Confluence Critical Severity Security Vulnerability

This post discloses a critical severity security vulnerability affecting Confluence Server and Data Center customers running the versions listed below.

Confluence security

Atlassian has published an advisory for a security vulnerability it rates as critical on its severity levels scale. It impacts the following Confluence Server and Data Center versions: all versions before 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.

Summary of vulnerability

Affected products: Confluence Server and Confluence Data Center.

Please note, Atlassian Cloud customers are not affected by the contents of this blog post.

Customers who have upgraded to versions 6.13.23, 7.11.6, 7.12.5, 7.13.0, or 7.4.11 are also unaffected by this vulnerability.

Confluence Server and Data Center – CVE-2021-26084 – Confluence Server Webwork OGNL injection

An OGNL injection vulnerability exists that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code in a Confluence Server or Data Center instance.

Fixed versions:

  • 6.13.23
  • 7.4.11
  • 7.11.6
  • 7.12.5
  • 7.13.0

Affected versions:

  • All 4.x.x versions
  • All 5.x.x versions
  • All 6.0.x versions
  • All 6.1.x versions
  • All 6.2.x versions
  • All 6.3.x versions
  • All 6.4.x versions
  • All 6.5.x versions
  • All 6.6.x versions 
  • All 6.7.x versions
  • All 6.8.x versions
  • All 6.9.x versions
  • All 6.10.x versions
  • All 6.11.x versions
  • All 6.12.x versions 
  • All 6.13.x versions before 6.13.23
  • All 6.14.x versions 
  • All 6.15.x versions 
  • All 7.0.x versions
  • All 7.1.x versions
  • All 7.2.x versions
  • All 7.3.x versions
  • All 7.4.x versions before 7.4.11
  • All 7.5.x versions
  • All 7.6.x versions 
  • All 7.7.x versions
  • All 7.8.x versions
  • All 7.9.x versions
  • All 7.10.x versions
  • All 7.11.x versions before 7.11.6
  • All 7.12.x versions before 7.12.5

What to do?

lewis-clearvision

Atlassian is advising customers who have downloaded and installed the versions listed above to upgrade their installations immediately. As an Atlassian Platinum Solution Partner, Clearvision can help by advising on a suitable mitigation strategy. Please note, ClearHost customers needn’t worry, as we have already mitigated the threat of this vulnerability on your behalf.

Workarounds:

If you are running an affected version, upgrade to version 7.13.0 (LTS) or higher.

If you are running a 6.13.x version and cannot upgrade to 7.13.0 (LTS), then upgrade to version 6.13.23.

If you are running a 7.4.x version and cannot upgrade to 7.13.0 (LTS), then upgrade to version 7.4.11.

If you are running a 7.11.x version and cannot upgrade to 7.13.0 (LTS), then upgrade to version 7.11.6.

If you are running a 7.12.x version and cannot upgrade to 7.13.0 (LTS), then upgrade to version 7.12.5.
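To turn the affected-versions list and the per-branch upgrade steps above into something an administrator can run against an inventory, here is an added example (our own illustration, not code from Atlassian or from the advisory) that classifies a Confluence Server or Data Center version string and names the minimum fixed version for its branch. The version ranges are exactly those listed in this post; the function and constant names are our own.

```python
# Added example: triage a Confluence version string against the CVE-2021-26084
# affected/fixed ranges listed in this advisory (function names are ours).
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Branches that received a backported fix, keyed by (major, minor):
# "Fixed versions" in the advisory.
FIXED_IN_BRANCH = {
    (6, 13): (6, 13, 23),
    (7, 4): (7, 4, 11),
    (7, 11): (7, 11, 6),
    (7, 12): (7, 12, 5),
}
# Recommended target for every other affected branch ("7.13.0 (LTS) or higher").
LTS_FIX: Version = (7, 13, 0)


def parse_version(text: str) -> Version:
    """Turn '7.4.11' into (7, 4, 11); missing trailing components count as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_affected(version: str) -> bool:
    """True if the version falls inside an affected range from the advisory."""
    v = parse_version(version)
    if v >= LTS_FIX:
        return False                      # 7.13.0 and later ship the fix
    fixed = FIXED_IN_BRANCH.get(v[:2])
    if fixed is not None:
        return v < fixed                  # backport branch: fixed at the listed patch
    # Every other 4.x .. 7.12.x release is listed as affected. Releases older
    # than 4.x are not listed; they are treated as affected here (conservative).
    return True


def recommended_upgrade(version: str) -> Optional[str]:
    """Minimum in-branch fix if the branch got a backport, else the LTS fix."""
    if not is_affected(version):
        return None
    fixed = FIXED_IN_BRANCH.get(parse_version(version)[:2], LTS_FIX)
    return ".".join(map(str, fixed))
```

For example, `recommended_upgrade("7.5.0")` returns `"7.13.0"` because the 7.5.x branch has no backport, while `recommended_upgrade("7.12.4")` returns `"7.12.5"`.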

If you are unable to upgrade Confluence immediately, you can mitigate the issue by running the script below for the operating system on which Confluence is hosted. Please note that doing so is only a temporary fix, and you should still upgrade as soon as possible.

Confluence Server or Data Center Node running on Linux based Operating System…

Confluence Server or Data Center Node running on Microsoft Windows…

Useful links:

Don’t trouble yourself with upgrading your instances, let the experts handle it. Click here to contact us or use the ‘get in touch’ button below.

FOR FURTHER INFORMATION GET IN TOUCH
