A critical vulnerability in Atlassian’s Confluence Server software is now under active attack.
Disclosed last week by Atlassian, CVE-2021-26084 is a remote code execution bug that the vendor rates as critical. The flaw, scored 9.8 on the CVSS scale, is an injection bug in the way Confluence evaluates Object-Graph Navigation Language (OGNL) expressions; it was discovered and reported by security researcher Benny Jacob through Atlassian's bug bounty program.
Troy Mursch, chief research officer with threat intelligence vendor Bad Packets, confirmed to SearchSecurity that CVE-2021-26084 was now being targeted in the wild.
“I can confirm Bad Packets honeypots have detected mass scanning and exploit activity targeting the Atlassian Confluence RCE vulnerability CVE-2021-26084 from hosts in Russia, Hong Kong, Brazil, Poland and Romania,” Mursch said. “Multiple proof-of-concepts have been published publicly demonstrating how to exploit this vulnerability.”
Administrators are being urged to update on-premises installations of Atlassian's Confluence Server (and Data Center) collaboration software now that attackers have descended on the critical flaw. Confluence Cloud is not affected, Atlassian said.
According to Atlassian, exploiting the bug normally requires an authenticated user, but under some configurations servers can be exploited remotely without any authentication.
In a demonstration of the flaw, researcher Harsh Jaiswal showed how the bug could be exploited to gain remote code execution.
“From our understanding & debugging we came to this conclusion: Attributes of #tag components within Velocity template are evaluated as OGNL Expressions to convert the template into HTML,” Jaiswal wrote.
For administrators, this means that getting the flaw patched as soon as possible is imperative. In some cases, Mursch said, it may already be too late. While Bad Packets doesn’t have an estimate on the number of vulnerable servers in the wild, the sheer volume of activity against the flaw should make the update a priority.
“Organizations using the on-premises version of Confluence need to immediately apply the update provided by Atlassian and check their servers for any indicators of compromise,” said Mursch.
“Given the level of scanning and exploit activity we’ve detected so far today, any unpatched servers are at immediate risk of compromise.”
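Mursch's advice to check servers for indicators of compromise, together with Jaiswal's note that template attributes are evaluated as OGNL, suggests one concrete check: look for OGNL syntax in request parameters recorded in the web-server access log. The scanner below is an added example written for this page, not code from Atlassian, Bad Packets or the article; the log format (combined log format), the placeholder path `/example.action`, the parameter name `q` and the sample lines are all constructed, so adapt `LOG_RE` to the access-log pattern your reverse proxy or Tomcat actually writes.

```python
"""Flag OGNL-injection attempts in web-server access logs.

Added example for this article, not Atlassian's or Bad Packets' code.
The log format, the placeholder path and the sample lines are constructed.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# OGNL constructs that have no business appearing in a Confluence URL.
# Strong markers are enough on their own. The weak "#name" marker only counts
# when a strong one is also present, because "#" shows up in benign values
# such as colour codes.
STRONG_MARKERS = {
    "static-call": re.compile(r"@[\w.]+@\w+"),            # @java.lang.Runtime@getRuntime()
    "runtime-exec": re.compile(r"java\.lang\.(?:Runtime|ProcessBuilder)\b"),
    "unicode-quote": re.compile(r"\\u0027"),              # Java escape for ' used to break out of a string
}
WEAK_MARKERS = {
    "context-var": re.compile(r"#[A-Za-z_]\w*"),          # OGNL context variable, e.g. #context
}

# Combined log format (assumed for the sample). Confluence's own Tomcat
# access-log pattern differs; point this regex at the one you actually use.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_fully(value, max_rounds=3):
    """URL-decode repeatedly: scanners often double-encode to slip past filters."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def ognl_indicators(text):
    """Return the sorted names of OGNL markers found in a request fragment ([] if clean)."""
    decoded = decode_fully(text)
    strong = [n for n, rx in STRONG_MARKERS.items() if rx.search(decoded)]
    if not strong:
        return []
    weak = [n for n, rx in WEAK_MARKERS.items() if rx.search(decoded)]
    return sorted(strong + weak)


def suspicious_params(target):
    """Names of query parameters whose values carry a strong OGNL marker."""
    query = urlsplit(target).query
    return sorted(
        k for k, v in parse_qsl(query, keep_blank_values=True)
        if any(rx.search(decode_fully(v)) for rx in STRONG_MARKERS.values())
    )


def scan_access_log(lines):
    """Return one dict per suspicious request.

    Access logs carry only the request line, so OGNL sent in a POST body is
    invisible here; pair this with a WAF or proxy log that records bodies.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        indicators = ognl_indicators(target)
        if indicators:
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "method": m.group("method"),
                "target": target,
                "status": int(m.group("status")),
                "indicators": indicators,
                "params": suspicious_params(target),
            })
    return hits


# Constructed sample: one benign page load, one URL-encoded OGNL static call,
# one benign "#" colour value, and a POST whose body the access log cannot show.
SAMPLE_LOG = """
203.0.113.7 - - [01/Sep/2021:10:15:02 +0000] "GET /index.action HTTP/1.1" 200 8123
203.0.113.7 - - [01/Sep/2021:10:15:03 +0000] "GET /example.action?q=%5Cu0027%2B%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29%7D%2B%5Cu0027 HTTP/1.1" 302 0
198.51.100.9 - - [01/Sep/2021:10:16:44 +0000] "GET /display/DOC/Home?color=%23336699 HTTP/1.1" 200 4431
203.0.113.7 - - [01/Sep/2021:10:17:10 +0000] "POST /example.action HTTP/1.1" 200 0
""".strip().splitlines()


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

Run it as `python3 scan.py` against the built-in sample, or replace `SAMPLE_LOG` with the lines of your own access log. A hit is only a lead: confirm it by checking whether the request returned a success or redirect rather than an error, and then inspect the host for follow-on activity (new processes spawned by the Confluence service account, unexpected outbound connections, modified startup files), since a 200 or 302 on an OGNL-laden request to an unpatched server should be treated as a probable compromise rather than a blocked scan.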