
Description and Immediate Mitigation Steps

Vulnerability Information:

    • Severity: Atlassian classifies this vulnerability as “Critical.”
    • Versions Impacted: 7.19, 8.0, 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7.1
    • Vulnerability Type: It is a Remote Code Execution (RCE) vulnerability, which means that attackers can execute malicious code on vulnerable systems.
    • CVE Identifier: The specific vulnerability is tracked as CVE-2024-21674.
    • CVSS Score: Atlassian assigned a maximum CVSS score of 10 to this vulnerability, highlighting its severity. This score is due to the ease with which attackers can achieve RCE in a low-complexity attack without requiring authentication.
    • Atlassian has not found any evidence of active exploitation of CVE-2024-21674 in the wild. This suggests that, at the time of the advisory, the vulnerability had not been used by malicious actors.
    • The vulnerability was initially discovered and reported by security researcher Petrus Viet on December 13 as part of Atlassian’s bug bounty program.
    • Despite the bug having been fixed by the time of the report (due to the implementation of OGNL Guard), Atlassian still acknowledged the researcher’s efforts.
    • Confluence customers who run instances not connected to the internet and do not allow anonymous access may still be vulnerable to this particular vulnerability. The advisory underscores that the existence of multiple potential entry points and the potential for chained attacks make it challenging to list all possible indicators of compromise.

Affected Versions:

    • The vulnerability impacts Atlassian Confluence Data Center and Server versions, particularly version 8.
    • Users of these versions are at risk if they have not updated to at least version 8.5.4, which was released on December 5th.

Recommended Actions:

    • To mitigate the risk associated with this critical vulnerability, Atlassian strongly recommends that all Confluence Data Center customers update to one of the hotfix versions below:
    • Confluence Data Center and Server 7.19: Upgrade to release 7.19.18 or any higher 7.19.x release
    • Confluence Data Center and Server 8.5: Upgrade to release 8.5.5 or any higher 8.5.x release
    • Confluence Data Center 8.7: Upgrade to release 8.7.2 or any higher release
    • As a secondary mitigation, move the service behind a firewall to limit exposure until the hotfix is deployed.
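As an added example (not from Atlassian and not part of the original post), the POSIX shell function below classifies a Confluence version string against the hotfix table above, so an inventory of instances can be checked before deciding which ones still need the upgrade. It assumes versions are written MAJOR.MINOR.PATCH (a missing patch number counts as 0); any line the advisory does not list is reported as not-listed rather than guessed.

```shell
#!/bin/sh
# Added example: classify a Confluence version against the advisory's fixed releases.
# Prints one of: fixed / vulnerable / not-listed / invalid.
# Assumption: input looks like MAJOR.MINOR.PATCH; a missing patch is treated as 0.

confluence_fix_status() {
    ver="$1"
    case "$ver" in
        ""|*[!0-9.]*) echo invalid; return 2 ;;   # reject anything but digits and dots
    esac
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -s -f2)  # -s: empty when no dot is present
    patch=$(printf '%s' "$ver" | cut -d. -s -f3)
    minor=${minor:-0}
    patch=${patch:-0}

    case "$major.$minor" in
        7.19) [ "$patch" -ge 18 ] && echo fixed || echo vulnerable ;;  # 7.19.18+
        8.5)  [ "$patch" -ge 5 ]  && echo fixed || echo vulnerable ;;  # 8.5.5+
        8.7)  [ "$patch" -ge 2 ]  && echo fixed || echo vulnerable ;;  # 8.7.2+
        8.0|8.1|8.2|8.3|8.4|8.6)
            # Impacted lines with no hotfix of their own: move to a fixed line.
            echo vulnerable ;;
        *)
            # "8.7.2 or any higher release": 8.8 and later, and any later major.
            if [ "$major" -gt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -ge 8 ]; }; then
                echo fixed
            else
                echo not-listed   # not in the advisory's impacted list (e.g. 7.18)
            fi ;;
    esac
}

# Stand-alone demonstration over constructed sample versions.
for v in 7.19.17 7.19.18 8.2.0 8.5.4 8.5.5 8.6.1 8.7.1 8.7.2 8.8.0 7.18.0; do
    printf '%-8s %s\n' "$v" "$(confluence_fix_status "$v")"
done
```

The function deliberately does not claim a verdict for lines the advisory never mentions; feed it the version string each instance reports and treat anything other than fixed as work to schedule.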

Standard Manual Upgrade Steps:

    • Notify users of outage for critical hotfixing
    • Stop services across all nodes
    • Backup existing database and shared home prior to upgrade
    • Make copies of setenv.sh and server.xml from the bin and conf folders of the application install directory (these hold critical settings we want to propagate again after the upgrade)
    • Download the hotfix from the Atlassian archives
    • Apply the upgrade, do not auto-start services
    • Copy back the setenv.sh, server.xml, and any other customized files you had to copy during the upgrade process
    • Restart services and perform smoke testing once Confluence is available.


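The script below is an added example, not Atlassian tooling and not part of the original post. It turns the backup, preserve and restore steps of the list above into shell functions so they run identically on every node: the customised files are copied aside before the hotfix, the shared home is archived, and after the upgrade the files are copied back and verified byte-for-byte against the preserved copies. It assumes the operator supplies INSTALL_DIR, SHARED_HOME and BACKUP_DIR (the paths in the usage comment are the installer's conventional defaults and are only illustrative); the database backup step is vendor-specific and is left out.

```shell
#!/bin/sh
# Added example: preserve customised Confluence files across a manual hotfix upgrade.
# Assumptions: INSTALL_DIR is the Confluence install directory, SHARED_HOME the
# shared home, BACKUP_DIR a writable location. Database backup is not covered here.

# Files the upgrade overwrites but whose settings must survive it (from the steps above).
PRESERVED_FILES="bin/setenv.sh conf/server.xml"

# Pre-upgrade: copy each customised file aside, keeping its relative path and mode.
preserve_custom_config() {
    install_dir="$1"; backup_dir="$2"
    for f in $PRESERVED_FILES; do
        [ -f "$install_dir/$f" ] || { echo "missing $install_dir/$f" >&2; return 1; }
        mkdir -p "$backup_dir/config/$(dirname "$f")"
        cp -p "$install_dir/$f" "$backup_dir/config/$f"
    done
}

# Pre-upgrade: snapshot the shared home as a single archive.
backup_shared_home() {
    shared_home="$1"; backup_dir="$2"
    [ -d "$shared_home" ] || { echo "no shared home at $shared_home" >&2; return 1; }
    mkdir -p "$backup_dir"
    tar -C "$(dirname "$shared_home")" -cf "$backup_dir/shared-home.tar" "$(basename "$shared_home")"
}

# Post-upgrade: put the customised files back and confirm each matches its preserved copy.
restore_custom_config() {
    install_dir="$1"; backup_dir="$2"
    for f in $PRESERVED_FILES; do
        [ -f "$backup_dir/config/$f" ] || { echo "no preserved copy of $f" >&2; return 1; }
        cp -p "$backup_dir/config/$f" "$install_dir/$f"
        cmp -s "$backup_dir/config/$f" "$install_dir/$f" \
            || { echo "restore of $f failed verification" >&2; return 1; }
    done
}

# Usage, once services are stopped on every node (example paths, adjust to your install):
#   INSTALL_DIR=/opt/atlassian/confluence \
#   SHARED_HOME=/var/atlassian/application-data/confluence/shared-home \
#   BACKUP_DIR=/backups/confluence-$(date +%F) sh preserve-config.sh pre-upgrade
#   ... apply the hotfix, do not auto-start services ...
#   INSTALL_DIR=... BACKUP_DIR=... sh preserve-config.sh post-upgrade
case "${1:-}" in
    pre-upgrade)  preserve_custom_config "$INSTALL_DIR" "$BACKUP_DIR" \
                  && backup_shared_home "$SHARED_HOME" "$BACKUP_DIR" ;;
    post-upgrade) restore_custom_config "$INSTALL_DIR" "$BACKUP_DIR" ;;
esac
```

Because restore_custom_config fails when a preserved copy is missing or the restored file differs, a broken backup is caught before services are restarted rather than during smoke testing.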
Conclusion:

The advisory regarding the critical Remote Code Execution (RCE) vulnerability, CVE-2024-21674, in Atlassian Confluence is of utmost importance. With a maximum CVSS score of 10, this vulnerability poses a significant threat, allowing unauthenticated attackers to potentially compromise Confluence instances.

To safeguard their systems and prevent the potential leakage of sensitive information and malicious attacks, all Confluence Data Center and Server users are strongly urged to take immediate action by updating their installations to the latest version, 8.5.5. Timely updates are essential to mitigate the risk and ensure the security of their Confluence environments.