Security Advisory Regarding Atlassian Confluence

By |Published On: September 3rd, 2021|

On August 25th, Atlassian published a Security Advisory for Confluence–server and datacenter releases–described as a “web-based corporate wiki”. To put it simply, Confluence typically serves as a centralized documentation repository. 

On the eve of Labor Day weekend in the US, US-CERT is warning against an increased surge of malware and advises patching against this vulnerability as soon as possible.

Details

This vulnerability, assigned CVE-2021-26084, is an OGNL injection vulnerability. OGNL is described as “an expression language for getting and setting properties of Java objects, plus other extras such as list projection and selection and lambda expressions.”  An OGNL injection vulnerability occurs when a web application accepts expressions from client input without validating them–similar to how your typical command injection vulnerabilities work. 

If you’re interested in learning more, this blog post by Reshift security provides a basic run-down on OGNL injection.

As for the Confluence vulnerability itself, there is an excellent write-up by @rootxharsh in the httpvoid/writeups GitHub that goes through all of the ins and outs: what parameter is exploited, how it is exploited, and a proof of concept exploit. Since there is a proof of concept provided in this write-up, proof of concept vulnerabilities have popped up all over the place and, of course, threat groups have been observed scanning for and exploiting the vulnerability in the wild. 

Be aware that in many instances this vulnerability can be exploited by non-administrator and/or unauthenticated users. According to a blog post by Rapid 7:

The vulnerable endpoints can be accessed by a non-administrator user or unauthenticated user if “Allow people to sign up to create their account” is enabled. To check whether this is enabled, go to COG > User Management > User Signup Options.

Mitigation

Fortunately, Atlassian has provided some mitigations on their Security Advisory page

In summary, you have a few options:

1. Upgrade to the latest available version of the LTS release. Per the Atlassian Advisory, if you are running:

  • An affected version, upgrade to version 7.13.0 (LTS) or higher.
  • 6.13.x versions and cannot upgrade to 7.13.0 (LTS), then upgrade to version 6.13.23.
  • 7.4.x versions and cannot upgrade to 7.13.0 (LTS), then upgrade to version 7.4.11.
  • 7.11.x versions and cannot upgrade to 7.13.0 (LTS), then upgrade to version 7.11.6.
  • 7.12.x versions and cannot upgrade to 7.13.0 (LTS), then upgrade to version 7.12.5.

2. If upgrading your Confluence instance is not possible, consider downloading and running their hotfix tools. 

  • Check the Mitigation portion of the Security Advisory and click on the “Confluence Server or Data Center Node on Linux” and/or the “Confluence Server or Data Center Node running on Windows” links to access documentation and a hotfix script that will patch the affected files only.

Detection

  • Look for unusual commands running from your Confluence servers, attempting to reach out to grab malicious payloads. For Linux servers, this may include cURL, Wget, or other GTFOBins. While on Windows, this may be CertUtil, PowerShell, or other LOLBAS tools.
  • Be on the lookout for POST requests to: 
    • /users/user-dark-features
    • /login
    • /pages/templates2/viewpagetemplate.action
    • /template/custom/content-editor
    • /templates/editor-preload-container
    • /pages/createpage-entervariables.action

Check out this write-up by @_alt3kx_ for more details.

About Hurricane Labs

Hurricane Labs is a dynamic Managed Services Provider that unlocks the potential of Splunk and security for diverse enterprises across the United States. With a dedicated, Splunk-focused team and an emphasis on humanity and collaboration, we provide the skills, resources, and results to help make our customers’ lives easier.

For more information, visit www.hurricanelabs.com and follow us on Twitter @hurricanelabs.