The Australian Cyber Security Centre (ACSC) has put out a warning for certain self-hosted versions of Atlassian Confluence which contain a vulnerability that allows attackers to execute arbitrary code and take control of servers.
According to Atlassian, which provided a warning of the exploit on 26 August after it was identified by Benny Jacob through the enterprise software vendor’s public bug bounty program, both Confluence Server and Data Centre are affected by the CVE-2021-26084 vulnerability.
Specifically, the versions before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5 are all affected.
The exploit operates via an Object Graph Navigation Library (OGNL) vulnerability that allows authenticated users, as well as unauthenticated users in some instances, to execute arbitrary code on a Confluence Server or Data Centre instance.
The ACSC flagged this vulnerability with a high alert level and said it can lead to attackers gaining full control of vulnerable servers. It also said it is aware of scanning and attempted exploitation of the vulnerability.
Meanwhile, users who have upgraded to versions 6.13.23, 7.11.6, 7.12.5, 7.13.0, and 7.4.11 are not affected, as the vulnerability has been fixed in these versions. Confluence Cloud users are also unaffected.
“Australian organisations who self-host Atlassian Confluence should identify any internet-facing instances of Confluence as a priority,” the ACSC said. “Internal instances of Confluence should also be identified.”
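The version ranges quoted above and the ACSC's advice to inventory internet-facing instances first translate directly into a triage check. The script below is an added example, not Atlassian's or the ACSC's code: it parses a Confluence version string (as shown on the login page footer or in the admin area), classifies it against the CVE-2021-26084 ranges stated in the advisory, and orders a constructed instance inventory so that affected internet-facing hosts come first. The `host`, `version` and `internet_facing` fields and the sample inventory are constructed for illustration.

```python
"""Triage helper for CVE-2021-26084 (Confluence Server / Data Centre).

Added example, not code from Atlassian or the ACSC. The affected ranges are
the ones quoted in the advisory; the inventory records are constructed.
"""
from __future__ import annotations

import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# (inclusive lower bound, or None for "every version below"; exclusive upper bound)
AFFECTED_RANGES: List[Tuple[Optional[Version], Version]] = [
    (None, (6, 13, 23)),          # all versions before 6.13.23
    ((6, 14, 0), (7, 4, 11)),     # 6.14.0 up to but not including 7.4.11
    ((7, 5, 0), (7, 11, 6)),      # 7.5.0 up to but not including 7.11.6
    ((7, 12, 0), (7, 12, 5)),     # 7.12.0 up to but not including 7.12.5
]

# Releases the advisory names as containing the fix.
FIXED_VERSIONS = {(6, 13, 23), (7, 4, 11), (7, 11, 6), (7, 12, 5), (7, 13, 0)}


def parse_version(text: str) -> Version:
    """Pull the first dotted numeric version out of free text such as
    '7.12.4' or 'Confluence 7.4.9 (build 8401)'.  Short forms like '7.13'
    are padded to three components so they compare like '7.13.0'."""
    m = re.search(r"\b(\d+(?:\.\d+)+)\b", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts)) if len(parts) < 3 else parts


def is_affected(version: str) -> bool:
    """True if the version falls inside any of the advisory's affected ranges.
    Tuple comparison gives correct ordering (7.4.9 < 7.4.11, unlike strings)."""
    v = parse_version(version)
    for lower, upper in AFFECTED_RANGES:
        if (lower is None or v >= lower) and v < upper:
            return True
    return False


def triage(version: str) -> str:
    """One-line verdict for a version string."""
    if is_affected(version):
        return "AFFECTED: upgrade to a fixed release"
    if parse_version(version) in FIXED_VERSIONS:
        return "fixed release"
    return "not in a listed affected range"


def prioritise(inventory: List[Dict]) -> List[Dict]:
    """Return only the affected instances, internet-facing ones first,
    each annotated with its verdict.  Records are constructed dicts with
    'host', 'version' and 'internet_facing' keys (hypothetical schema)."""
    annotated = [{**rec, "verdict": triage(rec["version"])} for rec in inventory]
    affected = [r for r in annotated if r["verdict"].startswith("AFFECTED")]
    # sorted() is stable, so internal hosts keep their inventory order after
    # the internet-facing ones.
    return sorted(affected, key=lambda r: not r["internet_facing"])


# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = [
    {"host": "wiki-int-1", "version": "7.4.10", "internet_facing": False},
    {"host": "wiki-ext", "version": "Confluence 7.11.5 (build 8703)", "internet_facing": True},
    {"host": "wiki-lts", "version": "7.13.0", "internet_facing": True},
    {"host": "wiki-old", "version": "6.13.22", "internet_facing": False},
    {"host": "wiki-odd", "version": "7.4.12", "internet_facing": True},
]

if __name__ == "__main__":
    for rec in prioritise(SAMPLE_INVENTORY):
        facing = "internet-facing" if rec["internet_facing"] else "internal"
        print(f"{rec['host']:<12} {rec['version']:<32} {facing:<16} {rec['verdict']}")
```

Running the script lists `wiki-ext` first, then the two affected internal hosts; `wiki-lts` (7.13.0) and `wiki-odd` (7.4.12) are outside every listed range and are omitted. Feed it the version strings collected from your own instance list to get the same ordering for real hosts.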
To close the vulnerability, Atlassian recommended that users upgrade to the latest Long Term Support release.
If Confluence cannot be upgraded, the enterprise software vendor also provided temporary mitigation scripts for Confluence Servers and Data Centre Nodes running Microsoft Windows or Linux-based operating systems.
The exploitation of CVE-2021-26084 comes months after the vendor began emailing enterprise customers to patch CVE-2020-36239, a critical JIRA Data Center vulnerability that also enables remote attackers to execute arbitrary code on vulnerable servers, according to Bleeping Computer.