The information below was sent to U-M IT groups on September 3, 2021. It is intended for U-M IT staff who are responsible for university servers running Atlassian Confluence Server and Data Center.
Summary
A vulnerability has been discovered in Confluence Server and Data Center that could allow for remote code execution. Depending on the privileges associated with the instance, an attacker could view, change, or delete data. Widespread exploitation is known to be occurring, and is expected to increase quickly.
Problem
An OGNL injection could allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. The vulnerable endpoints can only be accessed if “Allow people to sign up to create their account” is enabled.
Affected Versions
-
Confluence Server and Data Center all versions prior to 6.13.23
-
Confluence Server and Data Center versions from 6.14.0 prior to 7.4.11
-
Confluence Server and Data Center versions from 7.5.0 prior to 7.11.6
-
Confluence Server and Data Center versions 7.12.x prior to 7.12.5
Action Items
-
Apply appropriate patches provided by Atlassian to vulnerable systems immediately.
-
If you are responsible for a Confluence instance that stores or processes sensitive data, please contact security@umich.edu as soon as possible.
-
Thoroughly examine systems running Confluence that allow connections from the internet — they may already be compromised.
-
Contact security@umich.edu if there is any reason to believe that a Confluence instance has been compromised.
Threats
US Cyber Command has reported mass exploitation of CVE-2021-26084 and anticipates accelerated attack volume.
Technical Details
Please see the Confluence Security Advisory for technical details of this vulnerability.
How We Protect U-M
-
ITS IA works closely with others in Information Technology Services (ITS) and U-M units to ensure timely patching of systems. MiWorkspace, MiServer, and other ITS-managed systems and devices are updated as soon as possible after appropriate testing.
-
ITS IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation.
-
ITS IA provides vulnerability management guidance to the university.
Information for Users
In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.
Questions, Concerns, Reports
Please contact ITS Information Assurance through the ITS Service Center.
References
-
Confluence Security Advisory - 2021-08-25, Atlassian, 8/26/21
-
CVE-2021-26084 Detail, National Vulnerability Database, 8/30/21
-
CVE-2021-26084, The MITRE Corporation, 9/3/21
-
Attackers are attempting to exploit recently patched Atlassian Confluence CVE-2021-26084 RCE, Security Affairs, 9/2/21