Remote Code Execution (RCE), allowing them to run arbitrary code on your system if it has a vulnerable version of Confluence Server or Confluence Data Center installed.
Why Should I Care?
This vulnerability was published on 27th July 2021 and a fix was released on 25th August 2021, so why, this week of all weeks, should we care about this vulnerability? I'm glad you asked. This week, CVE-2021-26084 is the most likely vulnerability to be exploited worldwide. This means that even though a patch was issued over 10 months ago, there are still vulnerable versions of this software accessible on the public internet.
In some cases, even a user who is not authenticated can exploit the vulnerability (if the option 'Allow people to sign up to create their account' is active). The combination of unauthenticated access and RCE as a result of the exploit makes this vulnerability incredibly dangerous for your organisation if your Confluence server is one of the unpatched ones.
Am I Vulnerable?
The first question you should ask is "Am I vulnerable?" It's easy to find out.
The affected versions are: all versions before 6.13.23, from 6.14.0 before 7.4.11, from 7.5.0 before 7.11.6, and from 7.12.0 before 7.12.5. In other words:
version < 6.13.23
6.14.0 ≤ version < 7.4.11
7.5.0 ≤ version < 7.11.6
7.12.0 ≤ version < 7.12.5
So first things first: if you are running a Confluence system, check whether you are running one of the vulnerable versions. If not, double check! If you're still good, then you should be covered for this one.
If you are vulnerable, the next thing to check is whether or not you can be exploited by an unauthenticated user:
The vulnerable endpoints can be accessed by a non-administrator user or an unauthenticated user if 'Allow people to sign up to create their account' is enabled. To check whether this is enabled, go to COG > User Management > User Signup Options.
If this is the case, I cannot stress highly enough that this system needs to be patched. But luckily, there is a fix!
What Can I Do?
Thankfully, the fix for CVE-2021-26084 was released on 25th August 2021. To ensure remediation of this vulnerability, make sure you are upgraded to one of the below or later versions:
Note: A new vulnerability for Confluence, CVE-2022-26134, was published on 2nd Jun 2022, targeting a similar attack vector. It should be noted that the above versions are susceptible to this newer vulnerability, and it is recommended that you always update to the latest available version of your software. In this case, updating Confluence Server or Data Center to version 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 or 7.18.1 will remediate both critical vulnerabilities.
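The version ranges in "Am I Vulnerable?" and the fixed releases in the note above are easy to misread by hand when you have a dozen Confluence instances in an inventory. The following Python script is an added example (it is not Cytidel's code or an Atlassian tool) that encodes the page's affected ranges for CVE-2021-26084 and the page's list of releases that remediate both CVE-2021-26084 and CVE-2022-26134, then triages a version inventory. The hostnames and versions in the sample inventory are constructed, and the rule that any version newer than 7.18.1 counts as remediated is an assumption drawn from the page's advice to always run the latest release.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges for CVE-2021-26084 as listed on the page. Lower bounds are
# inclusive, upper bounds exclusive; a lower bound of None means "anything below".
AFFECTED_RANGES: List[Tuple[Optional[Version], Version]] = [
    (None,       (6, 13, 23)),  # version < 6.13.23
    ((6, 14, 0), (7, 4, 11)),   # 6.14.0 <= version < 7.4.11
    ((7, 5, 0),  (7, 11, 6)),   # 7.5.0 <= version < 7.11.6
    ((7, 12, 0), (7, 12, 5)),   # 7.12.0 <= version < 7.12.5
]

# Releases the page says remediate both CVE-2021-26084 and CVE-2022-26134,
# one per 7.x branch.
FIXED_FOR_BOTH: List[Version] = [
    (7, 4, 17), (7, 13, 7), (7, 14, 3), (7, 15, 2),
    (7, 16, 4), (7, 17, 4), (7, 18, 1),
]


def parse_version(text: str) -> Version:
    """Extract 'major.minor[.patch]' from strings such as 'Confluence 7.4.10'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version_text: str) -> bool:
    """True if the version falls inside one of the CVE-2021-26084 ranges."""
    v = parse_version(version_text)
    return any((low is None or low <= v) and v < high for low, high in AFFECTED_RANGES)


def remediates_both(version_text: str) -> bool:
    """True if the version is at or after the page's fixed release on its own
    7.x branch, or at or after the newest listed release (assumption: anything
    newer than 7.18.1 carries both fixes)."""
    v = parse_version(version_text)
    if v >= max(FIXED_FOR_BOTH):
        return True
    return any(v[:2] == fixed[:2] and v >= fixed for fixed in FIXED_FOR_BOTH)


def triage(inventory):
    """Classify each (host, version) pair as 'affected', 'remediated' or 'review'.
    'review' means the version is outside the 2021 ranges but is not one of the
    releases the page names as fixing both CVEs, so it needs a manual look."""
    report = []
    for host, version_text in inventory:
        if is_affected(version_text):
            status = "affected"
        elif remediates_both(version_text):
            status = "remediated"
        else:
            status = "review"
        report.append((host, version_text, status))
    return report


# Constructed sample inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    ("wiki-01.example.internal", "Confluence 7.4.10"),
    ("wiki-02.example.internal", "7.12.5"),
    ("docs.example.internal", "6.13.22"),
    ("kb.example.internal", "7.13.7"),
]

if __name__ == "__main__":
    for host, version_text, status in triage(SAMPLE_INVENTORY):
        print(f"{host:28} {version_text:20} {status}")
```

Feed it the version strings your asset inventory or CMDB already holds; the "review" bucket is deliberately conservative, since a release like 7.12.5 is outside the CVE-2021-26084 ranges but is not one the page names as fixing the newer CVE-2022-26134.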
For more information on weekly vulnerability trends, make sure to subscribe to Cytidel on LinkedIn to keep up to date. If you have any questions on how Cytidel can help your company or organisation with vulnerability management please contact firstname.lastname@example.org