CVE-2021-26084 is a vulnerability in Atlassian Confluence deployments across Windows and Linux. The flaw is critical, and has been exploited to deploy web shells causing the execution of cryptocurrency miners on vulnerable systems.
CVE-2021-26084: Critical Atlassian Confluence Vulnerability
According to Trend Micro’s Zero Day Initiative analysis, the issue is an Object-Graph Navigation Language (OGNL) injection in the Webwork module of Atlassian Confluence Server and Data Center. Remote attackers can exploit it by sending crafted HTTP requests carrying a malicious parameter to a vulnerable server, which can lead to arbitrary code execution “in the security context of the affected server.”
What Is Atlassian Confluence?
Atlassian Confluence is a collaboration platform written primarily in Java and running on a bundled Apache Tomcat application server. The platform helps users create content using spaces, pages, and blogs that other users can comment on and edit. By default, Confluence is accessible via HTTP on port 8090/TCP, Trend Micro noted.
As for the vulnerability, it resides in the Webwork module of Atlassian Confluence Server and Data Center. The issue stems from insufficient validation of user-supplied input, which causes the parser to evaluate rogue commands injected into OGNL expressions.
Earlier this month, U.S. Cyber Command issued alerts regarding mass exploitation of CVE-2021-26084, following the flaw’s public disclosure in August.
To detect this attack, affected parties should monitor all HTTP requests and flag those where the path component of the request-URI contains one of the strings listed in the “URI path” column of a table featured in the report.
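The detection described above, as an added example that is not from the report or from Atlassian: a small Python scanner that reads access-log lines in the common Tomcat/Apache format, isolates the decoded path component of each request-URI (ignoring the query string), and matches it against a watchlist. The watchlist entries and the log lines are constructed placeholders; the real strings come from the report’s “URI path” column.

```python
import re
from urllib.parse import unquote, urlsplit

# Placeholder watchlist (constructed for this example): replace with the
# strings from the "URI path" column of the Trend Micro / ZDI report.
WATCHED_URI_PATHS = [
    "/pages/placeholder-watched.action",
    "/placeholder-watched-endpoint",
]

# Common access-log line, e.g.
# 203.0.113.5 - - [01/Sep/2021:10:00:00 +0000] "POST /pages/x.action?a=b HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def path_component(target: str) -> str:
    """Return the percent-decoded path of a request-target, without query or fragment."""
    # urlsplit handles both origin-form ("/a/b?x=1") and absolute-form targets.
    path = urlsplit(target).path
    # Decode so that percent-encoded variants of a watched path still match.
    return unquote(path)

def matches_watchlist(target: str, watchlist=WATCHED_URI_PATHS) -> bool:
    """True if any watched string occurs in the path component (not the query)."""
    path = path_component(target)
    return any(watched in path for watched in watchlist)

def scan_access_log(lines, watchlist=WATCHED_URI_PATHS):
    """Return (source, timestamp, method, decoded path) for each matching request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        if matches_watchlist(m["target"], watchlist):
            hits.append((m["src"], m["ts"], m["method"], path_component(m["target"])))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Sep/2021:10:00:01 +0000] "GET /dashboard.action HTTP/1.1" 200 2048',
    '203.0.113.5 - - [01/Sep/2021:10:00:02 +0000] "POST /pages/placeholder-watched.action?SpaceKey=x HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Sep/2021:10:00:03 +0000] "POST /pages/placeholder%2Dwatched.action HTTP/1.1" 302 0',
    '198.51.100.9 - - [01/Sep/2021:10:00:04 +0000] "GET /search?q=/pages/placeholder-watched.action HTTP/1.1" 200 100',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

The fourth sample line is deliberately not reported: the watched string appears only in the query string, and the rule keys on the path component alone.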
In July, another critical flaw in the Atlassian platform, affecting multiple versions of its Jira Data Center and Jira Service Management Data Center products, was revealed. The software engineering platform is used by 180,000 customers, who were exposed to remote, unauthenticated attacks. The bug was tracked as CVE-2020-36239.