Atlassian Confluence Server OGNL Injection (CVE-2021-26084)

Introduction

CVE-2021-26084, a critical vulnerability (CVSS score 9.8) in Atlassian Confluence Server and Confluence Data Center, is currently being actively and widely exploited by threat actors.

Initially reported [1] on July 27, 2021 by a researcher named Benny Jacob (SnowyOwl) via Atlassian’s public bug bounty program, this critical vulnerability relates to an Object-Graph Navigation Language (OGNL) injection that could allow remote code execution by an authenticated user, and in some instances an unauthenticated user.

Following the release of multiple proof-of-concepts (PoC) demonstrating exploitation, multiple national CERTs, including the United States Cyber Command (USCYBERCOM), have released alerts (Figure 1) urging organizations to patch immediately.

Figure 1 - USCYBERCOM Cybersecurity Alert (https://twitter.com/CNMF_CyberAlert/status/1433787671785185283)

Given the high criticality of this vulnerability, and the fact that this incident coincides with upcoming national holidays in multiple countries, Cyberint Research reiterate the advice that those using Atlassian Confluence take action sooner rather than later.

Impact

Whilst resolved by Atlassian with the release of a hotfix and security advisory [2] on August 25, 2021, the publication of details regarding this vulnerability have enabled security researchers, and no doubt nefarious actors, to analyze the hotfix leading to the creation of working proof-of-concept exploits [3].

Given that there is often a time lag between a hotfix being released and subsequently applied by affected organizations, a situation like the current arises with reports, as of September 3, 2021, confirming that Atlassian Confluence Server and Confluence Data Center installations are being widely and actively exploited.

This period of exploitation likely followed some broad scanning activity in which potentially vulnerable hosts were identified.

Although it in some cases the attacker requires authenticated access, such as by obtaining and abusing some legitimate user’s credentials, Confluence installations that have the ‘Allow people to sign up to create their account’ option enabled can by exploited by an unauthenticated and unprivileged user.

Based on the POCs released, exploitation requires the threat actor to send a HTTP POST request that includes a specially crafted queryString value that includes commands for injection and execution on the vulnerable host.

One such example of this injection leading to remote code execution is the ability for a threat actor can gain access to an instance of the java.lang.Runtime class on a vulnerable host that leads to getRuntime() being invoked and the exec method being called with a string that executes some arbitrary command.

Affected versions of Atlassian Confluence Server and Confluence Data Center include:

• 4.x.x
• 5.x.x
• 6.x.x up-to but not including 6.13.23
• 6.14.0 up-to but not including 7.4.11
• 7.5.0 up-to but not including 7.11.6
• 7.12.0 up-to but not including 7.12.5

Cloud versions are not thought to be vulnerable as presumably these were patched directly by Atlassian.

Detection

Based on recently observed proof-of-concept (POC) code, HTTP POST requests sent to the following vulnerable endpoints may be indicative of exploitation attempts, especially where the queryString body includes unexpected content:

• /login
• /pages/createpage-entervariables.action
• /pages/templates2/viewpagetemplate.action
• /template/custom/content-editor
• /templates/editor-preload-container
• /users/user-dark-features

Whilst easily modifiable to meet a threat actor’s requirements, the following example queryString value [4] has been observed in recently published POC code:

queryString=aaa\u0027%2b#{\u0022\u0022[\u0022class\u0022].forName(\u0022javax.script.ScriptEngineManager\u0022).newInstance().getEngineByName(\u0022js\u0022).eval(\u0022var x=new java.lang.ProcessBuilder;x.command([\u0027/bin/bash\u0027,\u0027-c\u0027,\u0027'.$cmd.'\u0027]);x.start()\u0022)}%2b\u0027

Additionally, given the nature of the exploit, HTTP POST request headers may provide an opportunity for detection. Specifically, those containing unexpected User-Agent strings such as the command-line utilities curl and wget, or programming libraries such as Python’s ‘requests’.

As such, the following user-agent strings may be considered nefarious, albeit version numbers may vary depending on the threat actor:

• curl/7.72.0
• python-requests/2.25.1
• Wget/1.19.4 (linux-gnu)

Recommendations

• Organizations utilizing vulnerable versions of Confluence are urgently advised to update to the fixed versions as detailed in the Atlassian security advisory [2] as soon as possible:
  • 6.13.23
  • 7.4.11
  • 7.11.6
  • 7.12.5
  • 7.13.0
• Organizations utilizing older versions of Atlassian Confluence, such as 4.x.x and 5.x.x are advised to check with their support provider to determine if these products are still maintained and/or should be deployed in production environments.
• Consideration should be given to monitoring for unusual HTTP POST requests containing potentially dangerous queryString values and/or suspicious user-agent strings.
• To prevent unauthorized access to Atlassian Confluence hosts, and therefore prevent unauthenticated exploit attempts, consider requiring users to first authenticate and connect to a VPN.
• Consideration should also be given as to need for the ‘Allow people to sign up to create their account‘ option that can allow unauthenticated users to create accounts. The status of this option can be confirmed via the Confluence settings within the ‘User Management‘ section under ‘User Signup Options‘.