The Australian government’s leading cyber agency has sounded an alarm over an exploitable vulnerability in several self-hosted versions of Atlassian Confluence, with some sources suggesting that a widespread breach is currently underway.
According to the Australian Cyber Security Centre (ACSC), Atlassian has disclosed an exploitable vulnerability in several self-hosted versions of Atlassian Confluence that allows threat actors to execute arbitrary code on the server and so take remote control of it. Atlassian has further confirmed that this can be accomplished by unauthenticated users.
Numerous sources have confirmed that threat actors are exploiting the remote code execution bug, with evidence emerging that some have used compromised systems to install cryptomining software.
According to Troy Mursch, chief research officer at Bad Packets, the vulnerability is currently being exploited the world over.
"I can confirm Bad Packets honeypots have detected mass scanning and exploit activity targeting the Atlassian Confluence RCE vulnerability CVE-2021-26084 from hosts in Russia, Hong Kong, Brazil, Poland and Romania," he said.
"Multiple proof-of-concepts have been published publicly demonstrating how to exploit this vulnerability."
On Friday, the US Cyber National Mission Force tweeted, “Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate. Please patch immediately if you haven’t already — this cannot wait until after the weekend.”
According to the ACSC, Atlassian has confirmed that the vulnerability does not affect Confluence Cloud customers.
To address the risk, the ACSC urges organisations that use the platform to identify any internet-facing instances of Confluence as a priority, followed by any internally facing instances of Confluence.
Atlassian has released an interim mitigation script and patch via the Atlassian security advisory.
According to Atlassian, “The vulnerability is being actively exploited in the wild. Affected servers should be patched immediately.
“The vulnerability is exploitable by unauthenticated users regardless of configuration.”