Confluence Critical Severity Security Vulnerability

This post discloses a critical severity security vulnerability affecting customers running the Confluence Server and Data Center versions listed below.


Atlassian has published a security advisory for a vulnerability it rates as critical on its severity levels scale. It affects the following Confluence Server and Data Center versions: all versions before 6.13.23, 6.14.0 up to but not including 7.4.11, 7.5.0 up to but not including 7.11.6, and 7.12.0 up to but not including 7.12.5.

Summary of vulnerability

Affected products: Confluence Server and Confluence Data Center.

Please note, Atlassian Cloud customers are not affected by the vulnerability described in this blog post.

Customers who have upgraded to versions 6.13.23, 7.11.6, 7.12.5, 7.13.0, or 7.4.11 are also unaffected by this vulnerability.

Confluence Server and Data Center – CVE-2021-26084 – Confluence Server Webwork OGNL injection

An OGNL injection vulnerability exists that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code in a Confluence Server or Data Center instance.

Fixed versions:

  • 6.13.23
  • 7.4.11
  • 7.11.6
  • 7.12.5
  • 7.13.0

Affected versions:

  • All 4.x.x versions
  • All 5.x.x versions
  • All 6.0.x versions
  • All 6.1.x versions
  • All 6.2.x versions
  • All 6.3.x versions
  • All 6.4.x versions
  • All 6.5.x versions
  • All 6.6.x versions 
  • All 6.7.x versions
  • All 6.8.x versions
  • All 6.9.x versions
  • All 6.10.x versions
  • All 6.11.x versions
  • All 6.12.x versions 
  • All 6.13.x versions before 6.13.23
  • All 6.14.x versions 
  • All 6.15.x versions 
  • All 7.0.x versions
  • All 7.1.x versions
  • All 7.2.x versions
  • All 7.3.x versions
  • All 7.4.x versions before 7.4.11
  • All 7.5.x versions
  • All 7.6.x versions 
  • All 7.7.x versions
  • All 7.8.x versions
  • All 7.9.x versions
  • All 7.10.x versions
  • All 7.11.x versions before 7.11.6
  • All 7.12.x versions before 7.12.5

What to do?

Lewis, Cloud Engineer

Atlassian is advising customers who have downloaded and installed the versions listed to upgrade their installations immediately. As an Atlassian Platinum Solution Partner, Clearvision can help by advising on a suitable mitigation strategy. Please note, ClearHost customers needn’t worry, as we have already mitigated the threat of this vulnerability on your behalf.

Workarounds:

If you are running an affected version, upgrade to version 7.13.0 (LTS) or higher.

If you are running a 6.13.x version and cannot upgrade to 7.13.0 (LTS), then upgrade to version 6.13.23.

If you are running a 7.4.x version and cannot upgrade to 7.13.0 (LTS), then upgrade to version 7.4.11.

If you are running a 7.11.x version and cannot upgrade to 7.13.0 (LTS), then upgrade to version 7.11.6.

If you are running a 7.12.x version and cannot upgrade to 7.13.0 (LTS), then upgrade to version 7.12.5.
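As an added example (not Atlassian's or Clearvision's code), the Python script below turns the affected ranges and fixed versions stated in this post into a check you can run across an inventory of Confluence hosts, so that each instance is flagged as affected or not and paired with the upgrade target the steps above prescribe. The host inventory inside it is constructed for illustration, and the function names (`parse_version`, `assess`) are my own.

```python
"""
Version-range checker for CVE-2021-26084 (Confluence Server / Data Center
Webwork OGNL injection). Added example; not Atlassian's or Clearvision's code.
Ranges are taken from the advisory text: every release before 6.13.23,
6.14.0 up to (not including) 7.4.11, 7.5.0 up to 7.11.6, and 7.12.0 up to
7.12.5 are affected; 7.13.0 and later are not.
"""
import re
from typing import NamedTuple, Optional

# Affected ranges from the advisory as [lower inclusive, upper exclusive).
# The (0, 0, 0) lower bound covers "all 4.x.x ... 6.13.x before 6.13.23".
AFFECTED_RANGES = [
    ((0, 0, 0), (6, 13, 23)),
    ((6, 14, 0), (7, 4, 11)),
    ((7, 5, 0), (7, 11, 6)),
    ((7, 12, 0), (7, 12, 5)),
]

# Same-branch fixed release for the branches that received one.
BRANCH_FIXES = {
    (6, 13): "6.13.23",
    (7, 4): "7.4.11",
    (7, 11): "7.11.6",
    (7, 12): "7.12.5",
}
LTS_FIX = "7.13.0"  # the advisory's preferred upgrade target

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> tuple:
    """Parse 'major.minor[.patch]' into a comparable tuple; a trailing
    suffix such as '-beta1' is ignored, a missing patch counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Confluence version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


class Assessment(NamedTuple):
    version: str
    affected: bool
    recommended: Optional[str]  # 7.13.0 (LTS) when affected, else None
    branch_fix: Optional[str]   # same-branch fixed release, if one exists


def assess(version_text: str) -> Assessment:
    """Classify one Confluence version against the advisory's ranges."""
    text = version_text.strip()
    v = parse_version(text)
    affected = any(lo <= v < hi for lo, hi in AFFECTED_RANGES)
    if not affected:
        return Assessment(text, False, None, None)
    return Assessment(text, True, LTS_FIX, BRANCH_FIXES.get(v[:2]))


def report(inventory: dict) -> list:
    """Return one human-readable line per host; the hosts are whatever
    the caller passes in (constructed sample below)."""
    lines = []
    for host, version in sorted(inventory.items()):
        a = assess(version)
        if not a.affected:
            lines.append(f"{host}: {a.version} not affected")
        elif a.branch_fix:
            lines.append(f"{host}: {a.version} AFFECTED -> upgrade to "
                         f"{a.recommended} (LTS) or at least {a.branch_fix}")
        else:
            lines.append(f"{host}: {a.version} AFFECTED -> upgrade to "
                         f"{a.recommended} (LTS); no same-branch fix exists")
    return lines


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {
        "wiki-prod-01": "7.4.9",
        "wiki-prod-02": "7.12.5",
        "wiki-legacy": "6.13.20",
        "wiki-test": "7.9.3",
        "wiki-dc-node-a": "7.13.0",
    }
    for line in report(sample):
        print(line)
```

Hosts on a branch without its own fix (7.5.x through 7.10.x in the sample) have no "at least" fallback, which mirrors the post's upgrade steps: only the 6.13, 7.4, 7.11 and 7.12 branches received a same-branch fixed release.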

If you are unable to upgrade Confluence immediately, you can mitigate the issue by running the script below for the Operating System that Confluence is hosted on. Please note, doing so is a temporary fix.

Confluence Server or Data Center Node running on Linux based Operating System…

Confluence Server or Data Center Node running on Microsoft Windows…
