On August 25, 2021, Atlassian released a security advisory and associated patches for several on-premises versions of its popular Confluence Server and Data Center products to address a Remote Code Execution (RCE) vulnerability (CVE-2021-26084). This vulnerability is said to potentially allow unauthenticated attackers to remotely execute commands on affected servers and is rated CRITICAL (CVSSv3 9.8).
On September 3, 2021, the United States Cyber Command (USCYBERCOM) issued a public alert recommending that administrators prioritize their efforts to patch their servers as soon as possible due to the increased in-the-wild (ITW) exploitation being observed.
Protection Against Exploitation
First and foremost, it is highly recommended that administrators follow all guidance from the vendor (Atlassian) and apply any and all patches as soon as possible if their deployed servers match the known affected versions. Please note that Confluence Cloud customers are not affected.
In addition to the vendor patch(es) that should be applied, Trend Micro has released some supplementary rules, filters and detection patterns that may help provide additional protection against this attack for servers that have not already been compromised, as well as detection of malicious components associated with it and protection against further attempted attacks.
Preventative Rules, Filters & Detection
Trend Micro Cloud One - Workload Security and Deep Security IPS Rules
- Rule 1005934 - Identified Suspicious Command Injection Attack
- Rule 1011117 - Atlassian Confluence Server Remote Code Execution Vulnerability (CVE-2021-26084)
Trend Micro Cloud One - Network Security and TippingPoint Digital Vaccine
- Filter 40260 - HTTP: Atlassian Confluence Server and Data Center OGNL Injection Vulnerability
Trend Micro Deep Discovery Inspector
- Rule 4623 - CVE-2021-26084_HTTP_CONFLUENCE_OGNL_RCE_EXPLOIT_REQUEST_SB
Trend Micro Malware Detection Patterns (VSAPI, Predictive Learning, Behavioral Monitoring and WRS) for Endpoint, Servers, Mail & Gateway (e.g. Apex One, Deep Security w/Anti-malware, etc.)
Malicious file samples associated with known exploits of this vulnerability are detected as:
| Filename | SHA1 | VSAPI Detection | Predictive Learning | Pattern Number (VSAPI) |
In addition, the following associated URLs are being blocked via Web Reputation Services (WRS):
Trend Micro is closely monitoring and conducting additional research on these attacks and will update this article with additional information and protections as they become available.