Confluence Vulnerability Advisory | December 2021

Threat actors are actively exploiting vulnerabilities in Confluence Servers. Here's what you need to know.

Background

In September, Atlassian issued a security advisory for a vulnerability (CVE-2021-26084) affecting on-premise Confluence servers. The vulnerability allows an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. Although this vulnerability was disclosed in September, we are now hearing from threat intelligence sources that ransomware groups are actively exploiting the vulnerability to encrypt Confluence servers. Attacks have been observed impacting both Windows and Linux systems.


Quick facts: what you need to know now

  • The affected servers are:
      • Versions before 6.13.23
      • Versions 6.14.0 through 7.4.11
      • Versions 7.5.0 through 7.11.6
      • Versions 7.12.0 through 7.12.5
  • Attacks have been observed impacting both Windows and Linux systems.
  • An unauthenticated user can execute arbitrary commands on vulnerable servers, which grants them full control over the unpatched system. This gives threat actors the ability to compromise the system and execute malicious files such as ransomware.

Next Steps for All Confluence Server and Data Center Customers:

  1. Update to one of the released versions that contain the fix for the issue.
      1. Fixed versions: 6.13.23, 7.4.11, 7.11.6, 7.12.5, and 7.13.0
      2. If you are unable to upgrade Confluence immediately, you can mitigate the issue as a temporary workaround by running the script for the Windows- or Linux-based operating system that Confluence is hosted on.
  2. Review web server and system logs for suspicious login activity. If suspicious activity is identified during review:
      1. Reset all user admin credentials and ensure MFA is enabled.
      2. Immediately notify Corvus of a potential claim via the email or hotline listed on your policy. We will then connect you to counsel and a forensics firm to ensure your organization properly investigates, mitigates, and responds to the threat.

Additional Resources

Confluence security advisory: https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html


If you have any questions, please reach out to the Risk + Response Team at services@corvusinsurance.com!