A critical vulnerability in Atlassian’s Confluence Server software is now under active attack.
Disclosed last week by Atlassian, CVE-2021-26084 is a remote code execution bug that is considered a critical security risk by the vendor. The flaw, which was rated a 9.8 on the CVSS scale, is due to an injection bug in the open source Object-Graph Navigation Language (OGNL) discovered and reported by security researcher Benny Jacob through Atlassian’s bug bounty program.
Troy Mursch, chief research officer with threat intelligence vendor Bad Packets, confirmed to SearchSecurity that CVE-2021-26084 was now being targeted in the wild.
“I can confirm Bad Packets honeypots have detected mass scanning and exploit activity targeting the Atlassian Confluence RCE vulnerability CVE-2021-26084 from hosts in Russia, Hong Kong, Brazil, Poland and Romania,” Mursch said. “Multiple proof-of-concepts have been published publicly demonstrating how to exploit this vulnerability.”
Administrators are being urged to update any on-premises versions of Atlassian’s Confluence Server collaboration software as hackers have now descended on the critical security flaw. Cloud-hosted versions of Confluence Server are not vulnerable to attack, Atlassian said.
According to Atlassian, the bug normally requires the attacker to be logged into the network to exploit, but under some circumstances, servers can be remotely exploited without any authentication.
I can confirm Bad Packets honeypots have detected mass scanning and exploit activity targeting the Atlassian Confluence RCE vulnerability CVE-2021-26084 from hosts in Russia, Hong Kong, Brazil, Poland and Romania. Troy MurschChief research officer, Bad Packets
In a demonstration of the flaw, researcher Harsh Jaiswal showed how the bug could be exploited to gain remote code execution.
“From our understanding & debugging we came to this conclusion: Attributes of #tag components within Velocity template are evaluated as OGNL Expressions to convert the template into HTML,” Jaiswal wrote.
For administrators, this means that getting the flaw patched as soon as possible is imperative. In some cases, Mursch said, it may already be too late. While Bad Packets doesn’t have an estimate on the number of vulnerable servers in the wild, the sheer volume of activity against the flaw should make the update a priority.
“Organizations using the on-premises version of Confluence need to immediately apply the update provided by Atlassian and check their servers for any indicators of compromise,” said Mursch.
“Given the level of scanning of exploit activity we’ve detected so far today, any unpatched servers are at immediate risk of compromise.”
It has been reported that data from over 500 million LinkedIn users are being sold online to hackers, marking the second major cybersecurity incident to be revealed in the past week, following news of a similar occurrence involving Facebook. The trove of scraped LinkedIn data includes user IDs, full names, email addresses, phone numbers, professional…
MobiKwik CEO Bipin Preet Singh on Tuesday said the company is investigating claims of some users that their data was available on the dark web. He said the company would get a third party to conduct a forensic data security audit. Responding to reports of a massive data breach in MobiKwik’s servers, Singh came…
Technical details have emerged on a serious vulnerability in Microsoft Exchange Server dubbed ProxyToken that does not require authentication to access emails from a target account. An attacker can exploit the vulnerability by crafting a request to web services within the Exchange Control Panel (ECP) application and steal messages from a victim’s inbox. Delegation confusion…
The world’s largest meat processor said on Wednesday that it paid an $11 million ransom in Bitcoin to the hackers behind an attack that forced the shutdown last week of all the company’s U.S. beef plants and disrupted operations at poultry and pork plants. The company, JBS, said in a statement that the decision to…
Google intervened to remove nine Android apps downloaded more than 5.8 million times from the company’s Play Store after the apps were caught furtively stealing users’ Facebook login credentials. “The applications were fully functional, which was supposed to weaken the vigilance of potential victims. With that, to access all of the apps’ functions and, allegedly,…
An emergency alert from enterprise security firm Rapid7 notes that its systems were affected during the recent cyberattack on Codecov’s supply chain, a tool for code test analysis. The company confirmed that a set of sensitive data from its customers was compromised due to the attack. In its message, Rapid7 notes that a small subset…
