===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.2901.2
                  Confluence Security Advisory - 2021-08-25
                               8 September 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Atlassian Confluence Server and Data Center
Publisher:         Atlassian
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-26084

Original Bulletin:
   https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html

Revision History:  September 8 2021: Advisory updated noting that this is being
                                     exploited in the wild
                   August 27 2021:   Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

Confluence Server and Data Center - CVE-2021-26084 - Confluence Server Webwork
OGNL injection

Update: This advisory has been updated since its original publication. Specific
updates include:

  o The vulnerability is being actively exploited in the wild. Affected servers
    should be patched immediately.
  o The vulnerability is exploitable by unauthenticated users regardless of
    configuration.
  o Minor text changes to clarify how customers can identify if they are using
    Confluence Cloud.

If you have already upgraded to a fixed version, there is no further action
required.
+--------------------+--------------------------------------------------------+
| Summary            | CVE-2021-26084 - Confluence Server Webwork OGNL        |
|                    | injection                                              |
+--------------------+--------------------------------------------------------+
| Advisory Release   | 25th August 2021 10AM PDT (Pacific Time, -7 hours)     |
| Date               |                                                        |
+--------------------+--------------------------------------------------------+
| Product            | o Confluence Server                                    |
|                    | o Confluence Data Center                               |
|                    |                                                        |
|                    | Confluence Cloud customers are not affected.           |
+--------------------+--------------------------------------------------------+
| Affected versions  | o All 4.x.x versions                                   |
|                    | o All 5.x.x versions                                   |
|                    | o All 6.0.x versions                                   |
|                    | o All 6.1.x versions                                   |
|                    | o All 6.2.x versions                                   |
|                    | o All 6.3.x versions                                   |
|                    | o All 6.4.x versions                                   |
|                    | o All 6.5.x versions                                   |
|                    | o All 6.6.x versions                                   |
|                    | o All 6.7.x versions                                   |
|                    | o All 6.8.x versions                                   |
|                    | o All 6.9.x versions                                   |
|                    | o All 6.10.x versions                                  |
|                    | o All 6.11.x versions                                  |
|                    | o All 6.12.x versions                                  |
|                    | o All 6.13.x versions before 6.13.23                   |
|                    | o All 6.14.x versions                                  |
|                    | o All 6.15.x versions                                  |
|                    | o All 7.0.x versions                                   |
|                    | o All 7.1.x versions                                   |
|                    | o All 7.2.x versions                                   |
|                    | o All 7.3.x versions                                   |
|                    | o All 7.4.x versions before 7.4.11                     |
|                    | o All 7.5.x versions                                   |
|                    | o All 7.6.x versions                                   |
|                    | o All 7.7.x versions                                   |
|                    | o All 7.8.x versions                                   |
|                    | o All 7.9.x versions                                   |
|                    | o All 7.10.x versions                                  |
|                    | o All 7.11.x versions before 7.11.6                    |
|                    | o All 7.12.x versions before 7.12.5                    |
+--------------------+--------------------------------------------------------+
| Fixed versions     | o 6.13.23                                              |
|                    | o 7.4.11                                               |
|                    | o 7.11.6                                               |
|                    | o 7.12.5                                               |
|                    | o 7.13.0                                               |
+--------------------+--------------------------------------------------------+
| CVE ID(s)          | CVE-2021-26084                                         |
+--------------------+--------------------------------------------------------+

Summary of Vulnerability

This advisory discloses a critical severity security vulnerability.
Confluence Server and Data Center versions before version 6.13.23, from version
6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0
before 7.12.5 are affected by this vulnerability.

Confluence Cloud sites are not affected. If your Confluence site is accessed via
an atlassian.net domain, it is hosted by Atlassian and you are not affected by
the vulnerability.

Customers who have upgraded to versions 6.13.23, 7.11.6, 7.12.5, 7.13.0, or
7.4.11 are not affected.

Customers who have downloaded and installed any versions listed in the Affected
Versions section must upgrade their installations to fix this vulnerability.

If you are unable to upgrade immediately, apply the workaround detailed below
while you plan your upgrade.

CVE-2021-26084 - Confluence Server Webwork OGNL injection

Severity

This vulnerability is being actively exploited in the wild. Affected servers
should be patched immediately.

Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT
environment.

Description

An OGNL injection vulnerability exists that would allow an unauthenticated user
to execute arbitrary code on a Confluence Server or Data Center instance.

All versions of Confluence Server and Data Center prior to the fixed versions
listed above are affected by this vulnerability.

This issue can be tracked here: CONFSERVER-67940

Acknowledgements

The issue was discovered by Benny Jacob (SnowyOwl) via the Atlassian public bug
bounty program.

Fix

We have taken the following steps to address this issue:

  o Released versions 6.13.23, 7.4.11, 7.11.6, 7.12.5, and 7.13.0 which contain
    a fix for this issue.

What You Need to Do

Atlassian recommends that you upgrade to the latest Long Term Support release.
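As an added example, not part of Atlassian's advisory or AusCERT's bulletin, the following POSIX shell helper classifies a Confluence Server or Data Center version against the affected and fixed ranges stated above and names the upgrade target the advisory gives for that branch (7.13.0 LTS, or the branch's own fixed release). It assumes the instance reports a plain MAJOR.MINOR.PATCH version string such as 7.12.4.

```shell
#!/bin/sh
# Added example, not Atlassian's or AusCERT's script: classify a Confluence
# version against the CVE-2021-26084 affected ranges and name the advisory's
# upgrade target. Assumes a plain MAJOR.MINOR.PATCH string (e.g. 7.12.4).

# version_lt A B: succeeds (exit 0) when A < B, comparing the three
# components numerically so that 7.4.11 sorts after 7.4.9.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1   # equal is not less-than
    }'
}

# confluence_status VERSION: prints "affected" or "fixed".
# Affected ranges per the advisory: before 6.13.23; 6.14.0 before 7.4.11;
# 7.5.0 before 7.11.6; 7.12.0 before 7.12.5. Everything else is fixed.
confluence_status() {
    v="$1"
    if   version_lt "$v" 6.13.23; then echo affected
    elif version_lt "$v" 6.14.0;  then echo fixed
    elif version_lt "$v" 7.4.11;  then echo affected
    elif version_lt "$v" 7.5.0;   then echo fixed
    elif version_lt "$v" 7.11.6;  then echo affected
    elif version_lt "$v" 7.12.0;  then echo fixed
    elif version_lt "$v" 7.12.5;  then echo affected
    else                               echo fixed
    fi
}

# upgrade_target VERSION: 7.13.0 (LTS) is the recommended target; branches
# that cannot move to 7.13.0 get their own fixed release. "none" if fixed.
upgrade_target() {
    [ "$(confluence_status "$1")" = affected ] || { echo none; return 0; }
    case "$1" in
        6.13.*) echo "7.13.0 (LTS) or 6.13.23" ;;
        7.4.*)  echo "7.13.0 (LTS) or 7.4.11" ;;
        7.11.*) echo "7.13.0 (LTS) or 7.11.6" ;;
        7.12.*) echo "7.13.0 (LTS) or 7.12.5" ;;
        *)      echo "7.13.0 (LTS)" ;;
    esac
}

for v in "$@"; do
    echo "$v: $(confluence_status "$v"); upgrade to: $(upgrade_target "$v")"
done
```

Run it with one or more version strings as arguments to get a line per version.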
For a full description of the latest version, see the Confluence Server and
Data Center Release Notes. You can download the latest version from the
download centre.

If you are running an affected version, upgrade to version 7.13.0 (LTS) or
higher.

If you are running 6.13.x versions and cannot upgrade to 7.13.0 (LTS), then
upgrade to version 6.13.23.

If you are running 7.4.x versions and cannot upgrade to 7.13.0 (LTS), then
upgrade to version 7.4.11.

If you are running 7.11.x versions and cannot upgrade to 7.13.0 (LTS), then
upgrade to version 7.11.6.

If you are running 7.12.x versions and cannot upgrade to 7.13.0 (LTS), then
upgrade to version 7.12.5.

Mitigation

If you are unable to upgrade Confluence immediately, then as a temporary
workaround you can mitigate the issue by running the script below for the
Operating System that Confluence is hosted on.

Confluence Server or Data Center Node running on a Linux based Operating System

If you run Confluence in a cluster, you will need to repeat this process on
each node. You don't need to shut down the whole cluster.

  1. Shut down Confluence.

  2. Download the cve-2021-26084-update.sh to the Confluence Linux Server.

  3. Edit the cve-2021-26084-update.sh file and set INSTALLATION_DIRECTORY to
     your Confluence installation directory, for example:

       INSTALLATION_DIRECTORY=/opt/atlassian/confluence

  4. Save the file.

  5. Give the script execute permission.

       chmod 700 cve-2021-26084-update.sh

  6. Change to the Linux user that owns the files in the Confluence
     installation directory, for example:

       $ ls -l /opt/atlassian/confluence | grep bin
       drwxr-xr-x 3 root root 4096 Aug 18 17:07 bin
       # In this first example, we change to the 'root' user
       # to run the workaround script
       $ sudo su root

       $ ls -l /opt/atlassian/confluence | grep bin
       drwxr-xr-x 3 confluence confluence 4096 Aug 18 17:07 bin
       # In this second example, we need to change to the 'confluence' user
       # to run the workaround script
       $ sudo su confluence

  7. Run the workaround script.
       $ ./cve-2021-26084-update.sh

  8. The expected output should confirm up to five files updated and end with:

       Update completed!

     The number of files updated will differ, depending on your Confluence
     version.

  9. Restart Confluence.

Remember, if you run Confluence in a cluster, make sure you run this script on
all of your nodes.

Confluence Server or Data Center Node running on Microsoft Windows

If you run Confluence in a cluster, you will need to repeat this process on
each node. You don't need to shut down the whole cluster.

  1. Shut down Confluence.

  2. Download the cve-2021-26084-update.ps1 to the Confluence Windows Server.

  3. Edit the cve-2021-26084-update.ps1 file and set the
     INSTALLATION_DIRECTORY. Replace Set_Your_Confluence_Install_Dir_Here with
     your Confluence installation directory, for example:

       $INSTALLATION_DIRECTORY='C:\Program Files\Atlassian\Confluence'

  4. Save the file.

  5. Open up a Windows PowerShell (use Run As Administrator).

  6. Due to PowerShell's default restrictive execution policy, run the
     PowerShell script using this exact command:

       Get-Content .\cve-2021-26084-update.ps1 | powershell.exe -noprofile -

  7. The expected output should show the status of up to five files updated,
     encounter no errors (errors will usually show in red) and end with:

       Update completed!

     The number of files updated will differ, depending on your Confluence
     version.

  8. Restart Confluence.

Remember, if you run Confluence in a cluster, make sure you run this script on
all of your nodes.

Last modified on Sep 7, 2021

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================