Alert Logic® is actively investigating a new OGNL injection vulnerability, CVE-2021-26084, in the Confluence Server and Data Center. This vulnerability allows both authenticated and unauthenticated users to execute arbitrary code on a Confluence Server or Data Center instance.
It is recommended for customers running versions outside of versions 6.13.23, 7.11.6, 7.12.5, 7.13.0, or 7.4.11 to upgrade to the listed versions. For more information about mitigation, refer to the Recommendations for Mitigation section in this article.
CVE-2021-26084 impacts users of the on-premises version of Confluence Server (Confluence Cloud customers are not affected). This vulnerability allows authenticated and unauthenticated users to gain full remote code execution. Atlassian has rated the severity level of this vulnerability as critical.
For more information, refer to the security advisory from Atlassian.
Alert Logic Coverage
Vulnerability Scanning: Alert Logic has released unauthenticated scan coverage to identify this vulnerability in protected assets.
Network IDS: Alert Logic has released IDS signatures to detect attacks targeted at exploiting this vulnerability. Exploit attempts for this vulnerability have been caught successfully in existing detection logic and have been generating incidents. Alert Logic is working to determine any variations that may occur and produce new logic, specific to this vulnerability, which would catch current and future variations.
Web Application Firewall: Alert Logic web application firewall signatures will detect attacks targeted at exploiting CVE-2021-26084. If the Alert Logic inline web application firewall is in Protect mode, it will also block these attacks. For customers running their WAF in Detect mode, a virtual patch specifically detecting this attack has also been released. The virtual patch can block this attack regardless of the WAF operating mode.
Log Management: At this time, it is not expected that log detection is appropriate for this threat; however, Alert Logic will continue this assessment.
Recommendations for Mitigation
Atlassian has released updates to remediate this vulnerability. It is recommended to apply updates to affected versions as soon as possible. The updates are available in the Confluence Server and Data Center Download Archives.
- If you are running an affected version, upgrade to version 7.13.0 (Long Term Support) or higher.
- If you are running 13.x versions and cannot upgrade to 7.13.0 (LTS), then upgrade to version 6.13.23.
- If you are running 4.x versions and cannot upgrade to 7.13.0 (LTS), then upgrade to version 7.4.11.
- If you are running 11.x versions and cannot upgrade to 7.13.0 (LTS), then upgrade to version 7.11.6.
- If you are running 12.x versions and cannot upgrade to 7.13.0 (LTS), then upgrade to version 7.12.5.
If you are not able to immediately apply an update, a workaround is also available in Atlassian’s security advisory under ‘Mitigation.’
This section will be updated with new information about this vulnerability and related Alert Logic coverage as it becomes available. To follow updates for this vulnerability, click FOLLOW at the top of this article. You must be signed into the Support Center using your Alert Logic product credentials to follow this article.