Urgent: Critical Security Vulnerability for Confluence Server and Data Center – OGNL Injection

On Wednesday August 25, 2021, Atlassian published a critical severity security advisory for an OGNL injection vulnerability (CVE-2021-26084) affecting Confluence Server and Data Center.

Confluence Cloud customers are not affected.

Customers who have already upgraded to versions 6.13.23, 7.4.11, 7.11.6, 7.12.5, or 7.13.0 are not affected.

Description of Vulnerability

An OGNL injection vulnerability (CVE-2021-26084) exists that allows an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.

What You Need To Know…

Versions affected:

Confluence Server and Data Center

  • All 4.x.x versions
  • All 5.x.x versions
  • All 6.0.x versions
  • All 6.1.x versions
  • All 6.2.x versions
  • All 6.3.x versions
  • All 6.4.x versions
  • All 6.5.x versions
  • All 6.6.x versions
  • All 6.7.x versions
  • All 6.8.x versions
  • All 6.9.x versions
  • All 6.10.x versions
  • All 6.11.x versions
  • All 6.12.x versions
  • All 6.13.x versions before 6.13.23
  • All 6.14.x versions
  • All 6.15.x versions
  • All 7.0.x versions
  • All 7.1.x versions
  • All 7.2.x versions
  • All 7.3.x versions
  • All 7.4.x versions before 7.4.11
  • All 7.5.x versions
  • All 7.6.x versions
  • All 7.7.x versions
  • All 7.8.x versions
  • All 7.9.x versions
  • All 7.10.x versions
  • All 7.11.x versions before 7.11.6
  • All 7.12.x versions before 7.12.5

Versions already fixed:

Confluence Server and Data Center

  • 6.13.23
  • 7.4.11
  • 7.11.6
  • 7.12.5
  • 7.13.0

Recommended action: 

Atlassian recommends that you upgrade to the latest Long Term Support release. For a full description of the latest version, see the Confluence Server and Data Center Release Notes. You can download the latest version from the download center.

If you are running an affected version, upgrade to version 7.13.0 (LTS) or higher.

If you are running 6.13.x versions and cannot upgrade to 7.13.0 (LTS) then upgrade to version 6.13.23.

If you are running 7.4.x versions and cannot upgrade to 7.13.0 (LTS) then upgrade to version 7.4.11.

If you are running 7.11.x versions and cannot upgrade to 7.13.0 (LTS) then upgrade to version 7.11.6.

If you are running 7.12.x versions and cannot upgrade to 7.13.0 (LTS) then upgrade to version 7.12.5.
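To turn the version lists above into a quick check, the following added example classifies a Confluence Server or Data Center version string as affected, fixed, or not listed in this advisory, and names the in-branch fix release where one exists. This is example code written for this page, not an Atlassian tool; it encodes only the ranges given above and takes the version string as an argument (for example the version shown on the Confluence administration System Information page), since it does not query a running instance.

```shell
# Classify Confluence versions against the ranges listed in this advisory.
# Added example for this page, not Atlassian's code. Only the version ranges
# on this page are encoded; anything outside them is reported as "unlisted".

# Split "MAJOR.MINOR[.PATCH[...]]" into CV_MAJOR / CV_MINOR / CV_PATCH.
# Returns 1 if the argument is not a dotted numeric version string.
parse_version() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    CV_MAJOR=${1%%.*}
    case $1 in *.*) cv_rest=${1#*.} ;; *) cv_rest=0 ;; esac
    CV_MINOR=${cv_rest%%.*}
    case $cv_rest in *.*) CV_PATCH=${cv_rest#*.} ;; *) CV_PATCH=0 ;; esac
    CV_PATCH=${CV_PATCH%%.*}      # ignore any fourth component
    return 0
}

# Print one of: affected, fixed, unlisted, invalid.
confluence_status() {
    if ! parse_version "$1"; then echo invalid; return 0; fi
    status=unlisted
    case "$CV_MAJOR.$CV_MINOR" in
        4.*|5.*) status=affected ;;                       # all 4.x.x and 5.x.x
        6.13)    if [ "$CV_PATCH" -lt 23 ]; then status=affected; else status=fixed; fi ;;
        7.4)     if [ "$CV_PATCH" -lt 11 ]; then status=affected; else status=fixed; fi ;;
        7.11)    if [ "$CV_PATCH" -lt 6 ];  then status=affected; else status=fixed; fi ;;
        7.12)    if [ "$CV_PATCH" -lt 5 ];  then status=affected; else status=fixed; fi ;;
        6.*)     if [ "$CV_MINOR" -le 15 ]; then status=affected; fi ;;   # 6.0.x .. 6.15.x
        7.*)     if [ "$CV_MINOR" -le 12 ]; then status=affected; else status=fixed; fi ;;  # 7.13.0+ fixed
    esac
    echo "$status"
}

# Exit 0 when the version is in an affected range, 1 otherwise.
confluence_is_affected() {
    [ "$(confluence_status "$1")" = affected ]
}

# Print the fixed release for the same branch, or nothing when the only
# option on this page is the 7.13.0 (LTS) upgrade.
branch_fix() {
    parse_version "$1" || return 1
    case "$CV_MAJOR.$CV_MINOR" in
        6.13) echo 6.13.23 ;;
        7.4)  echo 7.4.11 ;;
        7.11) echo 7.11.6 ;;
        7.12) echo 7.12.5 ;;
        *)    : ;;
    esac
}

# Usage: sh check_confluence_version.sh 7.12.4 6.13.23 7.3.1
for v in "$@"; do
    s=$(confluence_status "$v")
    case $s in
        affected) b=$(branch_fix "$v")
                  echo "$v: AFFECTED - upgrade to 7.13.0 (LTS)${b:+ or at least $b to stay on this branch}" ;;
        *)        echo "$v: $s" ;;
    esac
done
```

Versions newer than anything in the advisory (for example an 8.x release) are deliberately reported as "unlisted" rather than "fixed", so the script never claims safety for a release this page says nothing about.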

Mitigation

If you are unable to upgrade Confluence immediately, then as a temporary workaround, you can mitigate the issue by running the script below for the Operating System that Confluence is hosted on.

Confluence Server or Data Center Node running on Linux based Operating System

  1. Shut down Confluence.
  2. Download the cve-2021-26084-update.sh to the Confluence Linux Server.
  3. Edit the cve-2021-26084-update.sh file and set INSTALLATION_DIRECTORY to your Confluence installation directory, for example:
    INSTALLATION_DIRECTORY=/opt/atlassian/confluence
  4. Save the file.
  5. Give the script execute permission.
    chmod 700 cve-2021-26084-update.sh
  6. Change to the Linux user that owns the files in the Confluence installation directory. First check who owns them:
    $ ls -l /opt/atlassian/confluence | grep bin
    drwxr-xr-x  3 root       root       4096 Aug 18 17:07 bin
    # In this first example the files are owned by 'root', so change to the 'root' user to run the workaround script
    $ sudo su root

    $ ls -l /opt/atlassian/confluence | grep bin
    drwxr-xr-x  3 confluence confluence 4096 Aug 18 17:07 bin
    # In this second example the files are owned by 'confluence', so change to the 'confluence' user to run the workaround script
    $ sudo su confluence
  7. Run the workaround script.
    $ ./cve-2021-26084-update.sh
  8. The expected output should confirm up to five files updated and end with:
    Update completed!

    The number of files updated will differ, depending on your Confluence version.

  9. Restart Confluence.

If you run Confluence in a cluster, make sure you run this script on all of your nodes.
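Steps 6 to 8 of the Linux procedure above are easy to get subtly wrong on a fleet of nodes (running the script as the wrong account, or not noticing that it stopped before "Update completed!"). The following added wrapper, written for this page and not part of Atlassian's workaround, automates exactly those steps: it reads the owner of the installation directory, runs the already downloaded and edited cve-2021-26084-update.sh as that account, and only reports success when the script exits 0 and its last output line is "Update completed!". It uses sudo -u in place of the interactive "sudo su <user>" shown in the steps; the directory path and script path are passed in.

```shell
# Wrapper for steps 6-8 of the Linux workaround procedure.
# Added example for this page, not Atlassian's script. Assumes the workaround
# script has already been downloaded and INSTALLATION_DIRECTORY set in it.

# Print the account that owns DIR (third column of "ls -ld").
install_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# Usage: run_as_owner /opt/atlassian/confluence /path/to/cve-2021-26084-update.sh
# Returns 0 only if the script exits 0 AND its final line is "Update completed!".
# On any other outcome the captured output is echoed to stderr for inspection.
run_as_owner() {
    dir=$1
    script=$2
    owner=$(install_owner "$dir")
    chmod 700 "$script"                       # step 5 of the procedure

    # Run directly when we already are the owner, otherwise switch with sudo -u
    # (equivalent to the "sudo su <owner>" in step 6). Wrapped in "if" so the
    # exit status is captured even when the caller has "set -e" active.
    if [ "$(id -un)" = "$owner" ]; then
        if out=$("$script" 2>&1); then rc=0; else rc=$?; fi
    else
        if out=$(sudo -u "$owner" "$script" 2>&1); then rc=0; else rc=$?; fi
    fi

    last=$(printf '%s\n' "$out" | tail -n 1)   # step 8: check the closing line
    if [ "$rc" -eq 0 ] && [ "$last" = "Update completed!" ]; then
        echo "workaround applied as '$owner' for $dir"
        return 0
    fi
    echo "workaround did NOT complete cleanly (exit $rc); script output was:" >&2
    printf '%s\n' "$out" >&2
    return 1
}

# Usage: sh apply_workaround.sh /opt/atlassian/confluence ./cve-2021-26084-update.sh
# (Confluence must already be shut down, and on a cluster run this on every node.)
if [ "$#" -eq 2 ]; then
    run_as_owner "$1" "$2"
fi
```

Because the wrapper returns a non-zero status on anything other than a clean "Update completed!", it can be chained with the restart (run_as_owner ... && start Confluence) so that a node whose workaround failed is never brought back up as if it had been patched.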

Confluence Server or Data Center Node running on Microsoft Windows

  1. Shut down Confluence.
  2. Download the cve-2021-26084-update.ps1 to the Confluence Windows Server.
  3. Edit the cve-2021-26084-update.ps1 file and set the INSTALLATION_DIRECTORY: replace Set_Your_Confluence_Install_Dir_Here with your Confluence installation directory, for example:
    $INSTALLATION_DIRECTORY='C:\Program Files\Atlassian\Confluence'
  4. Save the file.
  5. Open up a Windows PowerShell (use Run As Administrator)
  6. Because PowerShell's default execution policy blocks unsigned script files, run the script with this exact command, which feeds the script to PowerShell on standard input instead of executing the .ps1 file directly:
    Get-Content .\cve-2021-26084-update.ps1 | powershell.exe -noprofile -
  7. The expected output should show the status of up to five files updated, encounter no errors (errors will usually show in red) and end with:
    Update completed!

    The number of files updated will differ, depending on your Confluence version.

  8. Start Confluence.

If you run Confluence in a cluster, make sure you run this script on all of your nodes.

Need help with this?

Give us a call, or request help here. As an Atlassian Platinum Solution Partner, we're here to help you keep all your Atlassian products running smoothly.

References:

Atlassian Article