CYBERCOM Warns that Critical Atlassian Vulnerability is Being Actively Exploited
On Friday, September 3, USCYBERCOM sent a tweet urging users to patch a critical vulnerability in Atlassian’s Confluence Server and Data Center. USCYBERCOM wrote, “Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate. Please patch immediately if you haven’t already— this cannot wait until after the weekend.” Atlassian updated its August 25 advisory on September 3.
Some clients are still very hesitant to do internal or assumed breach penetration tests. With all the ways into an environment (exposed services like this, identity abuse, phishing, insiders...), it's hard to justify ignoring. See also: The Emperor's New Clothes.
By the time you are reading this, consider all vulnerable Atlassian instances compromised. Only on-premise installs are affected. Atlassian already patched cloud instances.
This applies only to your self-hosted Confluence servers. The notice has been changed to reflect that exploitation does _NOT_ require an account on the system. Apply the patch to your Confluence servers now, and make sure that only those that need to be are exposed to the Internet. Double-check for additional services which may themselves be Internet-accessible and provide unintended exploitation paths.
Read more in:
Twitter: USCYBERCOM Cybersecurity Alert
ZDNet: US Cybercom says mass exploitation of Atlassian Confluence vulnerability 'ongoing and expected to accelerate'
Dark Reading: US Cyber Command Warns of Ongoing 'Mass Exploitation' of Critical Confluence Vuln
Cyberscoop: Cyber Command alerts US firms of 'ongoing' hacks targeting Atlassian enterprise software
Atlassian: Confluence Security Advisory - 2021-08-25