This post discloses a critical severity security vulnerability affecting Confluence Server and Data Center customers running the versions listed below.
Atlassian has published an advisory for a vulnerability rated critical on its severity levels scale. It impacts the following Confluence Server and Data Center versions: all versions before 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.
Summary of vulnerability
Affected products: Confluence Server and Confluence Data Center.
Please note, Atlassian Cloud customers are not affected by the contents of this blog post.
Customers who have upgraded to versions 6.13.23, 7.11.6, 7.12.5, 7.13.0, or 7.4.11 are also unaffected by this vulnerability.
Confluence Server and Data Center – CVE-2021-26084 – Confluence Server Webwork OGNL injection
An OGNL injection vulnerability exists that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code in a Confluence Server or Data Center instance.
Affected versions:
- All 4.x.x versions
- All 5.x.x versions
- All 6.0.x versions
- All 6.1.x versions
- All 6.2.x versions
- All 6.3.x versions
- All 6.4.x versions
- All 6.5.x versions
- All 6.6.x versions
- All 6.7.x versions
- All 6.8.x versions
- All 6.9.x versions
- All 6.10.x versions
- All 6.11.x versions
- All 6.12.x versions
- All 6.13.x versions before 6.13.23
- All 6.14.x versions
- All 6.15.x versions
- All 7.0.x versions
- All 7.1.x versions
- All 7.2.x versions
- All 7.3.x versions
- All 7.4.x versions before 7.4.11
- All 7.5.x versions
- All 7.6.x versions
- All 7.7.x versions
- All 7.8.x versions
- All 7.9.x versions
- All 7.10.x versions
- All 7.11.x versions before 7.11.6
- All 7.12.x versions before 7.12.5
What to do?
Atlassian is advising customers who have downloaded and installed the versions listed to upgrade their installations immediately. As an Atlassian Platinum Solution Partner, Clearvision can help by advising on a suitable mitigation strategy. Please note, ClearHost customers needn’t worry, as we have already mitigated the threat of this vulnerability on your behalf.
If you are running an affected version, upgrade to version 7.13.0 (LTS) or higher.
If you are running a 6.13.x version and cannot upgrade to 7.13.0 (LTS), then upgrade to version 6.13.23.
If you are running a 7.4.x version and cannot upgrade to 7.13.0 (LTS), then upgrade to version 7.4.11.
If you are running a 7.11.x version and cannot upgrade to 7.13.0 (LTS), then upgrade to version 7.11.6.
If you are running a 7.12.x version and cannot upgrade to 7.13.0 (LTS), then upgrade to version 7.12.5.
If you are unable to upgrade Confluence immediately, you can mitigate the issue by running the script below for the operating system that Confluence is hosted on. Please note, doing so is a temporary fix, not a replacement for upgrading.
- Upgrade to the latest Long Term Support release — download the latest version.
- If you did not receive an email for this advisory, go to https://my.atlassian.com/email and subscribe to be notified of any future incidents.
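To turn the affected ranges above into something you can run against an inventory of Confluence instances, here is an added example (not Atlassian's or Clearvision's code, and not the mitigation script the advisory refers to): it parses a version string, tests it against the four affected ranges exactly as stated in the advisory, and reports the minimum fixed release. The sample versions at the bottom are constructed for illustration.

```python
"""Check a Confluence Server / Data Center version against the CVE-2021-26084
affected ranges from the advisory and name the minimum fix release.
Added example, not vendor code. Ranges are transcribed from the advisory."""
from typing import Optional, Tuple

Version = Tuple[int, ...]

# (affected_from, first_fixed): inclusive lower bound, exclusive upper bound.
# Everything before 6.13.23 (covers 4.x, 5.x and 6.0-6.12), then 6.14.0 up to
# but not including 7.4.11, 7.5.0 before 7.11.6, and 7.12.0 before 7.12.5.
AFFECTED_RANGES = [
    ((0, 0, 0), (6, 13, 23)),
    ((6, 14, 0), (7, 4, 11)),
    ((7, 5, 0), (7, 11, 6)),
    ((7, 12, 0), (7, 12, 5)),
]
LTS_RECOMMENDED = "7.13.0"  # the release the advisory recommends moving to


def parse_version(text: str) -> Version:
    """Turn '7.4.11' into (7, 4, 11); pad short strings so '7.13' compares
    as 7.13.0. Raises ValueError for anything that is not dotted integers."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not parts or len(parts) > 3:
        raise ValueError(f"unexpected version format: {text!r}")
    return parts + (0,) * (3 - len(parts))


def fix_version_for(text: str) -> Optional[str]:
    """Return the first fixed release for an affected version, or None when
    the version already sits outside every affected range."""
    v = parse_version(text)
    for low, fixed in AFFECTED_RANGES:
        if low <= v < fixed:
            return ".".join(str(n) for n in fixed)
    return None


def assess(text: str) -> str:
    """One-line verdict suitable for an inventory report."""
    fix = fix_version_for(text)
    if fix is None:
        return f"{text}: not in an affected range"
    return f"{text}: AFFECTED - upgrade to {LTS_RECOMMENDED} (LTS) or at least {fix}"


if __name__ == "__main__":
    # CONSTRUCTED sample inputs; replace with versions from your own inventory
    for sample in ["5.10.8", "6.13.22", "6.13.23", "7.4.10", "7.4.11", "7.12.4", "7.13"]:
        print(assess(sample))
```

Note that the boundaries are exclusive on the fixed side, so 6.13.23, 7.4.11, 7.11.6 and 7.12.5 themselves report as not affected, matching the advisory's list of unaffected upgrades.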
Don’t trouble yourself with upgrading your instances, let the experts handle it. Click here to contact us or use the ‘get in touch’ button below.