Well, I’m working on this video late. I had every intention of writing it last night, but something came up.
So this article is running a bit behind. However, this is an important topic today. A few weeks ago, Atlassian published a security advisory for a Confluence vulnerability that had been discovered and patched, with instructions to update as soon as possible.
These things happen, and while I updated my instances, I didn’t pay too much attention. That was until this past Friday when the U.S. Cyber Command posted a notification about this exploit being used in the wild.
So let’s change pace and look at Confluence, what this vulnerability is, and what you can do to ensure your instance is as safe as possible.
What is this?
If you haven’t heard, on August 25th, Atlassian released a Confluence Security Advisory outlining CVE-2021-26084. This vulnerability allows a remote attacker to run code on your Confluence Server or Data Center system without authenticating. So basically, if an attacker has web access to your system, it’s now their system.
To be clear, a Remote Code Execution vulnerability is pretty much what it says. It allows an attacker to run whatever they want on your system – relatively unchecked. Initially, they will be limited to what the Confluence user on that system can do, but they can then use that foothold to exploit other vulnerabilities and escalate their privileges. Once they do that, they can change passwords or set up an account and log in as usual. It’s the hacker equivalent of smashing a side window to unlock the front door.
I wanted to confirm how bad this is, so I had a friend who works in SecOps review the CVE, and he pulled no punches. This exploit is about as bad as it gets. To use his words, “That is an incredibly simple remote code execution.” Not the words you want to hear for a system that could hold all of your company’s documentation.
To make matters worse, it looks like hackers are scanning and exploiting systems using this vulnerability en masse.
However, don’t feel completely safe just because your Confluence system is inside a firewall. Once an attacker is inside the network, they can easily use this kind of exploit to “pivot” – that is, move from one system to another. Looking at how the vulnerability works, I can imagine something like a Bad USB or Rubber Ducky easily being used to get within a network.
So I hope I’ve expressed that this is not a situation to play around with. I will discuss what you can do to protect yourself in a moment, but first, I want to cover how to know if your system has this vulnerability.
First off, if you are on Confluence Cloud, you are safe. This exploit only affects Confluence Server and Data Center.
That being said, the vast majority of Data Center and Server versions are affected. To quote Atlassian:
- All 4.x.x versions
- All 5.x.x versions
- All 6.0.x versions
- All 6.1.x versions
- All 6.2.x versions
- All 6.3.x versions
- All 6.4.x versions
- All 6.5.x versions
- All 6.6.x versions
- All 6.7.x versions
- All 6.8.x versions
- All 6.9.x versions
- All 6.10.x versions
- All 6.11.x versions
- All 6.12.x versions
- All 6.13.x versions before 6.13.23
- All 6.14.x versions
- All 6.15.x versions
- All 7.0.x versions
- All 7.1.x versions
- All 7.2.x versions
- All 7.3.x versions
- All 7.4.x versions before 7.4.11
- All 7.5.x versions
- All 7.6.x versions
- All 7.7.x versions
- All 7.8.x versions
- All 7.9.x versions
- All 7.10.x versions
- All 7.11.x versions before 7.11.6
- All 7.12.x versions before 7.12.5
That…is not a small list. And I think that is what makes it so scary. Unless you are on one of the latest updates, you’re going to have a problem.
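To make that list easier to act on, here is an added example (my own code, not part of the original post and not from Atlassian) that encodes the affected ranges exactly as quoted above and checks a version string against them. It assumes a plain Confluence Server or Data Center version string such as `7.12.4`; Confluence Cloud is out of scope, and any branch not on the quoted list (for example 7.13.x) is reported as not affected simply because the advisory text above does not list it. The inventory at the bottom is constructed sample data.

```python
import re
from typing import Dict, Tuple

# Branches where every release is affected, per the advisory list quoted above.
_ALL_AFFECTED_MAJORS = {4, 5}  # "All 4.x.x versions", "All 5.x.x versions"
_ALL_AFFECTED_BRANCHES = (
    {(6, m) for m in (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 14, 15)}
    | {(7, m) for m in (0, 1, 2, 3, 5, 6, 7, 8, 9, 10)}
)

# Branches where only releases *before* a given patch level are affected.
_FIXED_IN_BRANCH = {
    (6, 13): 23,  # "All 6.13.x versions before 6.13.23"
    (7, 4): 11,   # "All 7.4.x versions before 7.4.11"
    (7, 11): 6,   # "All 7.11.x versions before 7.11.6"
    (7, 12): 5,   # "All 7.12.x versions before 7.12.5"
}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'major.minor[.patch]'; a trailing suffix such as '-rc1' is ignored."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?.*", version)
    if not m:
        raise ValueError(f"unrecognised Confluence version: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected(version: str) -> bool:
    """True if the version falls inside the advisory's affected ranges."""
    major, minor, patch = parse_version(version)
    if major in _ALL_AFFECTED_MAJORS:
        return True
    if (major, minor) in _ALL_AFFECTED_BRANCHES:
        return True
    fixed_patch = _FIXED_IN_BRANCH.get((major, minor))
    if fixed_patch is not None:
        return patch < fixed_patch
    # Anything else (e.g. 7.13.x) is not on the list quoted above.
    return False


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Return only the instances whose version still needs an upgrade or the mitigation."""
    return {name: ver for name, ver in inventory.items() if is_affected(ver)}


# Constructed sample inventory (hypothetical instance names and versions).
SAMPLE_INVENTORY = {
    "wiki-prod": "7.4.9",
    "wiki-staging": "7.12.5",
    "wiki-legacy": "6.13.22",
    "wiki-new": "7.13.0",
}

if __name__ == "__main__":
    for name, ver in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {ver} is affected by CVE-2021-26084")
```

Run it against your own instance list (the version is shown in the Confluence admin console under System Information) and every instance it prints still needs either the upgrade or the stopgap script discussed below.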
What can I do to protect myself?
So we’ve established that yes, this is a problem, and also established who is affected. So now we come to the part you want to know: what can I do about it?
When the advisory was published, Atlassian already had several fixed versions available. I very much encourage you to upgrade to one of these versions as soon as possible:
I should stress this is the best solution. However, upgrades are messy, time-consuming, and not always something you can turn around quickly. Meanwhile, this exploit is being used. What do you do then?
Thankfully, Atlassian had the foresight to prepare for this and has provided a couple of scripts (one for Linux, one for Windows) that will fix this vulnerability in place. However, I should note that this is a stopgap, and you should still work to upgrade as soon as possible. If you need to run these scripts, you can find detailed instructions in the Security Advisory.
Well, that’s it for this week.
I know today’s post is shorter than most, but you can thank thunderstorms for that. However, I feel this is important for you to be aware of, so I wanted to let you know.
As always, you can find my social media links on my Linktree, where I post events, updates, and news from around the Atlassian Community. You can also subscribe below to get new posts delivered directly to your inbox!
Also, as a reminder, we have JiraCon’21 coming up in just under a month, where I will be talking about why I feel a career as an Atlassian Admin is still a great choice and what you can do to future-proof your career. As a special bonus, the first 15 people to use code TheJiraGuy15 at checkout will get 30% off their JiraCon admission. You can sign up at http://jiracon.trundl.com, and I will see you there!
But until next time, my name is Rodney, asking, “Have you updated your Jira issues today?”