Confluence with critical security gap: attackers can take over servers [+ demo]

Confluence logo (Image: © 2021 Atlassian)

We at TechnikNews have reported on security vulnerabilities a lot lately - only a few weeks ago it was Exchange, now the next one is here. This time it hits the Confluence wiki software from Atlassian. A critical security gap allows the entire server to be taken over with full access (possibly even as root). Admins should take action as soon as possible.

Admittedly, we are a little late: the security hole has been public since August 25, 2021. In our research we have found numerous servers that are still unpatched after almost two weeks, so we see it as our responsibility to cover it in the form of an article. Atlassian itself classifies the vulnerability (CVE-2021-26084) as critical, and attackers are already actively exploiting it.

Which versions of Confluence are affected?

Many versions of Confluence have this loophole on board. Specifically, the affected version numbers are 4.x, 5.x, 6.x and 7.x up to 7.12.x; it makes no difference whether the Server or Data Center variant is used. The versions 6.13.23, 7.4.11, 7.11.6, 7.12.5, 7.13.0 and all subsequent versions are not affected. According to the relevant Jira ticket CONFSERVER-67940, the vulnerability was reported as early as the end of July 2021.

Import the current update or use an emergency patch

Updating Confluence can often be time-consuming. For this reason Atlassian provides a script (Linux/Windows) that patches exactly this loophole. The script is downloaded, the installation path of Confluence is adjusted if necessary, and then the patch is applied. Another option is to update directly to Confluence 7.13.0, which is already patched. Below we show step by step how the workaround or quick patch is applied. Atlassian also provides its own instructions for this.

Confluence on Linux

  1. Shut down Confluence
  2. Download the script cve-2021-26084-update.sh
  3. Edit the downloaded script and set INSTALLATION_DIRECTORY:
    INSTALLATION_DIRECTORY=/opt/atlassian/confluence
  4. Grant execute permission:
    chmod 700 cve-2021-26084-update.sh
  5. Execute the script as the user who owns the installation directory - the following command shows the owner of the installation path:
    ls -l /opt/atlassian/confluence | grep bin
  6. If, for example, "confluence" is listed as the owner, switch to that user:
    sudo su confluence
  7. Run the script:
    ./cve-2021-26084-update.sh
  8. "Update completed!" should now appear
  9. Start the service again
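As an added example (not Atlassian's patch script and not code from the article), a small POSIX shell helper that classifies a Confluence version string against the affected and fixed versions listed above, so an admin can triage a list of instances before running the steps. It also includes a helper for step 5 that reports the owner of the installation directory. The version ranges come from the article; the function names `confluence_affected` and `install_owner` are my own.

```shell
#!/bin/sh
# Added example, not Atlassian's patch script. Classifies a Confluence version
# against the ranges given in the article for CVE-2021-26084:
# affected: 4.x, 5.x, 6.x, 7.x up to 7.12.x; fixed: 6.13.23, 7.4.11, 7.11.6,
# 7.12.5, 7.13.0 and later (and the later releases on each of those branches).
# Returns 0 when the version is affected, 1 when it already carries the fix.
confluence_affected() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    # "7.13" without a patch component: treat it as .0
    if [ "$patch" = "$rest" ]; then patch=0; fi
    # drop suffixes such as "-beta1" so the numeric tests get plain integers
    patch=${patch%%[!0-9]*}
    : "${patch:=0}"
    case $major in
        [0-5]) return 0 ;;
        6)
            # only the 6.13 branch received a fix (6.13.23 and later)
            if [ "$minor" -eq 13 ] && [ "$patch" -ge 23 ]; then return 1; fi
            return 0 ;;
        7)
            # 7.13.0 and everything after it is already patched
            if [ "$minor" -ge 13 ]; then return 1; fi
            case $minor in
                4)  if [ "$patch" -ge 11 ]; then return 1; fi ;;
                11) if [ "$patch" -ge 6 ];  then return 1; fi ;;
                12) if [ "$patch" -ge 5 ];  then return 1; fi ;;
            esac
            return 0 ;;
        *) return 1 ;;
    esac
}

# Owner of the installation directory, i.e. the account the patch script must be
# run as (step 5 above). Uses ls -ld so it works on any POSIX system.
install_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# Usage: ./check-confluence.sh 7.12.4 6.13.23 7.13.0
for v in "$@"; do
    if confluence_affected "$v"; then
        echo "$v: AFFECTED - apply the patch script or update to 7.13.0"
    else
        echo "$v: not affected (fixed release)"
    fi
done
```

Note that, following the article's list, only the 6.13 branch counts as fixed within 6.x; a 6.14.x or 7.5.x instance is reported as affected because no fixed release exists on those branches and they need the patch script or an update.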

Confluence on Windows

  1. Shut down Confluence
  2. Download the script cve-2021-26084-update.ps1
  3. Edit the downloaded script and set INSTALLATION_DIRECTORY:
    $INSTALLATION_DIRECTORY='C:\Program Files\Atlassian\Confluence'
  4. Open Windows PowerShell as administrator and run the script:
    Get-Content .\cve-2021-26084-update.ps1 | powershell.exe -noprofile -
  5. "Update completed!" should now appear
  6. Start the service again

Hackers can take over Confluence - not just that

If you haven't updated yet, the gate has been wide open for two weeks, so it could already be too late. If you also run Confluence as the root user, an attacker could already have taken over the entire server (possibly unnoticed). If other services run on the same machine alongside the wiki software, they can be reached just as easily. Those who run the tool on its own in a container are better off.

What an attacker taking over the server looks like

In our research we found numerous installations that are still unpatched (!). In every case we were able to gain access without any difficulty, and we immediately contacted all the operators of these installations - naturally without causing any damage to the servers. In theory, we could have deleted, created or reloaded files and accessed other folders outside of the wiki software. The problem here: almost none of the installations had a dedicated user for running Confluence; the software simply ran as root, probably for convenience. An example of what an attacker sees on an unsecured Confluence instance:

[Screenshot: full access as root user to a Confluence system that we "visited". (Image: TechnikNews/Screenshot)]

Had we been a real attacker, we could have done a great deal of damage here with just a few commands. Admins should therefore act as soon as possible - leaving a server unpatched is almost the same as putting its login directly on the Internet.

David Wurm

Has been running TechnikNews together with a great team since 2015. Works in the background on the server infrastructure and is also responsible for everything editorial. Is fascinated by current technology and enjoys blogging about everything digital. In his free time he can often be found developing websites, taking photographs or making radio.
