Atlassian warns of critical Confluence flaw

9.8-rated bug allows arbitrary code execution – possibly without authentication


Atlassian has warned users of its Confluence Server that they need to patch the product to remedy a Critical-rated flaw.

The company's not saying a lot about CVE-2021-26084, besides describing it as a "Confluence Server Webwork OGNL injection vulnerability … that would allow an authenticated user, and in some instances unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance."

The bug scores 9.8 on the ten-point Common Vulnerability Scoring System.

Atlassian has released fixed versions of the product – namely versions 6.13.23, 7.4.11, 7.11.6, 7.12.5, and 7.13.0 – but the company's advisory suggests upgrading to the latest long-term service release.

That means version 7.13, which was released last week – nine days before disclosure of this flaw.

Atlassian's advisory notes that a full upgrade is not possible for all users, so they need to step up to the clean double-point versions mentioned above before contemplating the step to version 7.13.

Atlassian's own Confluence Cloud has been patched. Other hosted Confluence offerings may be vulnerable - check with your service provider.

Atlassian's documentation for the bug is not very detailed. It almost certainly refers to the Object-Graph Navigation Language (OGNL), a project that offers an expression language for getting and setting properties of Java objects. Atlassian hasn't mentioned whether the flaw has its roots in open-source code, or its own efforts. The Register cannot find a reference to the flaw beyond the Australian company's advisory and documents.

The flaw was discovered by Benny Jacob (SnowyOwl) through the Atlassian public bug bounty program. ®

Similar topics


Other stories you might like

Biting the hand that feeds IT © 1998–2021