The US Cyber Command warned on Friday that mass exploitation of Atlassian’s Confluence software is under way and that users should patch their installations promptly. The vulnerability is tracked as CVE-2021-26084 and was disclosed by Atlassian towards the end of August.
It was described as allowing an authenticated user to execute arbitrary code on a Confluence Server or Data Center instance. Customers on Confluence Cloud are not affected.
The issue affects all versions of Confluence from 4.x.x through most 6.x.x and 7.x.x releases. Customers who have upgraded to versions 6.13.23, 7.4.11, 7.11.6, or 7.13.0 are unaffected.
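A practical first step for defenders is to compare every Confluence install in an inventory against the fixed releases named above. The following Python checker is an added example, not Atlassian tooling: its fixed-version table is the four releases the article lists, the maintained branches it derives from them (6.13.x, 7.4.x, 7.11.x, 7.13.x and later) are an assumption of this example, and any version on a branch outside that table is conservatively reported as needing an upgrade. The host inventory is constructed sample data.

```python
"""Classify Confluence Server / Data Center versions against the CVE-2021-26084
fixed releases quoted in the article.

Added example, not Atlassian's own tooling. Assumptions: the four fixed
releases below are taken from the article; a version is treated as fixed only
if it is at or beyond the newest fix, or on the same major.minor branch as a
fix and at or above that fix's build. Unknown branches are flagged as affected.
"""
from typing import Dict, List, Tuple

# Fixed releases as quoted in the article.
FIXED_VERSIONS = ("6.13.23", "7.4.11", "7.11.6", "7.13.0")

# Constructed sample inventory (hostname -> reported Confluence version).
INVENTORY: Dict[str, str] = {
    "wiki-prod-01": "7.4.10",
    "wiki-prod-02": "7.13.0",
    "wiki-legacy": "6.13.22",
    "wiki-staging": "7.12.4",
}

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Turn '7.4.11' into (7, 4, 11). Shorter strings such as '7.13' are padded
    with zeros so tuple comparison behaves as version comparison; anything that
    is not dotted integers is rejected rather than silently misclassified."""
    parts = text.strip().split(".")
    if not parts or len(parts) > 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Confluence version string: {text!r}")
    numbers = [int(p) for p in parts]
    while len(numbers) < 3:
        numbers.append(0)
    return (numbers[0], numbers[1], numbers[2])


def is_fixed(version_text: str) -> bool:
    """True when the installed version carries the CVE-2021-26084 fix
    according to the article's fixed-release list."""
    installed = parse_version(version_text)
    fixes = sorted(parse_version(v) for v in FIXED_VERSIONS)
    # Anything at or beyond the newest fixed release (7.13.0) is fixed.
    if installed >= fixes[-1]:
        return True
    # Otherwise the install must sit on a maintained branch (major.minor)
    # at or above that branch's fixed build.
    for fix in fixes:
        if installed[:2] == fix[:2]:
            return installed >= fix
    # Branch not in the table (for example 7.12.x or 5.x): assume affected.
    return False


def hosts_needing_upgrade(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames whose version is not covered by a listed fix,
    sorted for stable reporting."""
    return sorted(host for host, ver in inventory.items() if not is_fixed(ver))


if __name__ == "__main__":
    for host in hosts_needing_upgrade(INVENTORY):
        print(f"{host}: {INVENTORY[host]} needs upgrade for CVE-2021-26084")
```

The branch-aware comparison matters because Atlassian shipped the fix to several maintenance lines at once: a plain "is it at least 7.13.0" test would wrongly tell an operator on a patched 7.4.11 or 6.13.23 install to upgrade, while a naive "is it newer than 6.13.23" test would wrongly clear an unpatched 7.4.10.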
The flaw is an injection vulnerability involving the Object-Graph Navigation Language (OGNL) and was discovered by security researcher Benny Jacob (SnowyOwn), a participant in the Atlassian bug bounty program.
OGNL is an open-source expression language for Java that lets users write simpler expressions than those Java supports natively.
It is unclear whether the issue stems from an OGNL problem or from something in Atlassian’s own software. The vulnerability has a Common Vulnerability Scoring System score of 9.8, making it a critical flaw. The National Vulnerability Database says that, if exploited, the vulnerability could allow a non-admin or unauthenticated user to access the vulnerable endpoints.
Widespread or not?
It is unclear how widespread the attacks are. However, Bad Packets posted on September 2nd that it had detected mass scanning and exploitation activity, traced to hosts in the US, Russia, Romania, Nepal, Hong Kong, China, and Brazil.
Confluence was launched by Atlassian in 2004 as a web-based corporate wiki and collaboration tool for organizations.
The company now claims more than 60,000 customers, including NASA, The New York Times, GoPro, Audi AG, Twilio, HubSpot, Docker, and LinkedIn.