Confluence Remote Code Execution Vulnerability: Everything you need to know about it

Posted on 09.07.2021
Written by Blanca Vazquez

Atlassian has announced a critical severity security vulnerability CVE-2021-26084 on certain versions of the Server and Data Center platform for Confluence. Oxalis performed additional analysis on this vulnerability announcement and is confident that our current customers are protected by our security practices. This security vulnerability only affects Atlassian’s Confluence Data Center and Server products. Atlassian Confluence Cloud products are not affected, and users are not impacted by this vulnerability.

Specifically, the CVE (Common Vulnerabilities and Exposures) ID for this vulnerability is CVE-2021-26084 (Confluence Server Webwork OGNL injection). To stay on top of the issue, track it here. Beyond its extremely high 9.8 severity level, the fact that it does not require a user to be authenticated puts any publicly facing Confluence instance at risk. High-profile organizations are reporting successful attacks, including the project behind the CI/CD tool Jenkins.

We believe it is critical that you mitigate this issue immediately, either on your own or with Oxalis’s assistance. US Cyber Command has issued a notice alerting IT teams to this issue, and there is reason to believe that exploitation of CVE-2021-26084 will continue and rapidly increase.

This vulnerability specifically affects the following versions of Confluence Server and Data Center:

Affected versions:

  • any version < 6.13.23
  • 6.14.0 ≤ version < 7.4.11
  • 7.5.0 ≤ version < 7.11.5
  • 7.12.0 ≤ version < 7.12.5

What to do if you believe you’re at risk

Upgrade to the latest release

The current releases of Atlassian’s Confluence Server and Confluence Data Center products include security patches that address this issue – as long as you are on a recent release, you are protected. Staying up to date should be the baseline of your security practice.

Check Your Current Version of Confluence

  • How to check current version
    • To find the version of Jira Data Center that you are on, click on the Administration cog and go to Applications. Here you can view the current version of your Jira applications.
      • Note: You will need to be a Jira Administrator to access Jira’s Administration menu.
    • Need help finding your current version of Jira Data Center? Get help immediately for assistance.

Pick the Version of Confluence to Upgrade and Download

These versions apply to both Server and Data Center editions of Confluence:

  • Your best bet is to upgrade to version 7.13.0 (LTS) or higher.
  • If you are running 6.13.x versions and cannot upgrade to 7.13.0 (LTS) then upgrade to version 6.13.23.
  • If you are running 7.4.x versions and cannot upgrade to 7.13.0 (LTS) then upgrade to version 7.4.11.
  • If you are running 7.11.x versions and cannot upgrade to 7.13.0 (LTS) then upgrade to version 7.11.6.
  • If you are running 7.12.x versions and cannot upgrade to 7.13.0 (LTS) then upgrade to version 7.12.5.

Versions can be downloaded from the following pages, depending on whether you are using Server or Data Center:

  • Confluence Current Version: https://www.atlassian.com/software/confluence/download/data-center
  • For other patched versions: https://www.atlassian.com/software/confluence/download-archives
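As an added example (not code from this post, Oxalis or Atlassian), a small Python check that encodes the affected ranges and branch fix versions listed above and tells you whether a given Confluence version is affected and which release to move to; the function names are my own:

```python
"""Classify a Confluence Server/Data Center version against CVE-2021-26084.

Added example. The ranges and fix versions are copied from the advisory text
above; the helper names (parse_version, is_affected, upgrade_target) are mine.
"""
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges as [lower inclusive, upper exclusive), per the advisory.
AFFECTED_RANGES = [
    ((0, 0, 0), (6, 13, 23)),    # any version < 6.13.23
    ((6, 14, 0), (7, 4, 11)),    # 6.14.0 <= version < 7.4.11
    ((7, 5, 0), (7, 11, 5)),     # 7.5.0 <= version < 7.11.5
    ((7, 12, 0), (7, 12, 5)),    # 7.12.0 <= version < 7.12.5
]

# Minimum fixed release per branch when 7.13.0 (LTS) is not an option.
BRANCH_FIXES = {
    (6, 13): (6, 13, 23),
    (7, 4): (7, 4, 11),
    (7, 11): (7, 11, 6),
    (7, 12): (7, 12, 5),
}
RECOMMENDED: Version = (7, 13, 0)


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch'; '7.4' becomes (7, 4, 0), suffixes after '-' are dropped."""
    core = text.strip().split("-")[0]
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (3 - len(parts))
    if len(parts) != 3 or any(p < 0 for p in parts):
        raise ValueError(f"unrecognised version: {text!r}")
    return parts[0], parts[1], parts[2]


def is_affected(version: str) -> bool:
    """True if the version falls inside any affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def upgrade_target(version: str) -> Optional[str]:
    """Release to move to, or None if the version is already patched."""
    if not is_affected(version):
        return None
    major, minor, _ = parse_version(version)
    fix = BRANCH_FIXES.get((major, minor), RECOMMENDED)
    return ".".join(str(n) for n in fix)
```

Branches without a listed backport (for example 6.14 through 7.3) are pointed at 7.13.0 (LTS), matching the post's first recommendation.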

Make a Plan to Stay Up To Date

At Oxalis, we hold regular maintenance windows for all deployments and applications. We continuously monitor, review, and upgrade to new releases of applications like Jira to ensure our clients’ systems are up to date.

Patch Your Current Confluence Installation

If for some reason you are unable to upgrade immediately, Atlassian has released a mitigation tool that can be run to remove the vulnerability without upgrading. Full details on downloading and applying the mitigation are available on Atlassian’s page here.

How to avoid future risks

Migrate to Atlassian Cloud

At the beginning of 2021, Atlassian announced their journey to cloud, showing their dedication to the Cloud products and services. Even though they will be decommissioning their Server offering, their Data Center platform will continue to be supported. There are many considerations to take into account before deciding to migrate to Atlassian Cloud, but it is certainly worth considering, as it is clear that Atlassian is focusing their efforts towards the Cloud.

  • Not a Lift-and-Shift – Migrating from Server/Data Center to Atlassian Cloud is not simply a lift-and-shift effort. There are many differences between the on-premise and cloud versions of Atlassian’s applications, along with differences in the Marketplace Apps. A short discovery effort is recommended to plan and map your migration effort to ensure success. You can learn more about our migration approach here.
  • Compliance – It’s possible Atlassian Cloud may not meet your compliance needs. Currently, Atlassian Cloud does NOT meet the following compliance standards:
    • HIPAA
    • FedRAMP Moderate
    • NIST 800-53
    • Review Atlassian’s cloud roadmap to see when they plan on meeting these compliance standards.
  • Trust – Atlassian’s team is dedicated to keeping the trust of their customers, and has you covered. Review information about security, reliability, privacy, and compliance for their products and services here.

Stay Up To Date

Staying on the most recent version continues to be the best strategy. When a deployment is stable, it is easy to stay with what works and quietly fall out of date.

Build Security at Depth

While implementing zero trust architectures can be challenging, choosing architectural patterns that allow for isolation and segmentation of infrastructure components both reduces the blast radius of a compromise and limits how far exploitation can spread.

We’re here to help

If you need help understanding whether you are at risk from CVE-2021-26084, hardening your existing infrastructure, getting ongoing maintenance help, or moving to a more compliant infrastructure, our award-winning team is here to help. As a group of technology consultants and product leaders operating in various highly regulated industries, Oxalis has a strong focus on security. We do not just care when vulnerabilities occur; it is a key piece of how we operate as a firm.
