ALERT: Apply update for Confluence Server and Data Center vulnerability

09/03/2021

The information below was sent to U-M IT groups on September 3, 2021. It is intended for U-M IT staff who are responsible for university servers running Atlassian Confluence Server and Data Center.

Summary

A vulnerability has been discovered in Confluence Server and Data Center that allows remote code execution. Code runs with the privileges of the account the Confluence service runs under, so an attacker could view, change, or delete data on the instance. Widespread exploitation is already occurring and is expected to increase quickly.

Problem

An OGNL injection allows an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. Unauthenticated users can reach the vulnerable endpoints only if “Allow people to sign up to create their account” is enabled; any authenticated non-administrator user can reach them regardless of that setting, so disabling sign-up reduces exposure but is not a substitute for patching.

Affected Versions

  • Confluence Server and Data Center all versions prior to 6.13.23

  • Confluence Server and Data Center versions from 6.14.0 prior to 7.4.11

  • Confluence Server and Data Center versions from 7.5.0 prior to 7.11.6

  • Confluence Server and Data Center versions 7.12.x prior to 7.12.5
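The version ranges above have gaps (for example, 6.13.23 and later in the 6.13 branch are fixed, but 6.14.0 is affected), so a naive "is it older than 7.12.5" check gets the answer wrong. The following is an added example, not part of the original alert or of any Atlassian tooling, that encodes the ranges exactly as listed and compares parsed version tuples against them. The detect_version helper assumes the ajs-version-number meta tag that Confluence pages carry; the HTML it is run against here is a constructed sample.

```python
import re

# Each affected range from the advisory as [first affected, first fixed),
# expressed as (major, minor, patch) tuples. The first entry covers
# "all versions prior to 6.13.23".
VULNERABLE_RANGES = [
    ((0, 0, 0), (6, 13, 23)),    # everything before 6.13.23
    ((6, 14, 0), (7, 4, 11)),    # 6.14.0 up to but not including 7.4.11
    ((7, 5, 0), (7, 11, 6)),     # 7.5.0 up to but not including 7.11.6
    ((7, 12, 0), (7, 12, 5)),    # 7.12.x before 7.12.5
]


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH' (optionally with a trailing suffix such as
    '-beta1') into a tuple of ints. Missing components are treated as 0,
    so '7.12' compares as 7.12.0."""
    m = re.match(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) if part is not None else 0 for part in m.groups())


def is_vulnerable(version):
    """True if the version falls inside any affected range from the advisory.
    Versions outside every range (e.g. 7.4.12, 7.11.7, 7.13.0) are fixed."""
    v = parse_version(version)
    return any(low <= v < high for low, high in VULNERABLE_RANGES)


def detect_version(html):
    """Pull the version out of the ajs-version-number meta tag that Confluence
    emits on its pages (assumption: the tag is present and unmodified).
    Returns None if the tag is not found."""
    m = re.search(r'<meta\s+name="ajs-version-number"\s+content="([^"]+)"', html)
    return m.group(1) if m else None


# Constructed sample of the relevant fragment of a Confluence login page.
SAMPLE_LOGIN_HTML = """<html><head>
<meta name="ajs-version-number" content="7.12.4">
<title>Log In - Confluence</title>
</head><body></body></html>"""


if __name__ == "__main__":
    found = detect_version(SAMPLE_LOGIN_HTML)
    print(f"detected version {found}: vulnerable={is_vulnerable(found)}")
    for candidate in ["5.9.1", "6.13.22", "6.13.23", "6.14.0", "7.4.11",
                      "7.4.12", "7.5.0", "7.11.6", "7.12.4", "7.12.5", "7.13.0"]:
        print(f"{candidate:>8}: {'VULNERABLE' if is_vulnerable(candidate) else 'fixed'}")
```

In practice, run detect_version against the HTML of each instance's login page (or read the version from the instance's own admin pages) and feed the result to is_vulnerable; any instance reported as vulnerable should be patched and then examined for prior compromise, since an update does not evict an attacker who already gained access.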

Action Items

  • Apply appropriate patches provided by Atlassian to vulnerable systems immediately.

  • If you are responsible for a Confluence instance that stores or processes sensitive data, please contact security@umich.edu as soon as possible.

  • Thoroughly examine systems running Confluence that accept connections from the internet; they may already have been compromised. Applying the update closes the vulnerability but does not remove any access an attacker gained before the patch.

  • Contact security@umich.edu if there is any reason to believe that a Confluence instance has been compromised.

Threats

US Cyber Command has reported mass exploitation of CVE-2021-26084 and anticipates accelerated attack volume.

Technical Details

Please see the Confluence Security Advisory for technical details of this vulnerability.

How We Protect U-M

  • ITS IA works closely with others in Information Technology Services (ITS) and U-M units to ensure timely patching of systems. MiWorkspace, MiServer, and other ITS-managed systems and devices are updated as soon as possible after appropriate testing.

  • ITS IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation.

  • ITS IA provides vulnerability management guidance to the university.

Information for Users

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.

Questions, Concerns, Reports

Please contact ITS Information Assurance through the ITS Service Center.
