Skip to content
The New Era of Internet Exposure: What It Means for Security Teams | Stream Now
Blog

CVE-2021-26084: Confluenza

Share

September 26, 2021

Introduction

Confluence is a widely deployed Wiki service used primarily in collaborative corporate environments. It has become the defacto standard for enterprise documentation over the last decade and is developed and licensed by Atlassian Corporation. While the majority of users run the managed service, many companies opt to deploy the software on-prem.

What is the Issue?

On August 25th, a vulnerability in Atlassian’s Confluence software was made public. A security researcher named SnowyOwl (Benny Jacob) found that an unauthenticated user could run arbitrary code by targetting HTML fields interpreted and rendered by the Object-Graph Navigation Language (OGNL). Yes, that is the same class of vulnerability used in the Equifax breach back in 2017.

The good news is that there were sanity checks in place to make sure that haxors couldn’t execute malicious code. The bad news is that those checks did not correctly escape Unicode encoded characters, and the statically defined denylist of “unwanted” code definitions was not enough. With a bit of elbow grease and time, SnowyOwl was able to break through all the Confluence defenses and handed us all this hot mess. Thanks, SnowyOwl.

“12,876 individual IPv4 hosts are running an exploitable version”

Just days before this vulnerability was made public, our historical data showed that the internet had over 14,637 exposed and vulnerable Confluence servers. Compare that to the current day, September 1st, where Censys identified 14,701 services that self-identified as a Confluence server, and of those, 13,596 ports and 12,876 individual IPv4 hosts are running an exploitable version of the software.

Censys was able to identify these vulnerable Confluence servers using a few data points found in the HTTP response from a running server:

  • The existence of an X-Confluence-Request-Time response header.
  • The value of the HTML meta tag: ajs-version-number

Curl output:

$ curl -v 'localhost:8090/login.action' 
* Connected to localhost (::1) port 8090 (#0)
> GET /login.action HTTP/1.1
> Host: localhost:8090
> User-Agent: curl/7.74.0
> Accept: */*
> 
< HTTP/1.1 200 
< Cache-Control: no-store
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< X-Confluence-Request-Time: 1630540011363
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< Content-Security-Policy: frame-ancestors 'self'
< X-Accel-Buffering: no
< Content-Type: text/html;charset=UTF-8
< Transfer-Encoding: chunked
< Date: Wed, 01 Sep 2021 23:46:51 GMT
​
.... snip ....
​
<meta name="ajs-use-keyboard-shortcuts" content="true">
<meta name="ajs-discovered-plugin-features" content="$discoveredList">
<meta name="ajs-keyboardshortcut-hash" content="14df3a3aac8b39c774b75ab7150d0558">
<meta name="ajs-team-calendars-display-time-format" content="displayTimeFormat12">
<meta name="ajs-is-confluence-admin" content="false">
<meta name="ajs-connection-timeout" content="10000">
<meta name="ajs-context-path" content="">
<meta name="ajs-base-url" content="http://localhost:8090">
<meta name="ajs-version-number" content="7.13.0">
<meta name="ajs-build-number" content="8703">
<meta name="ajs-remote-user" content="">
<meta name="ajs-remote-user-key" content="">

As news of this vulnerability spreads, Censys has seen little movement in remediating this vulnerability on a global scale. Since the public release of the exposure, only 1,041 instances have seen a version change to a non-vulnerable version. Below is a graph displaying the number of vulnerable instances by date.

Are we fully patched yet?

Atlassian, the owners of the Confluence software, have done a bang-up job detailing each specific version that is vulnerable to this exploit on their website. Below is a table that supplements Atlassian’s vulnerable-version table with a count of services Censys has identified.

Affected Versions Count
All 4.x.x versions 69
All 5.x.x versions 626
All 6.0.x versions 70
All 6.1.x versions 44
All 6.2.x versions 50
All 6.3.x versions 200
All 6.4.x versions 102
All 6.5.x versions 20
All 6.6.x versions 92
All 6.7.x versions 231
All 6.8.x versions 101
All 6.9.x versions 149
All 6.10.x versions 73
All 6.11.x versions 39
All 6.12.x versions 128
All 6.13.x versions before 6.13.23 541
All 6.14.x versions 266
All 6.15.x versions 2351
All 7.0.x versions 448
All 7.1.x versions 388
All 7.2.x versions 623
All 7.3.x versions 844
All 7.4.x versions before 7.4.11 2419
All 7.5.x versions 375
All 7.6.x versions 370
All 7.7.x versions 308
All 7.8.x versions 341
All 7.9.x versions 409
All 7.10.x versions 402
All 7.11.x versions before 7.11.6 515
All 7.12.x versions before 7.12.5 947

Update: 09-03-2021

Mass exploitation of this vulnerability is currently underway.

Over the last few days, Censys has seen a small shift in the number of vulnerable servers still running on the public internet. On August 31st, Censys identified 13,596 vulnerable Confluence instances, while on September 02, that number has decreased to 11,689 vulnerable instances.


Update: 09-05-2021

Over the last few days, Censys observed the number of vulnerable Confluence instances drop from 11,689 to 8,597 – a 3,092 difference since September 02, and a total of 5,965 since the vulnerability was made public on August 25th.

Update: 09-08-2021

The last sweep Censys conducted found that 8,119 vulnerable Confluence services are still running – a difference of 478. The following table is the top ten vulnerable versions that Censys was able to identify.

Version Count
6.15.2 330
7.4.0 286
6.15.4 271
7.4.6 235
7.2.0 194
7.4.8 186
6.15.9 179
6.7.1 174
7.9.3 160
6.15.7 157

Below is a geographical heatmap showing the (estimated) location of vulnerable Confluence services Censys has found over the last 24 hours.

Why does it matter?

An attacker can leverage this vulnerability to execute any command with the same permissions as the user-id running the service. An attacker can then use this access to gain elevated administrative permissions if the host has unpatched local vulnerabilities.

There is no way to put this lightly: this is bad. Initially, Atlassian stated this was only exploitable if a user had a valid account on the system; this was found to be incorrect and the advisory was updated today to reflect the new information. It’s only a matter of time before we start seeing active exploitation in the wild as there have already been working exploits found scattered about.

What do I do about it?

Since a mass-exploitation event is ongoing, Censys has decided to release a search query for finding open Confluence services. Readers should note that the results returned by public search will include both patched and unpatched services:

  • Censys ASM customers have been notified via email for any hosts that have been identified as vulnerable.
  • Follow the instructions on Atlassian’s webpage about this vulnerability.
  • Upgrade to version 7.13.0 (LTS) or higher.
    • For 6.13.x versions which cannot be upgraded to 7.13.0, upgrade to version 6.13.23
    • For 7.4.x versions which cannot be upgraded to 7.13.0, upgrade to version 7.4.11
    • For 7.11.x versions which cannot be upgraded to 7.13.0, upgrade to version 7.11.6
    • For 7.12.x versions which cannot be upgraded to 7.13.0, upgrade to version 7.12.5
  • If you are unable to upgrade to any of the prior versions, Atlassian has created a script that attempts to mitigate the issue:


Known Exploits

References

Please feel free to email [email protected] with any questions.

About the Author
Mark Ellzey
Senior Security Researcher All posts by Mark Ellzey
Mark Ellzey is a Senior Security Researcher at Censys. Before his current role, Mark has worked as both a network security engineer and software developer for several internet service providers and financial institutions for over 22 years.
Attack Surface Management Solutions
Learn more