A critical Atlassian Confluence vulnerability (CVE-2021-26084) is being heavily exploited in the wild. Attacks are "expected to accelerate", US Cyber Command warned on Friday -- urging immediate patching and noting that this "cannot wait until after the weekend". Yet as Sunday dawned there were still 8,597 vulnerable Confluence instances exposed to the internet, according to analysis by attack surface management specialist Censys.
Meanwhile, a growing number of organisations were admitting that exploitation of exposed Confluence servers had left them breached. Jenkins -- the open source CI/CD automation server project -- was among those confirming it had been hit (albeit via a deprecated server with limited data on it and no scope to pivot elsewhere), as was the team behind the MidnightBSD operating system.
Critical Confluence vulnerability: 8,500+ exposed
Over 13,500 servers were initially exposed, Censys said, with the number falling over several days to 8,597 as of Sunday, September 5, 2021. The vulnerability is an OGNL (Object-Graph Navigation Language) injection, the same class of bug behind the devastating 2017 Equifax breach of an unpatched Apache Struts server. It lets unauthenticated, remote attackers execute arbitrary code on a Confluence Server or Data Center instance; per Atlassian's advisory, unauthenticated exploitation is possible when "Allow people to sign up to create their account" is enabled.
The affected software is:
- Atlassian Confluence Server and Data Center before 6.13.23 (all 4.x, 5.x and earlier 6.x releases included)
- Atlassian Confluence Server and Data Center 6.14.0 before 7.4.11
- Atlassian Confluence Server and Data Center 7.5.0 before 7.11.6
- Atlassian Confluence Server and Data Center 7.12.0 before 7.12.5
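As an added example (not Atlassian's code, nor part of the original article), the following Python check maps a Confluence version string onto the affected ranges listed above and names the nearest fixed release on that branch. The hostnames and versions in the sample inventory are constructed; the only facts it relies on are the version ranges given in the list.

```python
"""Map Confluence Server / Data Center version strings onto the
CVE-2021-26084 affected ranges.  Added example; not Atlassian's code."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# (inclusive lower bound, exclusive upper bound), taken from the affected
# version list above.  Each upper bound is the first fixed release on that
# branch, which is why a version equal to it is NOT vulnerable.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((0, 0, 0), (6, 13, 23)),   # everything before 6.13.23, 4.x/5.x included
    ((6, 14, 0), (7, 4, 11)),
    ((7, 5, 0), (7, 11, 6)),
    ((7, 12, 0), (7, 12, 5)),
]


def parse_version(text: str) -> Version:
    """Turn '7.4.11', '7.4' or '7.4.11-SNAPSHOT' into a 3-tuple of ints.

    Only the leading numeric components are compared; suffixes such as
    '-rc1' are ignored, and missing components are treated as 0.
    """
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    major, minor, patch = (int(p) if p is not None else 0 for p in m.groups())
    return (major, minor, patch)


def recommended_fix(version: str) -> Optional[str]:
    """Return the nearest fixed release for a vulnerable version, else None."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(map(str, hi))
    return None


def is_vulnerable(version: str) -> bool:
    """True when the version falls inside one of the affected ranges."""
    return recommended_fix(version) is not None


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Split a {hostname: version} inventory into patch_now / ok buckets.

    Anything whose version cannot be parsed lands in patch_now: an unknown
    version is treated as vulnerable until proven otherwise.
    """
    result: Dict[str, List[str]] = {"patch_now": [], "ok": []}
    for host, version in sorted(inventory.items()):
        try:
            bucket = "patch_now" if is_vulnerable(version) else "ok"
        except ValueError:
            bucket = "patch_now"
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up.
    sample = {
        "wiki-legacy": "6.13.12",
        "wiki-prod": "7.12.3",
        "wiki-dc": "7.13.0",
        "wiki-test": "unknown",
    }
    for host, version in sorted(sample.items()):
        try:
            fix = recommended_fix(version) or "not affected"
        except ValueError:
            fix = "unparseable version, treat as vulnerable"
        print(f"{host:12} {version:10} -> {fix}")
    print(triage(sample))
```

Feed it the version reported in Confluence's admin console or the `/rest/api/settings/systemInfo`-style banner your inventory tooling already collects; the point of the exclusive upper bound is that 7.4.11, 7.11.6 and 7.12.5 are the first safe releases on their branches, so "up to and including" arithmetic would wrongly flag them.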
Fixed versions are 6.13.23, 7.4.11, 7.11.6, 7.12.5 and 7.13.0; Atlassian's guidance is here.
Jenkins breached amid mass exploitation of CVE-2021-26084
By Sunday, September 5 there were still 8,597 vulnerable Confluence instances out there for the taking, according to excellent analysis by Censys, which also charts the less-than-blistering pace of patching...
Mercifully for Jenkins' maintainers, their Confluence server had been made read-only and effectively deprecated for day-to-day use in October 2019: "We have no reason to believe that any Jenkins releases, plugins, or source code have been affected", Mark Waite and R. Tyler Croy wrote on September 4, although various documents appear to have remained on the server. (The attackers installed a Monero miner... quelle surprise)
MidnightBSD meanwhile noted on September 5: "One of our servers had a security breach. We're not sure the extent of damage yet. At this time, we don't believe there is any concern about packages, isos, etc."
They added in a Twitter thread: "The server in question had multiple responsibilities including databases and file storage. It was our staging area for packages before they were copied to our primary FTP. We believe the breach occurred on Thursday. 2 processes were running on the host system (not jails). They got in through the recent confluence exploit. Patch your servers now."