Confluence vulnerability exploited at scale - Take action now!

On August 25th, 2021 Atlassian has published a security advisory for its on-premise offerings Server & Data Center

On August 25th, 2021 Atlassian published a security advisory for its on-premise offerings (Server / Data Center) of Confluence: CVE-2021-26084 - Confluence Server Webwork OGNL injection

It was initially communicated to only affect those customers who had public signup enabled, but was subsequently corrected by Atlassian. Confluence can be exploited regardless of configuration.

All recent versions of Confluence are affected. Patches have been made available with the following fix versions:

  • 6.13.23
  • 7.4.11
  • 7.11.6
  • 7.12.5
  • 7.13.0

If you operate a Confluence instance that is publicly available and have not yet upgraded, it is very likely that the instance has been compromised already. There are multiple threat actors that have already begun scanning for affected installation in the wild at a large scale. It is to be believed that the vulnerability, which allows remote code execution, is exploited to install a crypto - miner on the affected systems.

The attackers target both LINUX and WINDOWS environments and deploy shell / powershell scripts on the compromised hosts. These are used to download additional payload, i.e. via pastebin to install various crypto - miners.

Regardless of when the upgrade was performed, you should check your log-files for exploit attempts. We have seen a surge in POST requests, which can be attributed to the recent vulnerability:

POST /pages/createpage-entervariables.action?SpaceKey=x

Once a vulnerable system has been identified, the attacker will inject code to download and install a Java Shared Object file (.so), which contains native code that in turn is used to install a crontab entry. Once executed, the cronjob will download additional payloads to install the crypto-miner and other potential harmful / malicious content.

Affected systems might contain Java shared object files in /tmp (such as snappy-unknown-< hash > resulting in additional entries in /var/spool/cron/crontabs/confluence. Upon successful installation, some sort of crypto-miner is installed, directly or with the use of kinsing.

Successfully exploited hosts will eventually show a spiked CPU load indicating a running crypto miner.

Although it appears to be a very simplistic attack to mine cryptocurrencies, the affected systems should be considered fully comprised. It can be assumed that other malicious content might be executed.

If you are a Managed Hosting customer of ours, your environment was patched immediately, and we have taken all measures to ensure the vulnerability has not been successfully exploited.

If your Confluence instance is not operated by us and you need support in upgrading it, please feel free to reach out, directly

A detailed write-up on the vulnerability can be found on github a reference implementation can be found here CVE-2021-26084_PoC

You can find additional information in the security advisory CVE-2021-26084, the underlying reported issue CONFSERVER-67940, the advisory of the BSI CB-K21/0917