Confluence Server Webwork OGNL Injection (CVE-2021-26084) Exploited in the Wild

A widely distributed exploit for CVE-2021-26084 allows an unauthenticated attacker to execute code remotely using the OGNL language, a simplified version of Java’s expression language. The first patch for the vulnerability was released on August 25, 2021, and the CVE associated with the patched vulnerability received a CVSS score of 9.8/10 due to the difficulty of developing a weaponized exploit. Despite this, a reliable exploit and walkthrough were publicly released on GitHub on Tuesday, August 31, 2021; Internet-wide scanning for the vulnerability was observed; and several hundred vulnerability reports of unpatched Confluence instances were received via the Bugcrowd platform.

Based on the widespread deployment of Confluence Server, the easy availability and reliability of an exploit, and the groundswell of scanning and exploitation of this vulnerability, Bugcrowd believes that CVE-2021-26084 is also being exploited by malicious attackers. Organizations should prioritize identifying Confluence Server instances in their environment and begin patching IMMEDIATELY.

Key points:

  • *CVE ID:* CVE-2021-26084
  • *CVE Title:* Confluence Server Webwork OGNL injection
  • *CVE Release Date:* 27 July 2021
  • *CVSS 3.0 Score:* 9.8

CVE Description:

An OGNL injection vulnerability exists in affected versions of Confluence Server and Data Center, allowing an authenticated user, and in some cases an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. If “Allow people to sign up to create their account” is enabled, a non-administrator user or an unauthenticated user can access the vulnerable endpoints. To see whether this is enabled, navigate to COG > User Management > User Signup Options. The affected versions are: before version 6.13.23; before version 7.4.11; from version 7.5.0 before 7.11.6; and from version 7.12.0 before 7.12.5.
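The affected ranges above are awkward to check by eye across a fleet, so here is a small Python helper, added as an example (not code from Bugcrowd or Atlassian), that encodes exactly the ranges stated in the description and flags inventory entries that still fall inside one. The inventory hostnames and version strings are constructed placeholders.

```python
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Affected ranges as stated in the CVE-2021-26084 description:
# (inclusive lower bound or None, exclusive upper bound).
# The upper bound is the first version outside the affected range.
AFFECTED_RANGES = [
    (None, "6.13.23"),
    (None, "7.4.11"),
    ("7.5.0", "7.11.6"),
    ("7.12.0", "7.12.5"),
]


def parse_version(text: str) -> Version:
    """Turn a Confluence version string such as '7.11.5' into a comparable tuple.
    Assumption: a trailing suffix after '-' (e.g. '7.12.2-suffix') is ignored."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def affected_range(version: str) -> Optional[Tuple[Optional[str], str]]:
    """Return the first advisory range containing `version`, or None when the
    version lies outside every affected range (i.e. it is already fixed)."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if low is not None and v < parse_version(low):
            continue  # below this range's lower bound
        if v < parse_version(high):
            return (low, high)
    return None


def is_vulnerable(version: str) -> bool:
    return affected_range(version) is not None


if __name__ == "__main__":
    # Constructed sample inventory; hostnames are placeholders, not real systems.
    inventory = {"wiki-a.example": "7.11.5", "wiki-b.example": "7.12.5", "wiki-c.example": "6.13.22"}
    for host, ver in inventory.items():
        rng = affected_range(ver)
        status = f"PATCH NOW (in affected range {rng})" if rng else "outside all affected ranges"
        print(f"{host}: Confluence {ver} -> {status}")
```

Note that a version between 7.4.11 and 7.5.0 (for example 7.4.12) is reported as outside the affected ranges, matching the description's wording.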

Errata:

  • Benny Jacob (SnowyOwl) discovered the bug through Atlassian’s public bug bounty program.
  • Atlassian has been providing a patch since August 25th.
  • Blocking individual pages will not reduce the risk of this issue. This issue is caused by multiple pages and code pathways, and if the root cause is not addressed, an attacker will be able to trigger it again and again.
  • As of September 1st, 2021, Bugcrowd had received 150 unique reports related to this vulnerability from more than 50 organizations, representing a wide range of company sizes and verticals. So far, 27 reports have been rewarded by companies, indicating that recipients of vulnerability reports are patching Confluence Server instances and mitigating risks.

References:

Vendor advisory: https://jira.atlassian.com/browse/CONFSERVER-67940

Vendor patch: https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html

First public writeup and exploit: https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md

Widespread scanning: https://twitter.com/haxor31337/status/1432731786719551489

News: https://therecord.media/confluence-enterprise-servers-targeted-with-recent-vulnerability/
