Atlassian warns of critical Confluence flaw
9.8-rated bug allows arbitrary code execution – possibly without authentication
Atlassian has warned users of its Confluence Server that they need to patch the product to remedy a Critical-rated flaw.
The company's not saying a lot about CVE-2021-26084, besides describing it as a "Confluence Server Webwork OGNL injection vulnerability … that would allow an authenticated user, and in some instances unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance."
The bug scores 9.8 on the ten-point Common Vulnerability Scoring System.
Atlassian has released fixed versions of the product – namely versions 6.13.23, 7.4.11, 7.11.6, 7.12.5, and 7.13.0 – but the company's advisory suggests upgrading to the latest long-term service release.
That means version 7.13, which was released last week – nine days before disclosure of this flaw.
Atlassian's advisory notes that a full upgrade to 7.13 is not possible for all users. Those who cannot make that jump should first move to the fixed release on their current line (6.13.23, 7.4.11, 7.11.6 or 7.12.5), which closes the hole without a major version change, and consider the step to version 7.13 later.
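The patch guidance above boils down to a per-branch version comparison, which is easy to get wrong by hand across a fleet of instances. The following is an added example (not Atlassian's code, and not part of the original article) that encodes the fixed releases named in the advisory and classifies an installed version as patched or in need of an upgrade. It assumes nothing about the affected-version range beyond what is reported here: any version that is not at or above a fixed release on its own line, or at 7.13.0 or later, is treated conservatively as needing an upgrade, and versions on lines with no fixed release (7.10.x, for instance) are pointed at the lowest fixed release above them, matching the advisory's "step up" path. The inventory of hostnames and versions is constructed sample data.

```python
"""Classify installed Confluence Server / Data Center versions against the
fixed releases Atlassian published for CVE-2021-26084.

Added example, not Atlassian's code. Assumption: a version is 'patched' only
if it is >= a fixed release on its own MAJOR.MINOR line, or >= 7.13.0; every
other version is reported as needing an upgrade.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases named in Atlassian's advisory for CVE-2021-26084.
FIXED_VERSIONS = ("6.13.23", "7.4.11", "7.11.6", "7.12.5", "7.13.0")

# The long-term service release the advisory recommends moving to.
RECOMMENDED_LTS = "7.13.0"

# Constructed sample inventory (hostname -> reported Confluence version).
SAMPLE_INVENTORY = {
    "wiki-prod-01": "7.4.10",
    "wiki-prod-02": "7.13.0",
    "wiki-legacy": "6.13.20",
    "wiki-dev": "7.10.2",
}


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH]'; a trailing suffix such as '-beta1' is ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Confluence version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def format_version(v: Version) -> str:
    return ".".join(str(part) for part in v)


def check_version(installed: str) -> Tuple[str, Optional[str]]:
    """Return (status, target).

    status is 'patched' or 'upgrade'. For 'upgrade', target is the fixed
    release on the installed MAJOR.MINOR line if one exists, otherwise the
    lowest fixed release above the installed version.
    """
    inst = parse_version(installed)
    fixed = sorted(parse_version(v) for v in FIXED_VERSIONS)

    # 7.13.0 and anything newer carries the fix.
    if inst >= parse_version(RECOMMENDED_LTS):
        return "patched", None

    # Is there a fixed release on the same MAJOR.MINOR line?
    same_line = [f for f in fixed if f[:2] == inst[:2]]
    if same_line:
        target = same_line[0]
        if inst >= target:
            return "patched", None
        return "upgrade", format_version(target)

    # No fix on this line: step up to the nearest fixed release above it.
    # inst < 7.13.0 here, so this list is never empty.
    above = [f for f in fixed if f > inst]
    return "upgrade", format_version(above[0])


def audit(inventory: Dict[str, str]) -> List[Tuple[str, str, str, Optional[str]]]:
    """Run check_version over a {hostname: version} map, upgrades listed first."""
    rows = []
    for host, version in inventory.items():
        status, target = check_version(version)
        rows.append((host, version, status, target))
    rows.sort(key=lambda r: (r[2] != "upgrade", r[0]))
    return rows


if __name__ == "__main__":
    for host, version, status, target in audit(SAMPLE_INVENTORY):
        line = f"{host:14} {version:10} {status}"
        if target:
            line += f" -> {target}"
        print(line)
```

Feeding it a real inventory (pulled from each instance's /rest/api/settings/systemInfo endpoint or from your CMDB) gives a list sorted with the hosts that still need attention first. Note the deliberate conservatism: an instance on a line the advisory does not name as fixed is always reported as needing an upgrade, even if Atlassian's full affected-version table (not reproduced in this article) were to exclude it.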
Atlassian's own Confluence Cloud has been patched. Other hosted Confluence offerings may be vulnerable; check with your service provider.
Atlassian's documentation for the bug is not very detailed. It almost certainly refers to the Object-Graph Navigation Language (OGNL), an expression language for getting and setting properties of Java objects, evaluated here by WebWork, the web framework on which Confluence's server-side actions are built. OGNL expressions can call arbitrary Java methods, which is why letting attacker-controlled input reach the expression evaluator, the "injection" of the advisory's title, is typically enough for code execution on the server. Atlassian hasn't mentioned whether the flaw has its roots in open-source code, or its own efforts. The Register cannot find a reference to the flaw beyond the Australian company's advisory and documents.
The flaw was discovered by Benny Jacob (SnowyOwl) through the Atlassian public bug bounty program. ®