Advisory September 6, 2021

Security Updates for Confluence Server and Data Center

Obrela SOC

CVE-2021-26084 is being actively exploited in the wild; patch immediately.

On August 25, 2021, Atlassian released security updates to address a remote code execution vulnerability affecting Confluence Server and Data Center. Recently, exploitation attempts for CVE-2021-26084 have been seen in the wild.

The flaw is an OGNL injection issue that can be exploited by an authenticated attacker, and in some instances an unauthenticated user if “Allow people to sign up to create their account” is enabled, to execute arbitrary code on affected Confluence Server and Data Center instances. Threat actors actively exploit this vulnerability to take control of affected systems.

The affected versions are all releases before 6.13.23, from 6.14.0 before 7.4.11, from 7.5.0 before 7.11.6, and from 7.12.0 before 7.12.5.
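The following is an added example (not code from the Obrela advisory or from Atlassian) that encodes the affected version ranges above and triages a constructed host inventory against them, so that instances needing a patch can be identified quickly; the hostnames and versions in the sample are assumptions.

```python
# Added example: check Confluence Server / Data Center version strings against
# the affected ranges published for CVE-2021-26084 (OGNL injection).
import re

# Affected ranges as stated in the advisory: (lower bound inclusive or None,
# upper bound exclusive). Versions at or above an upper bound carry the fix.
AFFECTED_RANGES = [
    (None, (6, 13, 23)),        # every release before 6.13.23
    ((6, 14, 0), (7, 4, 11)),   # 6.14.0 up to, but not including, 7.4.11
    ((7, 5, 0), (7, 11, 6)),    # 7.5.0 up to, but not including, 7.11.6
    ((7, 12, 0), (7, 12, 5)),   # 7.12.0 up to, but not including, 7.12.5
]


def parse_version(text):
    """Turn '7.4.10' (a missing patch component counts as 0) into a comparable tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or "0"))


def is_affected(version):
    """True if the version falls inside one of the vulnerable ranges."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if (low is None or v >= low) and v < high:
            return True
    return False


def triage(inventory):
    """Map each host in {hostname: version} to a verdict string."""
    return {host: ("AFFECTED - patch" if is_affected(ver) else "not affected")
            for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"wiki-01": "6.13.22", "wiki-02": "7.4.11",
              "wiki-03": "7.12.4", "wiki-04": "7.13.0"}
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```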

CISA also published a security advisory to urge admins to apply the necessary updates.

Mitigation

If you are unable to upgrade Confluence immediately, you can mitigate the issue as a temporary workaround by running the scripts provided by Atlassian for the operating system on which Confluence is hosted.

Remediation

Atlassian recommends that you upgrade to the latest Long Term Support release. You can download the latest version from Atlassian’s download center.