Threat actors are actively exploiting a recently patched vulnerability in Atlassian’s Confluence enterprise collaboration product.
Threat actors were spotted exploiting the CVE-2021-26084 vulnerability in Atlassian’s Confluence enterprise collaboration product a few days after it was patched by the vendor.
Last week, Atlassian released security patches to address the critical CVE-2021-26084 flaw that affects the Confluence enterprise collaboration product.
The flaw is an OGNL injection issue that can be exploited by an authenticated attacker to execute arbitrary code on affected Confluence Server and Data Center instances.
“An OGNL injection vulnerability exists that would allow an authenticated user, and in some instances unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. ” reads the advisory published by the company.
The issue was discovered by Benny Jacob (SnowyOwl) through the Atlassian public bug bounty program, the vulnerability received a CVSS score of 9.8.
Affected versions are:
version < 6.13.236.14.0 ≤ version < 7.4.117.5.0 ≤ version < 7.11.57.12.0 ≤ version < 7.12.5Researchers from Threat intelligence firm Bad Packets detected mass scanning and exploit activity targeting Atlassian Confluence servers vulnerable to the above RCE.
We’ve detected mass scanning and exploit activity from hosts in targeting Atlassian Confluence servers vulnerable to remote code execution (https://t.co/GExSx8puLm).Query our API for “tags=CVE-2021-26084” for full payload and source IPs. #threatintel— Bad Packets (@bad_packets) September 1, 2021Internet scans for systems affected by the CVE-2021-26084 flaw were also spotted by other researchers, the Japan CERT issued a security alert regarding this flaw. https://jpcert.or.jp/english/at/2021/at210037.html
“On September 2, 2021 (Japan time), JPCERT/CC confirmed that an article explaining the details of this vulnerability and Proof-of-Concept code that seems to exploit the vulnerability are made public. The users of the affected products are recommended to take measures such as upgrading to the latest version or apply workaround as soon as possible.” reads the alert from the Japan CERT.
New Security Alert Regarding Vulnerability (CVE-2021-26084) in Confluence Server and Data Center ^MT https://t.co/cCKLM5rue6— JPCERT/CC (@jpcert_en) September 2, 2021Australian ACSC also issued an alert for CVE-2021-26084 due to ongoing exploitation attempts in the wild.
Scan for Confluence Webwork OGNL injection RCE (CVE-2021-26084) using nuclei template shared by @DhiyaneshDK #hackwithautomation pic.twitter.com/MDzkiRv7Ds— nuclei (@pdnuclei) August 31, 2021
We started observing live exploitation of the new confluence vulnerability (CVE-2021-26084). pic.twitter.com/VP6YrJTKC7— Ba1gan (@Balgan) September 1, 2021Technical details and POC for Confluence RCE (CVE-2021-26084) are available here:
Very nice writeup and POC for Confluence RCE (CVE-2021-26084) https://t.co/o0RwAGuvBH— Nicolas Krassas (@Dinosn) September 1, 2021Experts believe that the number of attacks targeting this Confluence vulnerability will increase in the next weeks.
Follow me on Twitter: @securityaffairs and Facebook
try {
window._mNHandle.queue.push(function (){
window._mNDetails.loadTag(“816788371”, “300×250”, “816788371”);
});
}
catch (error) {}
try {
window._mNHandle.queue.push(function (){
window._mNDetails.loadTag(“816788371”, “300×250”, “816788371”);
});
}
catch (error) {}
Pierluigi Paganini
(SecurityAffairs – hacking, FIN8)
The post Attackers are attempting to exploit recently patched Atlassian Confluence CVE-2021-26084 RCE appeared first on Security Affairs.