Opportunistic threat actors have been found actively exploiting a recently disclosed critical security flaw in Atlassian Confluence deployments across Windows and Linux to deploy web shells that result in the execution of crypto miners on compromised systems.
Tracked as CVE-2021-26084 (CVSS score: 9.8), the vulnerability concerns an OGNL (Object-Graph Navigation Language) injection flaw that could be exploited to achieve arbitrary code execution on a Confluence Server or Data Center instance.
“A remote attacker can exploit this vulnerability by sending a crafted HTTP request containing a malicious parameter to a vulnerable server,” researchers from Trend Micro noted in a technical write-up detailing the weakness. “Successful exploitation can result in arbitrary code execution in the security context of the affected server.”
The vulnerability, which resides in the Webwork module of Atlassian Confluence Server and Data Center, stems from an insufficient validation of user-supplied input, causing the parser to evaluate rogue commands injected within the OGNL expressions.
The in-the-wild attacks come after the U.S. Cyber Command warned of mass exploitation attempts following the vulnerability’s public disclosure in late August this year.
images from Hacker News