[BreachExchange] Recently Patched Confluence Vulnerability Abused in the Wild

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Fri Sep 3 08:35:20 EDT 2021


https://www.ehackingnews.com/2021/09/recently-patched-confluence.html

A significant vulnerability in Confluence's team collaboration server
software is under active exploitation barely a week after the vendor
released a patch.

Threat actors were found abusing the major vulnerability tracked as
CVE-2021-26084, which affects Confluence Server and Confluence Data Center,
the self-hosted editions that organizations deploy for project management,
wikis, and team communication.

The vulnerability lies in OGNL (Object-Graph Navigation Language), a
simple scripting language for interfacing with Java code, the
fundamental technology on which most Confluence software is built.

When Atlassian, the firm that owns the Confluence software family,
released the fix on August 25, it stated that the vulnerability could be
used by threat actors to bypass authentication and inject malicious OGNL
expressions that allow attackers to take control of the system.

As a result, the vulnerability received a severity rating of 9.8 out of
10, indicating that it can be exploited remotely over the internet and
that building a weaponized exploit would be relatively simple.
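Because the flaw is an OGNL expression injection reached over HTTP, one practical triage step for defenders is to scan Confluence access logs for request parameters that, once fully URL-decoded, contain OGNL expression syntax. The following is an added example, not code from the article or from Atlassian; the log lines are constructed, and the marker patterns are generic OGNL syntax (`%{`, `${`, `#{`, `@class@member`) rather than anything specific to this CVE, so a hit means "look closer", not "confirmed exploitation".

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Generic OGNL expression markers: %{...}, ${...}, #{...} and the @class@member
# static-reference syntax. These are syntax features, not a CVE-specific signature.
OGNL_MARKERS = re.compile(r"[%$#]\{|@[\w.]+@")

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample entries (not real traffic): one benign page view, one
# single-encoded %{...} expression, one double-encoded #{...} expression.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Sep/2021:10:01:12 +0000] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Sep/2021:10:02:44 +0000] "POST /example.action?param=%25%7B1%2B1%7D HTTP/1.1" 302 0 "-" "python-requests/2.26"
203.0.113.9 - - [02/Sep/2021:10:02:45 +0000] "GET /example.action?param=%2523%257Bx%257D HTTP/1.1" 200 800 "-" "curl/7.68"
"""


def normalize(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded input (%2525...) is unmasked."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def ognl_findings(log_text: str) -> list[dict]:
    """Return one finding per query parameter whose decoded value contains OGNL syntax.

    Only the URL query string is visible in an access log; POST bodies are not,
    so this is a partial view and should be paired with application-level logging.
    """
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        client = line.split(" ", 1)[0]
        parts = urlsplit(m.group("target"))
        # parse_qsl splits on & and = first, then decodes once; normalize() handles further layers.
        for name, raw in parse_qsl(parts.query, keep_blank_values=True):
            value = normalize(raw)
            if OGNL_MARKERS.search(value):
                findings.append({"line": lineno, "client": client, "path": parts.path,
                                 "param": name, "value": value})
    return findings


if __name__ == "__main__":
    for f in ognl_findings(SAMPLE_LOG):
        print(f"line {f['line']}: {f['client']} {f['path']} {f['param']}={f['value']!r}")
```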

Exploitation begins a week after fixes are released

Attackers and professional bug bounty hunters are probing Confluence
systems for functionality vulnerable to CVE-2021-26084, according to
Vietnamese security researcher Tuan Anh Nguyen, who stated on Tuesday that
widespread scans for Confluence servers are already under way.

Soon after the issue was disclosed, two security researchers, Rahul Maini
and Harsh Jaiswal, released a detailed explanation of the flaw on GitHub,
along with various proof-of-concept payloads. Maini described the process
of building a CVE-2021-26084 exploit as “relatively simpler than
expected,” consistent with the bug's high severity rating of 9.8.

Because Confluence is widely used team collaboration software at some of
the world's largest businesses, and CVE-2021-26084 is highly effective
from a threat actor's standpoint, criminal gangs are expected to step up
their attacks in the next few days.

As Confluence flaws have previously been widely weaponized, a similar
exploitation strategy is probable this time.

According to its website, Atlassian's Confluence is used by over 60,000
customers, including Audi, Hubspot, NASA, LinkedIn, Twilio, and Docker.