Atlassian Vulnerability Being Exploited in the Wild
Cyber Command and CISA Issue Alerts
U.S. Cyber Command and the U.S. Cybersecurity and Infrastructure Security Agency issued alerts Friday warning those using Atlassian's Confluence Server and Data Center products that attackers are actively exploiting the critical remote code execution vulnerability CVE-2021-26084.
"Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate. Please patch immediately if you haven't already - this cannot wait until after the weekend," Cyber Command tweeted Friday morning.
Atlassian also issued an advisory on Aug. 25 indicating that multiple versions of Confluence Server and Data Center are affected, but that warning did not mention attackers exploiting the vulnerability in the wild. The company has issued an update that fixes the flaw.
The cybersecurity firm Bad Packets tweeted a warning on Sept. 1 that attackers were conducting mass scans and that malicious actors were exploiting the flaw.
We know where it's coming from, because we backtraced it. https://t.co/SX99atTuWt
— Bad Packets (@bad_packets) September 3, 2021
Atlassian's Confluence is web-based team collaboration software, developed in Australia and written in Java, for managing workspaces and projects; companies can run it locally on their own servers, Heimdal Security notes.
Atlassian describes its Data Center product as: "a deployment option providing high availability and performance at scale for your mission critical Atlassian applications."
Cryptocurrency Mining?
Bleeping Computer reports that its analysis of the exploitation attempts posted by Bad Packets indicates the attackers are installing cryptominers on Windows and Linux Confluence servers.
Heimdal Security believes cryptomining is only the first stage of how attackers will use this vulnerability.
"Although cybercriminals are currently exploiting this type of vulnerability for cryptocurrency mining, researchers believe it will be used for data exfiltration and ransomware attacks in the future," the company says.
CVE-2021-26084
Atlassian says the issue is an Object-Graph Navigation Language (OGNL) injection vulnerability that, when exploited, allows an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. Because OGNL expressions are evaluated inside Confluence's own web layer, an injected expression runs with the privileges of the Confluence server process.
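For defenders, the practical question is what an OGNL injection attempt against Confluence looks like in web logs. The following Python is an added example, not code from the article, from Atlassian or from any of the researchers quoted; it scans Apache-style access-log lines, URL-decodes each query parameter, resolves Java `\uXXXX` escapes (public analyses of the exploit noted that it used `\u0027` in place of a literal quote to get past the server-side expression filter), and flags OGNL constructs that never belong in a query parameter. The log lines, IP addresses and payload shapes are constructed for the example; the two Confluence action paths in them are the ones public exploit analyses reported being hit, and should be treated as an assumption to be extended from Atlassian's advisory rather than a complete list.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (documentation IP ranges, not captured traffic).
# Lines 1 and 3 mimic the shape of public CVE-2021-26084 exploit requests; line 2 is benign.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Sep/2021:10:12:01 +0000] "GET /pages/createpage-entervariables.action'
    '?SpaceKey=x&queryString=%5Cu0027%2B%7BClass.forName%28%5Cu0027javax.script.ScriptEngineManager'
    '%5Cu0027%29.newInstance%28%29.getEngineByName%28%5Cu0027JavaScript%5Cu0027%29.eval%28%5Cu00271%2B1'
    '%5Cu0027%29%7D%2B%5Cu0027 HTTP/1.1" 200 1234',
    '198.51.100.2 - - [03/Sep/2021:10:12:05 +0000] "GET /pages/viewpage.action?pageId=12345 HTTP/1.1" 200 5678',
    '203.0.113.7 - - [03/Sep/2021:10:12:09 +0000] "GET /pages/doenterpagevariables.action'
    '?queryString=%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%5Cu0027id%5Cu0027%29%7D HTTP/1.1" 200 0',
]

# Minimal Apache combined-style parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Java-style unicode escapes (\u0027 == '), left in the parameter after percent-decoding.
UNICODE_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")

# OGNL constructs that have no legitimate reason to appear in a Confluence query parameter.
# Each is a heuristic; the labels are the reasons reported in an alert.
OGNL_MARKERS = [
    (re.compile(r"[$%]\{"), "expression delimiter"),
    (re.compile(r"@[\w.]+@"), "static member access"),
    (re.compile(r"[\"']\s*\+\s*\{"), "string break-out into expression"),
    (re.compile(r"Class\.forName", re.I), "reflective class loading"),
    (re.compile(r"ScriptEngineManager|Runtime\b|ProcessBuilder", re.I), "code-execution sink"),
]


def decode_param(raw):
    """parse_qsl has already undone percent-encoding; additionally resolve \\uXXXX escapes
    so a payload that spells its quotes as \\u0027 is inspected in the form OGNL sees."""
    return UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), raw)


def scan_line(line):
    """Return an alert dict for a log line whose query parameters contain OGNL markers, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a request line we understand; a real pipeline would count these
    url = urlsplit(m.group("target"))
    hits = []
    for name, raw in parse_qsl(url.query, keep_blank_values=True):
        value = decode_param(raw)
        reasons = [label for rx, label in OGNL_MARKERS if rx.search(value)]
        if reasons:
            hits.append({"param": name, "reasons": reasons, "decoded": value})
    if not hits:
        return None
    return {"ip": m.group("ip"), "path": url.path, "status": m.group("status"), "hits": hits}


def scan_log(lines):
    """Scan an iterable of log lines and return the alerts in order."""
    return [alert for alert in map(scan_line, lines) if alert]


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f'{alert["ip"]} {alert["path"]} status={alert["status"]}')
        for hit in alert["hits"]:
            print(f'  {hit["param"]}: {", ".join(hit["reasons"])}')
            print(f'    {hit["decoded"]}')
```

Two caveats when running this against real logs. First, public exploit traffic also carried `queryString` in a POST body, which a standard access log does not record, so the same check belongs on WAF or reverse-proxy logs that capture request bodies. Second, a 200 response to one of these action endpoints from an IP with no prior session is itself worth a look even when the marker list misses the payload; the markers are heuristics and attackers vary their encoding.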
Atlassian rates the severity level of this vulnerability as critical and recommends immediate patching.
In its description of the vulnerability, MITRE adds that the vulnerable endpoints can be reached by a non-administrator or unauthenticated user if the "Allow people to sign up to create their account" setting is enabled.
Atlassian notes that customers using the cloud versions of these products, and those who have updated Confluence Server or Data Center to versions 6.13.23, 7.4.11, 7.11.6, 7.12.5 or 7.13.0, are not affected by the vulnerability.
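Because the fix shipped on several release branches at once, a simple "is my version newer than 7.4.11" comparison gets the answer wrong: 7.5.0 sorts above 7.4.11 and is still vulnerable. The following Python is an added example, not code from the article or from Atlassian, for triaging an inventory of self-hosted instances. The affected ranges are those worded in Atlassian's advisory for CVE-2021-26084 (before 6.13.23; 6.14.0 up to but not including 7.4.11; 7.5.0 up to but not including 7.11.6; 7.12.0 up to but not including 7.12.5), whose upper bounds are the fixed versions listed above; the hostnames in the inventory are hypothetical.

```python
import re

# Affected ranges (inclusive lower bound, exclusive upper bound) as stated in Atlassian's
# advisory for CVE-2021-26084. Anything at or above 7.13.0 falls outside every range.
AFFECTED_RANGES = [
    ((0, 0, 0), (6, 13, 23)),
    ((6, 14, 0), (7, 4, 11)),
    ((7, 5, 0), (7, 11, 6)),
    ((7, 12, 0), (7, 12, 5)),
]

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """'7.12.4' -> (7, 12, 4). A missing patch component counts as 0; any trailing suffix is ignored."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def affected_range(version):
    """Return the (low, high) advisory range containing this version, or None if it is not affected."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if low <= v < high:
            return low, high
    return None


def is_affected(version):
    return affected_range(version) is not None


def recommended_fix(version):
    """Smallest fixed release newer than this version, or None when it is already unaffected."""
    rng = affected_range(version)
    return None if rng is None else ".".join(map(str, rng[1]))


def triage(inventory):
    """inventory: {hostname: version string}. Returns sorted (host, version, fix) for affected hosts only."""
    return sorted(
        (host, ver, recommended_fix(ver)) for host, ver in inventory.items() if is_affected(ver)
    )


# Constructed inventory with hypothetical hostnames; versions chosen to sit on either side of each fix.
INVENTORY = {
    "wiki-a.example": "7.12.4",
    "wiki-b.example": "7.4.11",
    "wiki-c.example": "7.5.0",
    "wiki-d.example": "6.13.22",
    "wiki-e.example": "7.13.0",
}

if __name__ == "__main__":
    for host, ver, fix in triage(INVENTORY):
        print(f"{host}: {ver} is affected, upgrade to {fix}")
```

The version string can be read from the instance's own pages or from the `confluence` installation directory; the point of the range table is that the answer depends on which branch the instance is on, not on how large the version number is.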