US officials warn of “mass exploitation” of Atlassian Confluence flaw

Hackers are exploiting a vulnerability in the on-premise Atlassian Confluence workplace collaboration platform on a massive scale, with businesses urged to patch their systems without delay.

US Cyber Command issued a public notice just before the weekend warning that mass exploitation of the remote code execution flaw tracked as CVE-2021-26084 is “ongoing and expected to accelerate”.

“Please patch immediately if you haven’t already,” the notice added. “This cannot wait until after the weekend.”

Confluence is a workplace collaboration platform that allows teams to work together remotely on projects or ideas.

The vulnerability, which is embedded in the Atlassian Confluence Server and Confluence Data Center products, can allow an unauthorised attacker to execute arbitrary code on either of the affected platforms.

Confluence Cloud, which is hosted on public cloud environments, isn’t affected by the flaw. Rather, the on-premises versions of the product are those susceptible to exploitation.

It’s rated 9.8 on the CVSS threat severity scale out of ten, suggesting it’s highly exploitable. The firm had never publicly revealed the precise exploit mechanisms, though, beyond describing the flaw as a Confluence Server Webwork OGNL injection. This was presumably to avoid fuelling any future attacks before businesses had a chance to apply the fix.

Atlassian disclosed this vulnerability a couple of weeks ago and urged businesses to patch their systems at the time. However, cyber criminals from around the world have since been detected as scanning for vulnerable systems and launching attacks.

The threat intelligence firm Bad Packets, for example, detected mass scanning and exploit activity from hosts in a number of regions including China and Brazil earlier last week.

Atlassian previously addressed a serious vulnerability in its system that could allow hackers to compromise user accounts, and control several apps that users can access seamlessly through a single sign-on (SSO) feature.

This latest vulnerability in Confluence is just one of many serious vulnerabilities that have been exploited during 2021, with the rate of successfully abused zero-days surging over the last few months.