
Security Update - Confluence Server and Data Center



Atlassian has released a security vulnerability notice that affects Confluence Server & Confluence Data Center products. If you use these products, see below for steps to address this vulnerability.

Summary of Vulnerability


Atlassian disclosed a critical severity security vulnerability that affects the following products:


Atlassian recommends that you:




CVE-2021-26084 - Confluence Server Webwork OGNL injection

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in the Atlassian severity levels. The scale allows Atlassian to rank the severity as critical, high, moderate, or low.

This is Atlassian's own assessment and you should evaluate its applicability to your own IT environment.


Description

An OGNL injection vulnerability exists that would allow an authenticated user, and in some instances unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. 

The vulnerable endpoints can be accessed by a non-administrator user, or by an unauthenticated user if ‘Allow people to sign up to create their account’ is enabled. To check whether this is enabled, go to COG > User Management > User Signup Options.

All versions of Confluence Server and Data Center prior to the fixed versions listed below are affected by this vulnerability.


Fix

Atlassian has taken the following steps to address this issue:


What You Need to Do

Atlassian recommends that you upgrade to the latest Long Term Support release. For a full description of the latest version, see the Confluence Server and Data Center Release Notes. You can download the latest version from the download center.


If you are running an affected version, upgrade to version 7.13.0 (LTS) or higher.

If you are running 6.13.x versions and cannot upgrade to 7.13.0 (LTS) then upgrade to version 6.13.23.

If you are running 7.4.x versions and cannot upgrade to 7.13.0 (LTS) then upgrade to version 7.4.11.

If you are running 7.11.x versions and cannot upgrade to 7.13.0 (LTS) then upgrade to version 7.11.6.

If you are running 7.12.x versions and cannot upgrade to 7.13.0 (LTS) then upgrade to version 7.12.5.
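As an added example (not Atlassian's or GLiNTECH's workaround script), the following POSIX shell functions encode the fixed versions listed above so that an administrator can triage the versions installed across a cluster before deciding between an upgrade and the temporary workaround. The version strings passed in are assumed to be of the form MAJOR.MINOR.PATCH.

```shell
#!/bin/sh
# Added example, not Atlassian's workaround script: classify a Confluence
# Server / Data Center version against the fixed versions in this advisory.

# Backported fix for a branch that cannot move to 7.13.0 (LTS).
# Prints the fixed patch number for the branch, or nothing if the only
# fix for that branch is the 7.13.0 LTS release.
backport_patch() {
  case "$1" in
    6.13) echo 23 ;;
    7.4)  echo 11 ;;
    7.11) echo 6  ;;
    7.12) echo 5  ;;
    *)    echo "" ;;
  esac
}

# confluence_affected VERSION
# Exit status: 0 = affected, 1 = fixed, 2 = version string not understood.
confluence_affected() {
  ver=$1
  case "$ver" in
    ""|*[!0-9.]*) return 2 ;;
  esac
  old_ifs=$IFS
  IFS=.
  set -- $ver            # split "7.12.4" into 7 12 4
  IFS=$old_ifs
  major=${1:-0}; minor=${2:-0}; patch=${3:-0}
  # 7.13.0 (LTS) and every later release carry the fix.
  if [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -ge 13 ]; }; then
    return 1
  fi
  # Otherwise only the listed backport on the same branch is fixed;
  # any other branch (7.5.x, 6.14.x, ...) must go to 7.13.0.
  fix=$(backport_patch "$major.$minor")
  if [ -n "$fix" ] && [ "$patch" -ge "$fix" ]; then
    return 1
  fi
  return 0
}

# upgrade_target VERSION
# Prints the lowest fixed release on the running branch: the backport if one
# exists, otherwise 7.13.0 (LTS). 7.13.0 remains the recommended target.
upgrade_target() {
  branch=${1%.*}          # "7.4.3" -> "7.4"
  fix=$(backport_patch "$branch")
  if [ -n "$fix" ]; then echo "$branch.$fix"; else echo "7.13.0"; fi
}
```

A typical call is `confluence_affected 7.12.4 && echo "upgrade to $(upgrade_target 7.12.4)"`, run once per node with that node's version.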



Mitigation

If you are unable to upgrade Confluence immediately, then as a temporary workaround, you can mitigate the issue by running the script below for the Operating System that Confluence is hosted on.


Confluence Server or Data Center Node running on Linux based Operating System

  1. Shut down Confluence.

  2. Download the cve-2021-26084-update.sh to the Confluence Linux Server.

  3. Edit the cve-2021-26084-update.sh file and set INSTALLATION_DIRECTORY to your Confluence installation directory, for example: 

    INSTALLATION_DIRECTORY=/opt/atlassian/confluence
  4. Save the file.

  5. Give the script execute permission. 

    chmod 700 cve-2021-26084-update.sh
  6. Change to the Linux user that owns the files in the Confluence Installation directory, for example: 

    $ ls -l /opt/atlassian/confluence | grep bin
    drwxr-xr-x  3 root       root   4096 Aug 18 17:07 bin
     
    # In this first example, we change to the 'root' user to run the workaround script
    $ sudo su root
     
     
    $ ls -l /opt/atlassian/confluence | grep bin
    drwxr-xr-x  3 confluence    confluence   4096 Aug 18 17:07 bin
     
    # In this second example, we need to change to the 'confluence' user to run the workaround script
    $ sudo su confluence
  7. Run the workaround script. 

    $ ./cve-2021-26084-update.sh
  8. The expected output should confirm up to five files updated and end with: 

    Update completed!

    The number of files updated will differ, depending on your Confluence version.

  9. Restart Confluence.

If you run Confluence in a cluster, make sure you run this script on all of your nodes.



Confluence Server or Data Center Node running on Microsoft Windows

  1. Shut down Confluence.

  2. Download the cve-2021-26084-update.ps1 to the Confluence Windows Server.

  3. Edit the cve-2021-26084-update.ps1 file and set the INSTALLATION_DIRECTORY. Replace Set_Your_Confluence_Install_Dir_Here with your Confluence installation directory, for example: 

    $INSTALLATION_DIRECTORY='C:\Program Files\Atlassian\Confluence'
  4. Save the file.

  5. Open up a Windows PowerShell (use Run As Administrator).

  6. Due to PowerShell’s default restrictive execution policy, run the script using this exact command, which pipes the file to PowerShell's standard input: 

    Get-Content .\cve-2021-26084-update.ps1 | powershell.exe -noprofile -
  7. The expected output should show the status of up to five files updated, encounter no errors (errors will usually show in red), and end with:

    Update completed!


    The number of files updated will differ, depending on your Confluence version.

  8. Start Confluence.

If you run Confluence in a cluster, make sure you run this script on all of your nodes.



Support

If you have questions or concerns regarding this advisory, or need assistance upgrading, contact the GLiNTECH team or your Account Manager. Alternatively, you can raise a support request through Atlassian.





Not sure how to proceed? 

GLiNTECH specialises in helping customers with their Atlassian tools.

As Atlassian Platinum partners we can assist you in all aspects of upgrading Confluence and ensuring this issue doesn't affect you.
We bring best practice experience and change management know-how to make sure your users experience minimum disruption.