Posted on September 6, 2021 at 4:23 PM
US Cybercom has revealed that a critical vulnerability in Atlassian's Confluence Server software is now under attack. The vulnerability, tracked as CVE-2021-26084, was disclosed last week. The vendor considers the remote code execution bug a major security risk, as it is rated 9.8 on the CVSS scale.
US Cybercom says exploitation of the vulnerability could become far more widespread. "Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate," US Cybercom stated. Leaders have also confirmed that they have seen exploitation going on globally.
As a result, US Cybercom has warned IT teams in a public notice regarding the exploitation. It advised users to apply the patch for the vulnerability as soon as possible to avoid becoming a victim of the exploitation.
The Bug Is Discovered In Old Versions Of The Confluence Server
An advisory about the vulnerability was released by Atlassian on August 25. The vendor explained that the vulnerability, with high severity, was discovered in some versions of the Confluence Server and Data Center.
The vendor warned that an OGNL injection flaw could enable an authenticated or unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance.
It added that all versions of Confluence Server and Data Center released before the fix are vulnerable to exploitation.
The vendor further added that if users cannot update to a fixed version, a workaround is available.
According to the Atlassian security team, affected users can protect themselves from the exploit by running the provided script on the operating system that hosts Confluence. The bug does not affect cloud-hosted Confluence sites.
Security Firms Warn About The Severity Of The Vulnerability
Several security researchers have shown how threat actors can exploit the vulnerability, releasing proof-of-concept code demonstrating how it is possible.
In a blog post, security firm Censys stated that its researchers had observed a slight increase in the number of vulnerable instances running on the public internet.
Censys stated that it identified about 13,500 vulnerable Confluence instances on August 31. Two days later, the number of vulnerable Confluence instances had decreased to 11,689.
The firm stated that many companies still choose to deploy the software on-prem, even though most users run the managed service.
Security firm Bad Packets stated that it detected mass scanning and exploitation attempts from hosts in the US, Russia, Hong Kong, Brazil, Nepal, and Romania. According to the researchers, the exploit activity was targeting Atlassian Confluence servers vulnerable to remote code execution.
The security researchers acknowledged that the vulnerability is critical and that it will become a serious problem once threat actors automate scanning for exploitable servers.
They added that, given the way Atlassian Confluence is typically deployed, there is a strong likelihood that the affected components are already exposed to the internet.
That makes it even more worrisome, as threat actors no longer need internal network access to exploit the RCE vulnerability.
They urged administrators to deploy the available patch as soon as possible, while also considering other mitigations such as ensuring the Confluence server is not publicly accessible.
The vendor has not publicly released details of the exploit, since doing so would give threat actors the information they need to attack servers. With cybercriminals already scanning for the vulnerability and launching attacks on exposed systems, organizations have been asked to harden their defenses and do everything they can to prevent exploitation of their servers.
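Since the flaw is an OGNL injection reached over HTTP, one practical triage step for administrators is to review web-server access logs for request targets that carry OGNL expression delimiters once URL encoding (including double encoding) is stripped. The script below is an added example written for this article, not code from Atlassian or any of the firms quoted; the log lines, addresses and paths in it are constructed, and it assumes a combined-log-format access log.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed access-log lines in combined log format (not real traffic).
# Addresses and paths are made-up. Requests 2 and 3 carry OGNL expression
# delimiters ("${" / "#{") in the query string, single- and double-URL-encoded;
# request 4 carries a harmless "$" that must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Sep/2021:10:11:12 +0000] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Sep/2021:10:11:13 +0000] "GET /pages/example.action?q=%24%7Bsomething%7D HTTP/1.1" 302 0 "-" "python-requests/2.25"
198.51.100.7 - - [03/Sep/2021:10:11:14 +0000] "POST /pages/example.action?q=%2523%257Bsomething%257D HTTP/1.1" 302 0 "-" "python-requests/2.25"
203.0.113.9 - - [03/Sep/2021:10:12:00 +0000] "GET /display/DOC/Pricing?price=%24100 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# OGNL expression delimiters as they appear once URL encoding is removed.
OGNL_RE = re.compile(r'[$#%]\{')

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded requests are not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_ognl_attempts(log_text):
    """Return one record per request whose decoded target contains an OGNL delimiter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        src, ts, method, target, status = m.groups()
        decoded = decode_fully(target)
        if OGNL_RE.search(decoded):
            hits.append({"src": src, "time": ts, "method": method,
                         "target": target, "decoded": decoded, "status": int(status)})
    return hits

def count_by_source(hits):
    """Aggregate flagged requests per source address to spot scanning hosts."""
    return Counter(h["src"] for h in hits)

if __name__ == "__main__":
    flagged = find_ognl_attempts(SAMPLE_LOG)
    for h in flagged:
        print(h["src"], h["method"], h["decoded"], h["status"])
    print(count_by_source(flagged))
```

A hit is a lead for review, not proof of compromise; check the response status and what the server did next, and treat any source with repeated hits as a scanner.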
A Growing List Of Critical Vulnerabilities
The latest Confluence vulnerability has added to other vulnerabilities that have been exploited this year. As it stands, the level of successful exploitation of vulnerabilities has grown considerably as hackers intensify their efforts to compromise systems.
Atlassian initially stated that the vulnerability could be exploited only by a user with an active account on the system. That statement has since been found to be incorrect by the vendor and other researchers. The advisory has been updated with information about the patch and other preventive measures organizations can take.