Confluence with critical security gap: attackers can take over servers [+ demo]
We at TechnikNews have reported on security vulnerabilities a lot lately: only a few weeks ago it was Exchange, now there is the next one. This time it hits the Confluence wiki software from Atlassian. Due to a critical security vulnerability, the entire server can be taken over with full access (possibly even as root). Admins should take action as soon as possible.
Admittedly, we are a little late: the security hole has been public since August 25, 2021. In our research, almost two weeks later, we have still found numerous unpatched servers. So we see it as our responsibility to cover it in the form of an article. Atlassian itself classifies the vulnerability (CVE-2021-26084) as critical, and attackers are already actively exploiting it.
Which versions of Confluence are affected?
Many versions of Confluence carry this vulnerability. Specifically, it affects the version numbers 4.x, 5.x, 6.x and 7.x up to 7.12.x; it makes no difference whether the Server or Data Center variant is used. The version numbers 6.13.23, 7.4.11, 7.11.6, 7.12.5, 7.13.0 and all subsequent versions are not affected. According to the relevant Jira ticket CONFSERVER-67940, the vulnerability was reported as early as the end of July 2021.
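To turn the version list above into something an admin can run against an inventory, here is an added example (not code from Atlassian or from the original article) that decides whether a given Confluence version string still needs the patch. It assumes the branch boundaries from Atlassian's own advisory for CVE-2021-26084 (before 6.13.23; 6.14.0 up to before 7.4.11; 7.5.0 up to before 7.11.6; 7.12.0 up to before 7.12.5), which is how "6.13.23, 7.4.11, 7.11.6, 7.12.5, 7.13.0 and all subsequent versions" resolves into concrete ranges.

```python
"""Classify Confluence Server / Data Center version strings against the
CVE-2021-26084 affected ranges listed in the article (added example)."""
import re

# (lower bound inclusive, first fixed release in that maintenance branch).
# Versions below 4.0 are outside the article's scope and are reported as
# unaffected here; everything from 7.13.0 onward falls outside every range.
AFFECTED_RANGES = [
    ((4, 0, 0), (6, 13, 23)),
    ((6, 14, 0), (7, 4, 11)),
    ((7, 5, 0), (7, 11, 6)),
    ((7, 12, 0), (7, 12, 5)),
]


def parse_version(text):
    """Turn '7.12.4' (or '7.12', meaning 7.12.0) into a comparable tuple."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised Confluence version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(text):
    """True if the version lies in one of the vulnerable ranges."""
    version = parse_version(text)
    return any(lower <= version < fixed for lower, fixed in AFFECTED_RANGES)


def next_fixed_release(text):
    """The first patched release of the same branch, or None if already fixed."""
    version = parse_version(text)
    for lower, fixed in AFFECTED_RANGES:
        if lower <= version < fixed:
            return ".".join(str(part) for part in fixed)
    return None


def classify_inventory(versions):
    """Map each host's version string to a short verdict an admin can act on."""
    verdicts = {}
    for host, version in versions.items():
        if is_affected(version):
            verdicts[host] = (f"AFFECTED: upgrade to {next_fixed_release(version)} "
                              "or apply the cve-2021-26084-update script")
        else:
            verdicts[host] = "not affected"
    return verdicts


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"wiki-a": "7.12.4", "wiki-b": "7.13.0", "wiki-c": "6.13.22", "wiki-d": "5.10.8"}
    for host, verdict in classify_inventory(sample).items():
        print(f"{host}: {verdict}")
```

The check is deliberately conservative at the branch edges: 6.13.22 is affected while 6.13.23 is not, and 7.12.4 is affected while 7.12.5 is not, exactly as the fixed-release list states.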
Import the current update or use an emergency patch
Updating Confluence can often be time-consuming. For this reason Atlassian provides a script (Linux/Windows) that patches exactly this vulnerability. It is downloaded, the installation path of Confluence is adjusted if necessary, and then the patch is applied. Another option is to update directly to Confluence 7.13.0, which is already patched. In the following we show step by step how the workaround or quick patch is applied. Atlassian also provides these instructions for this.
Confluence on Linux
- Shut down Confluence
- Download the cve-2021-26084-update.sh script
- Edit the downloaded script and set INSTALLATION_DIRECTORY:
INSTALLATION_DIRECTORY=/opt/atlassian/confluence
- Grant execute permission:
chmod 700 cve-2021-26084-update.sh
- Run the script as the user that owns the installation directory; the following command shows the owner of the installation path:
ls -l /opt/atlassian/confluence | grep bin
- If, for example, "confluence" is listed as the owner, switch to this user:
sudo su confluence
- Run the script:
./cve-2021-26084-update.sh
- "Update completed!" should now appear
- Start the service again
Confluence on Windows
- Shut down Confluence
- Download the cve-2021-26084-update.ps1 script
- Edit the downloaded script and set INSTALLATION_DIRECTORY:
$INSTALLATION_DIRECTORY='C:\Program Files\Atlassian\Confluence'
- Open Windows PowerShell as administrator and run the script:
Get-Content .\cve-2021-26084-update.ps1 | powershell.exe -noprofile -
- "Update completed!" should now appear
- Start the service again
Hackers can take over Confluence - and not only that
If you haven't updated yet, the gate has been wide open for two weeks, so it could already be too late. If you also run Confluence as the root user, an attacker could already have taken over the entire server (possibly unnoticed). If other services run on the same machine alongside the wiki software, they are easily reachable as well. Those who run the tool on its own in a container are in a better position.
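The Linux patch steps above require running the script as the account that owns the installation directory, and this section's warning is about instances running as root. The following added example (not code from Atlassian or from the article) audits both points on a Linux host: it reports the owner of the installation directory and scans /proc for Confluence processes running as uid 0. The install path and the shape of the fake /proc tree used in the demo are constructed for illustration; on a real host you would pass the actual installation directory and leave proc_root at /proc.

```python
"""Audit a Linux Confluence host for root ownership and root-run processes
(added example; the sample /proc tree below is constructed, not real data)."""
import os
import pwd
import tempfile
from pathlib import Path


def owner_of(path):
    """User name that owns `path`; the article gets this with `ls -l ... | grep bin`."""
    return pwd.getpwuid(os.stat(path).st_uid).pw_name


def parse_uid(status_text):
    """Real UID from a /proc/<pid>/status body (line 'Uid: real effective saved fs')."""
    for line in status_text.splitlines():
        if line.startswith("Uid:"):
            return int(line.split()[1])
    raise ValueError("no Uid: line in status text")


def find_confluence_processes(proc_root="/proc", marker="confluence"):
    """(pid, uid, cmdline) for every process whose command line mentions Confluence."""
    found = []
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            raw = (entry / "cmdline").read_bytes()
            uid = parse_uid((entry / "status").read_text())
        except (OSError, ValueError):
            continue  # process exited meanwhile or is not readable to us
        cmdline = raw.replace(b"\0", b" ").decode(errors="replace").strip()
        if marker in cmdline.lower():
            found.append((int(entry.name), uid, cmdline))
    return sorted(found)


def audit(install_dir, proc_root="/proc"):
    """Findings an admin should fix: root-owned install dir, root-run processes."""
    findings = []
    if owner_of(install_dir) == "root":
        findings.append(f"{install_dir} is owned by root; create a dedicated service account")
    for pid, uid, _ in find_confluence_processes(proc_root):
        if uid == 0:
            findings.append(f"pid {pid}: Confluence runs as root")
    return findings


def build_sample_proc_tree(root):
    """Constructed stand-in for /proc: one Confluence as root, one as uid 1001, one sshd."""
    samples = {
        "4242": (0, b"/opt/atlassian/confluence/jre/bin/java\0-Dconfluence.home=/var/atlassian/application-data/confluence\0"),
        "4300": (1001, b"/opt/atlassian/confluence/jre/bin/java\0-Dconfluence.home=/srv/confluence\0"),
        "77": (0, b"/usr/sbin/sshd\0-D\0"),
    }
    for pid, (uid, cmd) in samples.items():
        d = Path(root) / pid
        d.mkdir()
        (d / "cmdline").write_bytes(cmd)
        (d / "status").write_text(f"Name:\tjava\nUid:\t{uid}\t{uid}\t{uid}\t{uid}\n")


def demo():
    """Run the audit against the constructed tree; returns the findings list."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_proc_tree(tmp)
        install_dir = Path(tmp) / "install"  # hypothetical install path for the demo
        install_dir.mkdir()  # owned by whoever runs the demo
        return audit(install_dir, proc_root=tmp)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

On a real host, run it as the Confluence service account with audit("/opt/atlassian/confluence"); a finding for a root-run process means the patch alone is not enough and the service should be moved to a dedicated, unprivileged account (or its own container) as the article recommends.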
This is what it looks like when an attacker takes over the server
In our research we have found numerous installations that are still unpatched (!). In all of these cases we got access without any problems and immediately contacted the operators of these installations, naturally without causing any damage to the servers. In theory, we could have deleted, created and reloaded files and accessed other folders outside of the wiki software. The problem here: almost all installations had not created a dedicated user to run Confluence, but simply let the software run as root, probably for convenience. An example of what an attacker sees on an unsecured Confluence instance:
If we had been a potential attacker here, we could have done a lot of damage with just a few commands. Admins should therefore act as soon as possible: an unpatched server is almost the same as putting a server login directly on the Internet.