Learn About the CVE-2021-26084 Vulnerability
At a time when everyone (even the FTC) is likely obsessed with closing the latest Log4j vuln, we want to make sure you don’t forget about other vulnerabilities that deserve your attention. So we’re opening our 2022 Vuln of the Month series by revisiting an extremely high-risk Atlassian Confluence vulnerability from August that is still being actively exploited to mine cryptocurrency.
Left unaddressed, CVE-2021-26084 poses a serious risk for organizations running affected versions of Atlassian Confluence Server and Data Center. This OGNL (Object-Graph Navigation Language) injection vulnerability gives an attacker remote code execution (RCE) on the Confluence host. Our research shows that CVE-2021-26084 meets many of the criteria that, in our data, predict active exploitation, including:
- Access complexity: Low
- Potential attack surface: Global
- Exploitable remotely: Yes
- Authentication/privilege requirements: None
- Potential impact on availability: Partial
- Exploit code published: Yes
- Active exploits observed: Yes
The Kenna Risk Score for CVE-2021-26084 is 100, the highest score Kenna assigns to any vulnerability. Just 0.21% of CVEs earn a score this high. A Kenna Risk Score of 100 should qualify as “Critical” on anyone’s fix list, and in this case even CVSS 3.1 (with a “Critical” score of 9.8) acknowledges the seriousness of this vuln. CVSS 2.0 is a different story, assigning just 7.5, a “High” rating, to this clearly high-risk CVE. The difference highlights an important distinction between scoring systems: because a CVSS base score is computed from the vulnerability’s intrinsic characteristics and ignores context such as observed exploitation, it can mislead security teams into thinking a vuln is less serious than it is. (Still using CVSS? We recommend looking into replacing simple vulnerability scores with true risk scores.)
Why CVE-2021-26084 matters
Since this CVE was first published, we’ve tracked more than 425 successful exploitations worldwide, and its Kenna Risk Score rose progressively through August and into September as exploits piled up and more was learned about how attackers were using it against Confluence customers. Ahead of the Labor Day weekend, US Cybercom tweeted a grim warning alerting security teams to the criticality of this CVE: “Patch immediately if you haven’t already,” the alert read. “This cannot wait until after the weekend.”
CVE-2021-26084 allows an authenticated user (and in some instances an unauthenticated one) to execute arbitrary code on a Confluence Server or Data Center instance. Any RCE vulnerability is worth addressing, but this one has seen such active exploitation that its risk level is higher than 99.98% of all CVEs scored by Kenna.
By now, most enterprises with Confluence Server and Data Center instances are likely to have remediated this vulnerability, but anyone who hasn’t is leaving their organization open to massive headaches. Attackers were observed installing and running the XMRig cryptocurrency miner on affected systems, just one of several post-exploitation payloads observed. Affected are Confluence Server and Data Center versions before 6.13.23, from 6.14.0 before 7.4.11, from 7.5.0 before 7.11.6, and from 7.12.0 before 7.12.5. Confluence Cloud is not affected.
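Because the affected ranges above have gaps between them (6.13.23 through 6.13.x and 7.4.11 through 7.4.x are fixed, for example), it is easy to misread a version string by hand. As an added example, not Kenna’s or Atlassian’s code, here is a small Python check that encodes those four ranges, reports whether a given version is affected, and names the first fixed release on that branch. The `ajs-version-number` meta tag it pulls from a saved Confluence page is an assumption about Confluence’s HTML, and the host inventory at the bottom is constructed sample data; verify both against your own instance.

```python
"""Affected-version check for CVE-2021-26084 (Confluence Server / Data Center).

Added example; not code from Kenna Security or Atlassian. The affected ranges
are the four listed in the text; the upper bound of each range is the first
fixed release on that branch.
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges as (lower bound inclusive, upper bound exclusive).
# A lower bound of None means "every release before the upper bound".
AFFECTED_RANGES = [
    (None,        (6, 13, 23)),   # all versions before 6.13.23
    ((6, 14, 0),  (7, 4, 11)),    # 6.14.0 <= v < 7.4.11
    ((7, 5, 0),   (7, 11, 6)),    # 7.5.0  <= v < 7.11.6
    ((7, 12, 0),  (7, 12, 5)),    # 7.12.0 <= v < 7.12.5
]

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Version:
    """Turn '7.12.4', '7.12' or '7.13.0-m1' into a comparable (major, minor, patch).

    A missing patch number is treated as 0. Pre-release/build suffixes are
    ignored, so compare milestone builds against the advisory by hand.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Confluence version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def _matching_range(v: Version):
    """Return the (lower, upper) range containing v, or None if it is in none."""
    for lower, upper in AFFECTED_RANGES:
        if (lower is None or v >= lower) and v < upper:
            return lower, upper
    return None


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the affected ranges."""
    return _matching_range(parse_version(version)) is not None


def fixed_version_for(version: str) -> Optional[str]:
    """First fixed release on the same branch, or None if not affected."""
    r = _matching_range(parse_version(version))
    if r is None:
        return None
    return ".".join(str(n) for n in r[1])


# Assumption: Confluence pages carry <meta name="ajs-version-number" content="...">.
# This pulls the version out of a saved page so an inventory can be triaged offline.
_META_RE = re.compile(
    r'<meta\s+name="ajs-version-number"\s+content="([^"]+)"', re.IGNORECASE)


def version_from_html(html: str) -> Optional[str]:
    """Extract the Confluence version from a page's HTML, or None if absent."""
    m = _META_RE.search(html)
    return m.group(1) if m else None


def triage(inventory: List[Tuple[str, str]]):
    """Map host -> (version, affected?, fixed version) for (host, version) pairs."""
    return {host: (ver, is_affected(ver), fixed_version_for(ver))
            for host, ver in inventory}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        ("wiki-a.example.internal", "7.12.4"),   # affected, fix is 7.12.5
        ("wiki-b.example.internal", "7.4.11"),   # first fixed release on 7.4.x
        ("wiki-c.example.internal", "6.13.22"),  # affected, fix is 6.13.23
        ("wiki-d.example.internal", "7.13.0"),   # never affected
    ]
    for host, (ver, hit, fix) in triage(sample).items():
        status = f"AFFECTED -> upgrade to {fix}" if hit else "not affected"
        print(f"{host:28} {ver:8} {status}")
```

Versions that sit between two ranges (6.13.24, 7.4.12, 7.11.7 and so on) are correctly reported as not affected, since each range’s upper bound is the fix for that branch. The check only answers “is this build in a vulnerable range”; it does not tell you whether a still-vulnerable instance has already been compromised, which is a separate investigation.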
Ease of exploitation, low to no authentication requirements, and numerous successful remote exploitations make CVE-2021-26084 a priority for affected customers.
On Aug. 25, Atlassian issued an advisory directing administrators to the fixed releases (the first fixed version on each affected branch: 6.13.23, 7.4.11, 7.11.6, and 7.12.5, plus 7.13.0 and later). For those unable to upgrade their instances immediately, the advisory also details a temporary workaround; treat it as a stopgap until you can upgrade, not as a substitute.
Watch this space for regular Vuln of the Month spotlights, which appear on Exploit Wednesday, the day following Microsoft’s monthly Patch Tuesday patch release. Meanwhile, if you find yourself chasing new and emerging vulns but never quite catching up, learn more about how Kenna Security can help you focus on your highest-risk vulnerabilities, rather than headlines, thanks in part to our vulnerability intelligence powered by machine learning.