Hitting the news recently was a warning from Atlassian of a critical-rated flaw with its Confluence Server, urging users to patch immediately.
Alert Logic has been actively investigating this new OGNL injection vulnerability – CVE-2021-26084 – in the Confluence Server and Data Center. This is not the first time our threat intelligence team has seen an issue with Confluence, so we are seasoned with such a threat.
In this blog, we’ll take a closer look into:
- The Atlassian Confluence Flaw and Alert Logic’s detection and response
- How that story translates into deeper analysis of known vulnerable software
- Our approach to tracking the same bad actors across breaches
- Recommendations to users and our customers on mitigating the bug
Examining the Atlassian Confluence Flaw
CVE-2021-26084 is a critical-rated vulnerability impacting users of the on-prem version of Confluence Server (Confluence Cloud customers are not affected), allowing both authenticated and unauthenticated users to gain full remote code execution on a Confluence Server or Data Center instance. For greater detail on the vulnerability, read the security advisory from Atlassian.
The Alert Logic timeline
Our security experts in both our Security Operations Center (SOC) and Threat Intelligence teams, having previously dealt with Confluence vulnerability CVE-2019-3396 in 2019, had developed and deployed many general-purpose signatures designed to detect OGNL attacks. These signatures were the ones used to detect these novel exploits targeting our customers. SOC analysts noted the data triggering these signatures now looked different, and they brought in Threat Intelligence to dig deeper.
Within minutes, our security experts were actively hunting, leveraging these general-purpose signatures as trail heads. This work ensured rapid detection as well as a better understanding of the exploit. Leveraging this in-depth analysis, we are now able to identify active attacks more quickly and precisely, giving our customers a leg up.
- Our threat experts noticed exploit attempts that were much different from what we typically see, and they also resembled the newly announced vulnerability in Confluence (CVE-2021-26084), which piqued interest.
- Having experienced a previous Confluence vulnerability that put many customers at risk back in March 2019 (CVE-2019-3396), the team was well versed and knew the appropriate actions to take. As a result, the team immediately began their hunts.
Response: immediately after detection
- Initial signatures for post-compromise were collected from attempts observed (such as the output of the `id`, `ifconfig` and `ipconfig` commands) and were added, along with a signature for outbound Burp usage, to our hunting dashboards.
- Initial firings fed our tooling leading to fast recognition, deep analysis, and focused hunts.
- Additional IoCs were added to our analysts’ hunting dashboards focusing on outbound activity. This was the first concrete piece of evidence attributed directly to an active incident.
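As an added illustration of the post-compromise signatures described above (example code written for this post, not Alert Logic’s production detection logic), the snippet below runs simple regular-expression signatures over constructed HTTP response bodies and flags those that echo the output of `id`, `ifconfig` or `ipconfig`, which is what a successful command execution on the server would return to the attacker. The sample bodies and signature names are constructed for this example.

```python
import re

# Constructed sample HTTP response bodies (not real captures) such as a web
# sensor might see leaving a Confluence host. The signatures key on the
# *output* of recon commands, not on the inbound request.
SAMPLE_RESPONSES = {
    "linux_id": "uid=1000(confluence) gid=1000(confluence) groups=1000(confluence)\n",
    "linux_ifconfig": (
        "eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500\n"
        "        inet 10.0.0.12  netmask 255.255.255.0  broadcast 10.0.0.255\n"
    ),
    "windows_ipconfig": (
        "Windows IP Configuration\r\n\r\n"
        "Ethernet adapter Ethernet0:\r\n"
        "   IPv4 Address. . . . . . . . . . . : 10.0.0.20\r\n"
    ),
    "benign_page": "<html><body><h1>Confluence Dashboard</h1></body></html>",
}

# Each signature: name, compiled regex, and why a match indicates successful execution.
SIGNATURES = [
    ("id_output", re.compile(r"\buid=\d+\([^)]*\)\s+gid=\d+\([^)]*\)"),
     "Linux `id` command output echoed in an HTTP response"),
    ("ifconfig_output", re.compile(r"flags=\d+<[A-Z,]+>\s+mtu\s+\d+"),
     "Linux `ifconfig` interface header echoed in an HTTP response"),
    ("ipconfig_output",
     re.compile(r"Windows IP Configuration|IPv4 Address[ .]*:\s*\d+\.\d+\.\d+\.\d+"),
     "Windows `ipconfig` output echoed in an HTTP response"),
]


def match_signatures(body: str) -> list[str]:
    """Return the names of post-compromise signatures matched by one response body."""
    return [name for name, rx, _ in SIGNATURES if rx.search(body)]


def triage(responses: dict[str, str]) -> dict[str, list[str]]:
    """Run every signature over every sample; an empty list means nothing matched."""
    return {label: match_signatures(body) for label, body in responses.items()}


if __name__ == "__main__":
    for label, hits in triage(SAMPLE_RESPONSES).items():
        print(f"{label:18s} -> {hits or 'clean'}")
```

In practice these would be tuned against real traffic to cut false positives (e.g. documentation pages that legitimately quote command output), which is why such signatures feed a hunting dashboard rather than an automatic block.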
Response: after first sign of compromise
- Threat Intelligence continuously looks for new vulnerabilities as they happen and creates detections for those. As SOC examines data from these detections, they engage the Threat Intel team if they find anything novel.
- Additional detections are created to cover our customers’ attack surface, and there is a model of constant engagement between both teams.
- The SOC noticed the successful exploitation via the associated hunting dashboard and informed Threat Intel, who then prioritized getting a Confluence server in house for exploitation testing, allowing us to verify all possible evasion techniques and provide more detailed detection analysis.
Actionable insights and continued analysis
This threat, like any emerging threat, does not live and die in a silo. The actions taken and insights gathered to ensure our customers remain secure are carried forward into everything we do.
For instance, our Threat Intel team continues to look deeper into popular software, discovering any potential vulnerabilities before they are exploited. They take the case of the Confluence vulnerability and apply it to their research across the board, adding any new behavior from bad actors to their repertoire.
It’s this expert knowledge that best supports immediate response efforts — bad actors tend to carry out attacks in similar ways, and our teams are well versed in the how of these scenarios, as well as possible impacts. So, upon detection, we are able to know quickly when something new is underway and respond appropriately.
Recommendations for Mitigation
Atlassian has released updates to remediate this vulnerability, and it’s recommended to apply them to affected versions as soon as possible.
The updates are available in the Confluence Server and Data Center Download Archives. Find details on the updates for each version in this Alert Logic Support Center article. If you are unable to apply the updates immediately, a workaround is available in Atlassian’s security advisory under Mitigation.
For future (and inevitable) vulnerabilities
One key takeaway, for this and any similar vulnerabilities to come, is to ensure that your organization has a properly configured Web Application Firewall (WAF). At Alert Logic, we offer a managed WAF, and our experts ensure it is ready to block threats against your critical web applications, from installation through deployment, configuration, and ongoing tuning.
Why does this matter? Well, taking the Confluence vulnerability as an example, we were able to update our WAF and get signatures out within 24 hours, giving our customers breathing room in patching.
This eliminates the need on the part of customers to patch their systems immediately, a situation that often results in less than desired outcomes, as that immediate timeline is often missed. Instead of creating a pressurized situation, our WAF customers were able to run through their proper patch management process in due time, allowing them to maximize availability while maintaining the confidentiality and integrity of their systems and data.