Confluence with critical security gap: attackers can take over servers [+ demo]

(Post image: Confluence logo. Image: © 2021 Atlassian)

We at TechnikNews have reported on security vulnerabilities a lot lately: only a few weeks ago it was Exchange, now the next one has arrived. This time it hits Atlassian's Confluence wiki software. Because of a critical security vulnerability, the entire server can be taken over with full access (possibly even as root). Admins should act as soon as possible.

Admittedly, we are a little late: the vulnerability has been public since August 25, 2021. In our research almost two weeks later we still found numerous unpatched servers, so we see it as our responsibility to cover it in an article. Atlassian itself classifies the vulnerability (CVE-2021-26084) as critical, and attackers are already actively exploiting it.

Which versions of Confluence are affected?

Many versions of Confluence ship with this vulnerability. Specifically, it affects versions 4.x, 5.x, 6.x and 7.x up to 7.12.x, regardless of whether the Server or Data Center variant is used. Versions 6.13.23, 7.4.11, 7.11.6, 7.12.5, 7.13.0 and all subsequent versions are not affected. According to the relevant Jira ticket CONFSERVER-67940, the vulnerability was reported as early as the end of July 2021.
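For a quick inventory check, the following added example (not Atlassian's code) encodes the affected and fixed versions listed above as a classifier; it treats later patch releases on a fixed branch (such as 6.13.24) as fixed, in line with "and all subsequent versions", and the hostnames and versions in the sample inventory are constructed.

```python
"""Classify Confluence Server/Data Center versions against the CVE-2021-26084
affected ranges given above. Added example, not Atlassian's code."""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# First fixed release on each branch named in the article. Later patch releases
# on the same branch (e.g. 6.13.24) count as fixed ("and all subsequent versions").
FIXED_RELEASES: List[Version] = [(6, 13, 23), (7, 4, 11), (7, 11, 6), (7, 12, 5), (7, 13, 0)]

def parse_version(text: str) -> Version:
    """Turn '7.12.4' (or a short '7.12') into a comparable (major, minor, patch) tuple."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Confluence version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]

def classify(text: str) -> str:
    """'affected', 'fixed', or 'unlisted' for releases older than the 4.x line."""
    v = parse_version(text)
    if v < (4, 0, 0):
        return "unlisted"           # the article's range starts at 4.x
    if v >= (7, 13, 0):
        return "fixed"              # 7.13.0 and everything after it
    for fixed in FIXED_RELEASES:
        if v[:2] == fixed[:2]:      # same major.minor branch as a fixed release
            return "affected" if v < fixed else "fixed"
    return "affected"               # 4.x .. 7.12.x branches without a fix release

def is_affected(text: str) -> bool:
    return classify(text) == "affected"

def hosts_needing_patch(inventory: Dict[str, str]) -> List[str]:
    """Hosts whose Confluence version still needs the patch, sorted by name."""
    return sorted(host for host, version in inventory.items() if is_affected(version))

# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = {
    "wiki-prod": "7.12.4",
    "wiki-staging": "7.13.0",
    "wiki-legacy": "6.13.22",
    "wiki-lts": "7.4.11",
}

if __name__ == "__main__":
    for host in hosts_needing_patch(SAMPLE_INVENTORY):
        print(f"{host}: Confluence {SAMPLE_INVENTORY[host]} is affected, patch now")
```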

Import the current update or use an emergency patch

Updating Confluence can often be time-consuming. For this reason Atlassian provides a script (Linux/Windows) that patches exactly this vulnerability: download it, adjust the Confluence installation path if necessary, then apply the patch. Another option is to update directly to Confluence 7.13.0, which is already patched. Below we show step by step how the workaround or quick patch is applied. Atlassian also provides its own instructions for this.

Confluence on Linux

  1. Shut down Confluence
  2. Download the cve-2021-26084-update.sh script
  3. Edit the downloaded script and set INSTALLATION_DIRECTORY:
    INSTALLATION_DIRECTORY=/opt/atlassian/confluence
  4. Make the script executable:
    chmod 700 cve-2021-26084-update.sh
  5. Run it as the user who owns the installation directory. The following command shows the owner of the installation path:
    ls -l /opt/atlassian/confluence | grep bin
  6. If, for example, "confluence" is listed as the owner, switch to that user:
    sudo su confluence
  7. Run the script:
    ./cve-2021-26084-update.sh
  8. "Update completed!" should now appear
  9. Start the service again
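Steps 5 and 6 are where patch runs usually go wrong (wrong directory, wrong account), so here is an added pre-flight check for Linux/Unix hosts (example code, not part of Atlassian's patch script): it confirms the directory exists, contains a bin/ folder as step 5 expects, and is owned by the current user, and it flags a root-owned installation as the risk the article describes.

```python
"""Pre-flight check before running Atlassian's cve-2021-26084-update.sh: the
script has to run as the user who owns INSTALLATION_DIRECTORY (steps 5 and 6).
Added example for Linux/Unix hosts, not part of Atlassian's patch script."""
import os
import pwd
import tempfile
from dataclasses import dataclass, field
from typing import List

@dataclass
class PreflightResult:
    path: str
    ok: bool = False            # True when the patch may be run from this account
    owner: str = ""
    current_user: str = ""
    warnings: List[str] = field(default_factory=list)

def _user_name(uid: int) -> str:
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:            # uid without a passwd entry (e.g. in some containers)
        return str(uid)

def check_install_dir(path: str) -> PreflightResult:
    """Verify the directory exists, looks like a Confluence install, and is owned by us."""
    r = PreflightResult(path=path)
    if not os.path.isdir(path):
        r.warnings.append(f"{path} is not a directory; check INSTALLATION_DIRECTORY")
        return r
    if not os.path.isdir(os.path.join(path, "bin")):   # step 5 above also looks for bin
        r.warnings.append(f"{path} has no bin/ subdirectory; probably not a Confluence install")
        return r
    r.owner = _user_name(os.stat(path).st_uid)
    r.current_user = _user_name(os.geteuid())
    if r.owner != r.current_user:
        r.warnings.append(f"run the patch as '{r.owner}' (sudo su {r.owner}), not '{r.current_user}'")
        return r
    if r.owner == "root":
        # The article's main finding: a root-owned install usually means Confluence
        # runs as root, so a compromise of the wiki hands over the whole host.
        r.warnings.append("installation is owned by root; move Confluence to a dedicated user")
    r.ok = True
    return r

def demo() -> PreflightResult:
    """Check a constructed Confluence-like layout (a temp dir with a bin/ folder)."""
    with tempfile.TemporaryDirectory() as tmp:
        os.mkdir(os.path.join(tmp, "bin"))
        return check_install_dir(tmp)
```

Run check_install_dir("/opt/atlassian/confluence") (or your own path) before step 7; anything in warnings needs attention before the patch script is started.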

Confluence on Windows

  1. Shut down Confluence
  2. Download the cve-2021-26084-update.ps1 script
  3. Edit the downloaded script and set INSTALLATION_DIRECTORY:
    $INSTALLATION_DIRECTORY='C:\Program Files\Atlassian\Confluence'
  4. Open Windows PowerShell as administrator and run the script:
    Get-Content .\cve-2021-26084-update.ps1 | powershell.exe -noprofile -
  5. "Update completed!" should now appear
  6. Start the service again

Attackers can take over Confluence - and not just that

If you haven't updated yet, the gate has been wide open for two weeks, so it may already be too late. If you also run Confluence as the root user, an attacker may already have taken over the entire server, possibly unnoticed. If other services run on the same host besides the wiki software, they can be reached without any difficulty. If you run the tool in isolation in a container, you are in a better position.

What a server takeover by an attacker looks like

In our research we found numerous still unpatched (!) installations. In all cases we were able to gain access without difficulty and contacted all operators of these installations, without causing any damage to the servers, of course. In theory, we could have deleted, created or uploaded files and accessed other folders outside the wiki software. The problem: almost none of the installations used a dedicated user to run Confluence; the software simply ran as root, probably for convenience. An example of what an attacker sees on an unsecured Confluence instance:

(Screenshot: full access as root user to a Confluence system that we "visited". Image: TechnikNews/Screenshot)

Had we been an actual attacker, we could have done a lot of damage here with just a few commands. Admins should therefore act as soon as possible: an unpatched server is almost equivalent to exposing a server login directly on the Internet.


David Wurm
