Slow Uptake on Critical Confluence Update

Last week, Atlassian released details about a critical vulnerability in its popular Confluence enterprise wiki service, urging customers to upgrade as soon as possible because the bug could be used for arbitrary code execution. However, it doesn’t appear that many organizations have taken the warning seriously.

The vulnerability (CVE-2021-26084) affects all versions of Confluence Server and Data Center prior to 6.13.23, 7.11.6, 7.12.5, 7.13.0, or 7.4.11, and it’s an issue in the way the Object-Graph Navigation Language interprets some HTML fields. A security researcher named Jacob Benny discovered and disclosed the flaw to Atlassian, which has released updated versions for all of the affected products.

But new data collected by Censys shows that only a small fraction of the vulnerable instances have been updated since Atlassian published its advisory on Aug. 25. A few days before the advisory came out, Censys found 14,637 vulnerable instances online, and on Wednesday that number had only dropped to 12,876. That’s not much of a change in a week, particularly given the critical nature of the flaw.

“An attacker can leverage this vulnerability to execute any command with the same permissions as the user-id running the service. An attacker can then use this access to gain elevated administrative permissions if the host has unpatched local vulnerabilities,” Mark Ellzey, a senior security researcher at Censys, wrote in an analysis of the data the company collected on the bug.

“There is no way to put this lightly: this is bad. Initially, Atlassian stated this was only exploitable if a user had a valid account on the system; this was found to be incorrect and the advisory was updated today to reflect the new information. It’s only a matter of time before we start seeing active exploitation in the wild as there have already been working exploits found scattered about.”

Not only have the details in the Atlassian advisory been public for more than a week, but so have the details from the researcher himself, who has published walkthroughs of the bug online. Enterprises running on-premises Confluence instances should move to the most recent release as soon as is practical.
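
An inventory check built from the fixed releases listed above for CVE-2021-26084, as an added example that is not code from the article, Censys or Atlassian. It assumes that a release branch with no fixed version of its own (for example 7.9.x) is affected and that later patch releases on a fixed branch keep the fix; the hostnames and sample inventory are constructed.

```python
import re

# Fixed releases named in the article, keyed by (major, minor) branch.
FIXED = {(6, 13): 23, (7, 4): 11, (7, 11): 6, (7, 12): 5}
FIRST_FIXED_BRANCH = (7, 13)  # 7.13.0 and later carry the fix

def parse_version(text):
    """Return (major, minor, patch) from strings such as '7.4.10' or '6.13.9-m01'."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def is_affected(version):
    """True if the version predates the fix for CVE-2021-26084."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch >= FIRST_FIXED_BRANCH:
        return False
    if branch in FIXED:
        return patch < FIXED[branch]
    # Assumption: a branch with no fixed release of its own is affected.
    return True

def triage(inventory):
    """Take a hostname -> version map; return sorted hosts that still need the upgrade."""
    flagged = []
    for host, version in inventory.items():
        try:
            if is_affected(version):
                flagged.append(host)
        except ValueError:
            flagged.append(host)  # version unreadable: review by hand
    return sorted(flagged)

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "wiki-a.example.internal": "7.4.10",
    "wiki-b.example.internal": "7.4.11",
    "wiki-c.example.internal": "6.13.23",
    "wiki-d.example.internal": "7.9.3",
    "wiki-e.example.internal": "7.13.0",
    "wiki-f.example.internal": "unknown",
}

if __name__ == "__main__":
    for host in triage(SAMPLE):
        print(f"{host}\t{SAMPLE[host]}\tupgrade required")
```

Hosts whose version string cannot be parsed are flagged rather than skipped, so an incomplete inventory does not hide an unpatched instance.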