Atlassian has raised a storm with CyberCom (US Cyber Command) due to a critical flaw discovered in Confluence Server and Confluence Data Center. “Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate. Please patch immediately if you haven’t already—this cannot wait until after the weekend,” said the official CyberCom Twitter account.
On August 25, 2021, Atlassian did issue a patch for this vulnerability, in which the developer stated arbitrary code execution could be reached by an unauthenticated user on a Confluence server or datacenter instance.
Jenkins, the popular CI/CD platform, was hit by attackers exploiting this new flaw. Attackers decided to deploy a Monero cryptominer on the company’s Confluence server. The service immediately took the server offline and rotated all passwords.
Researchers at Kaspersky stated the flaw is only possible to leverage from unauthenticated users if the “Allow people to sign up to create their account” option is enabled by administrators.
Please note Confluence Cloud is not affected.