===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2021.2901.2
                 Confluence Security Advisory - 2021-08-25
                             8 September 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Atlassian Confluence Server and Data Center
Publisher:         Atlassian
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-26084  

Original Bulletin: 
   https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html

Revision History:  September  8 2021: Advisory updated noting that this is being exploited in the wild
                   August    27 2021: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

Confluence Server and Data Center - CVE-2021-26084 - Confluence Server Webwork
OGNL injection


Update: This advisory has been updated since its original publication.

Specific updates include:

  o The vulnerability is being actively exploited in the wild.
    Affected servers should be patched immediately.

  o The vulnerability is exploitable by unauthenticated users regardless of
    configuration.

  o Minor text changes to clarify how customers can identify if they are using
    Confluence Cloud

If you have already upgraded to a fixed version, there is no further action
required.

+--------------------+--------------------------------------------------------+
|      Summary       |CVE-2021-26084 - Confluence Server Webwork OGNL         |
|                    |injection                                               |
+--------------------+--------------------------------------------------------+
|  Advisory Release  |25th August 2021 10AM PDT (Pacific Time, -7 hours)      |
|        Date        |                                                        |
+--------------------+--------------------------------------------------------+
|                    |  o Confluence Server                                   |
|                    |                                                        |
|      Product       |  o Confluence Data Center                              |
|                    |                                                        |
|                    |Confluence Cloud customers are not affected.            |
+--------------------+--------------------------------------------------------+
|                    |  o All 4.x.x versions                                  |
|                    |  o All 5.x.x versions                                  |
|                    |  o All 6.0.x versions                                  |
|                    |  o All 6.1.x versions                                  |
|                    |  o All 6.2.x versions                                  |
|                    |  o All 6.3.x versions                                  |
|                    |  o All 6.4.x versions                                  |
|                    |  o All 6.5.x versions                                  |
|                    |  o All 6.6.x versions                                  |
|                    |  o All 6.7.x versions                                  |
|                    |  o All 6.8.x versions                                  |
|                    |  o All 6.9.x versions                                  |
|                    |  o All 6.10.x versions                                 |
|                    |  o All 6.11.x versions                                 |
|                    |  o All 6.12.x versions                                 |
| Affected versions  |  o All 6.13.x versions before 6.13.23                  |
|                    |  o All 6.14.x versions                                 |
|                    |  o All 6.15.x versions                                 |
|                    |  o All 7.0.x versions                                  |
|                    |  o All 7.1.x versions                                  |
|                    |  o All 7.2.x versions                                  |
|                    |  o All 7.3.x versions                                  |
|                    |  o All 7.4.x versions before 7.4.11                    |
|                    |  o All 7.5.x versions                                  |
|                    |  o All 7.6.x versions                                  |
|                    |  o All 7.7.x versions                                  |
|                    |  o All 7.8.x versions                                  |
|                    |  o All 7.9.x versions                                  |
|                    |  o All 7.10.x versions                                 |
|                    |  o All 7.11.x versions before 7.11.6                   |
|                    |  o All 7.12.x versions before 7.12.5                   |
+--------------------+--------------------------------------------------------+
|                    |  o 6.13.23                                             |
|                    |  o 7.4.11                                              |
|   Fixed versions   |  o 7.11.6                                              |
|                    |  o 7.12.5                                              |
|                    |  o 7.13.0                                              |
+--------------------+--------------------------------------------------------+
|     CVE ID(s)      |CVE-2021-26084                                          |
+--------------------+--------------------------------------------------------+

Summary of Vulnerability

This advisory discloses a critical severity security vulnerability. Confluence
Server and Data Center versions before version 6.13.23, from version 6.14.0
before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before
7.12.5 are affected by this vulnerability.

Confluence Cloud sites are not affected.

If your Confluence site is accessed via an atlassian.net domain, it is hosted
by Atlassian and you are not affected by the vulnerability.

Customers who have upgraded to versions 6.13.23, 7.11.6, 7.12.5, 7.13.0, or
7.4.11 are not affected.
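As an added example (not part of Atlassian's advisory or its workaround script), the following Python encodes the affected ranges and same-line fixed releases stated above so an administrator can triage an inventory of reported Confluence versions; the hostnames and version strings in it are constructed.

```python
"""Check Confluence Server / Data Center version strings against the
CVE-2021-26084 affected ranges stated in the advisory above.
Added example, not Atlassian's code; the inventory below is constructed."""

# (inclusive lower bound, exclusive upper bound) per the advisory's
# "Summary of Vulnerability"; each upper bound is that line's fixed release.
AFFECTED_RANGES = [
    ((0, 0, 0), (6, 13, 23)),   # every version before 6.13.23
    ((6, 14, 0), (7, 4, 11)),   # 6.14.0 up to, not including, 7.4.11
    ((7, 5, 0), (7, 11, 6)),    # 7.5.0 up to, not including, 7.11.6
    ((7, 12, 0), (7, 12, 5)),   # 7.12.0 up to, not including, 7.12.5
]

# "What You Need to Do": same-line fixes exist only for these four lines;
# every other affected version is told to go to 7.13.0 (LTS) or higher.
SAME_LINE_FIXES = {(6, 13): (6, 13, 23), (7, 4): (7, 4, 11),
                   (7, 11): (7, 11, 6), (7, 12): (7, 12, 5)}
LTS_FIX = (7, 13, 0)


def parse_version(text):
    """'7.4.11' -> (7, 4, 11); a missing patch component counts as 0.
    Raises ValueError for anything other than 1-3 dotted integers."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version format: {text!r}")
    nums = tuple(int(p) for p in parts)  # int() rejects non-digits
    return nums + (0,) * (3 - len(nums))


def is_affected(version):
    """True when the version falls inside any affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def minimal_upgrade(version):
    """Smallest fixed release the advisory names for this version,
    or None when the version is not affected."""
    v = parse_version(version)
    if not is_affected(version):
        return None
    return ".".join(map(str, SAME_LINE_FIXES.get(v[:2], LTS_FIX)))


if __name__ == "__main__":
    inventory = {"wiki-a": "7.12.4", "wiki-b": "6.13.23", "wiki-c": "7.2.0"}
    for host, ver in inventory.items():
        fix = minimal_upgrade(ver)
        print(f"{host}: {ver} -> {'upgrade to ' + fix if fix else 'not affected'}")
```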

Customers who have downloaded and installed any versions listed in the Affected
Versions section must upgrade their installations to fix this vulnerability. If
you are unable to upgrade immediately, apply the workaround detailed below
while you plan your upgrade.

CVE-2021-26084 - Confluence Server Webwork OGNL injection

Severity

This vulnerability is being actively exploited in the wild.
Affected servers should be patched immediately.

Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT
environment.

Description

An OGNL injection vulnerability exists that would allow an unauthenticated user
to execute arbitrary code on a Confluence Server or Data Center instance.

All versions of Confluence Server and Data Center prior to the fixed versions
listed above are affected by this vulnerability.

This issue can be tracked here:

CONFSERVER-67940

Acknowledgements

The issue was discovered by Benny Jacob (SnowyOwl) via the Atlassian public bug
bounty program.

Fix

We have taken the following steps to address this issue:

  o Released versions 6.13.23, 7.4.11, 7.11.6, 7.12.5, and 7.13.0 which contain
    a fix for this issue.

What You Need to Do

Atlassian recommends that you upgrade to the latest Long Term Support release.
For a full description of the latest version, see the Confluence Server and
Data Center Release Notes. You can download the latest version from the
download centre.

If you are running an affected version, upgrade to version 7.13.0 (LTS) or
higher.

If you are running 6.13.x versions and cannot upgrade to 7.13.0 (LTS) then
upgrade to version 6.13.23.

If you are running 7.4.x versions and cannot upgrade to 7.13.0 (LTS) then
upgrade to version 7.4.11.

If you are running 7.11.x versions and cannot upgrade to 7.13.0 (LTS) then
upgrade to version 7.11.6.

If you are running 7.12.x versions and cannot upgrade to 7.13.0 (LTS) then
upgrade to version 7.12.5.

Mitigation

If you are unable to upgrade Confluence immediately, then as a temporary 
workaround, you can mitigate the issue by running the script below for the
Operating System that Confluence is hosted on.

Confluence Server or Data Center node running on a Linux-based operating system

If you run Confluence in a cluster, you will need to repeat this process on
each node. You don't need to shut down the whole cluster.

 1. Shut down Confluence.

 2. Download the cve-2021-26084-update.sh to the Confluence Linux Server.

 3. Edit the cve-2021-26084-update.sh file and set INSTALLATION_DIRECTORY to
    your Confluence installation directory, for example:

    INSTALLATION_DIRECTORY=/opt/atlassian/confluence

 4. Save the file.

 5. Give the script execute permission.

    chmod 700 cve-2021-26084-update.sh

 6. Change to the Linux user that owns the files in the Confluence Installation
    directory, for example:

    $ ls -l /opt/atlassian/confluence | grep bin
    drwxr-xr-x 3 root root 4096 Aug 18 17:07 bin

    # In this first example, we change to the 'root' user
    # to run the workaround script

    $ sudo su root

    $ ls -l /opt/atlassian/confluence | grep bin
    drwxr-xr-x 3 confluence confluence 4096 Aug 18 17:07 bin

    # In this second example, we need to change to the 'confluence' user
    # to run the workaround script

    $ sudo su confluence

 7. Run the workaround script.

    $ ./cve-2021-26084-update.sh

 8. The expected output should confirm up to five files updated and end with:

    Update completed!

    The number of files updated will differ, depending on your Confluence
    version.

 9. Restart Confluence.

Remember, if you run Confluence in a cluster, make sure you run this script on
all of your nodes.

Confluence Server or Data Center node running on Microsoft Windows

If you run Confluence in a cluster, you will need to repeat this process on
each node. You don't need to shut down the whole cluster.

 1. Shut down Confluence.

 2. Download the cve-2021-26084-update.ps1 to the Confluence Windows Server.

 3. Edit the cve-2021-26084-update.ps1 file and set the INSTALLATION_DIRECTORY.
    Replace Set_Your_Confluence_Install_Dir_Here with your Confluence
    installation directory, for example:

    $INSTALLATION_DIRECTORY='C:\Program Files\Atlassian\Confluence'

 4. Save the file.

 5. Open up a Windows PowerShell (use Run As Administrator).

 6. Due to PowerShell's default restrictive execution policy, run the
    PowerShell using this exact command:

    Get-Content .\cve-2021-26084-update.ps1 | powershell.exe -noprofile -

 7. The expected output should show the status of up to five files updated,
    encounter no errors (errors will usually show in red) and end with:

    Update completed!

    The number of files updated will differ, depending on your Confluence
    version.

 8. Restart Confluence.

Remember, if you run Confluence in a cluster, make sure you run this script on
all of your nodes.


Last modified on Sep 7, 2021

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================