[TheRecord] Confluence enterprise servers targeted with recent vulnerability

A major vulnerability in Confluence’s team collaboration server software is currently on the cusp of widespread abuse after mass scanning and initial exploitation was spotted this week.

Tracked as CVE-2021-26084, the vulnerability impacts Confluence Server and Confluence Data Center software that’s usually installed on Confluence self-hosted project management, wiki, and team collaboration platforms.

Under the hood, the vulnerability resides in OGNL (Object-Graph Navigation Language), a simple scripting language for interacting with Java code, the underlying technology in which most Confluence software has been written.

When it released patches on August 25, last week, Atlassian, the company that owns the Confluence software family, said the vulnerability could be exploited by threat actors to bypass authentication and inject malicious OGNL commands that allow them to take over unpatched systems.

As a result, the vulnerability was assigned a severity score of 9.8 out of a maximum of 10, as it allowed remote exploitation over the internet and because the complexity of developing a weaponized exploit was considered low.

Exploitation starts a week after patches

On Tuesday, Vietnamese security researcher Tuan Anh Nguyen said that mass scans for Confluence servers are currently underway, with attackers and professional bug bounty hunters probing Confluence systems for functions vulnerable to CVE-2021-26084 attacks.

About CVE-2021-26084, Block endpoint /pages/createpage-entervariables.action
If you can’t patch your server. The attacker can exploit without authentication although signup is disabled by default
Mass scan already start and bug bounty hunters are farming it 🙂#RCE #Confluence pic.twitter.com/C0JfIEYPhb

— Tuan Anh Nguyen 🇻🇳 (@haxor31337) August 31, 2021

Soon after mass exploitation was spotted in the wild, two security researchers, Rahul Maini and Harsh Jaiswal, also published an in-depth explanation of the bug on GitHub, which also included several proof-of-concept payloads.

In a tweet, Maini described the process of developing the CVE-2021-26084 exploit as “relatively simpler than expected,” effectively confirming why the bug received its high 9.8 severity score.

Just did Atlassian Confluence UnAuth RCE CVE-2021-26084 along with @rootxharsh. It was relatively simpler than expected 😀 pic.twitter.com/7hpHt76AES

— Rahul Maini (@iamnoooob) August 28, 2021

With Confluence being a wildly popular team collaboration software inside some of the world’s largest corporations, and with the CVE-2021-26084 vulnerability being extremely powerful from a threat actor’s perspective, attacks from criminal groups are expected to ramp up in the following days.

Confluence bugs have been widely weaponized before, so a similar exploitation pattern is expected this time as well.

On its website, Atlassian claims that Confluence is used by more than 60,000 customers, including the likes of Audi, Hubspot, NASA, LinkedIn, Twilio, and Docker.

The post Confluence enterprise servers targeted with recent vulnerability appeared first on The Record by Recorded Future.

Source: Read More (The Record by Recorded Future)

You might be interested in …

[NCSC-NL] NCSC-NL cordially invites you to its research symposium Let’s do Cybersecurity Research Together

All posts, NCSC-NL

At NCSC-NL we believe that better cybersecurity incident response requires more cooperation and research. Therefore, we proudly announce our upcoming research symposium Let’s Do Cybersecurity Research Together. This event is all about connecting multidisciplinary academic and applied cybersecurity research(ers) with professionals dealing with cybersecurity issues and incidents on a daily basis. Source: Read More (National […]

Read More

Daily NCSC-FI news followup 2019-11-21

The Cyber-Physical Security of the Power Grid smartgrid.ieee.org/newsletters/november-2019/the-cyber-physical-security-of-the-power-grid Since critical infrastructures play a crucial role in our everyday life, its security has to be considered as one of the most important challenges in this modern era.. Physical and cyber security of smart power grids is very difficult due to their complexity and inhomogeneity. A huge […]

Read More

[SecurityWeek] German Wind Turbine Firm Discloses ‘Targeted, Professional Cyberattack’

All posts, Security Week

German wind turbine giant Deutsche Windtechnik has issued a notification to warn that some of its IT systems were impacted in a targeted professional cyberattack earlier this month. read more Source: Read More (SecurityWeek RSS Feed)

Read More

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.