Atlassian Confluence Bug Exploited to Hack Jenkins Project’s Server
While the Impacted Server Has Been Taken Offline, Jenkins Is Investigating the Impact of the Attack.
Last updated on September 14, 2021
Over the weekend, the open-source automation server Jenkins announced that cybercriminals exploited a critical vulnerability impacting Atlassian Confluence Server and Data Center to obtain access to one of its internal servers.
At this time, we have no reason to believe that any Jenkins releases, plugins, or source code have been affected.
Jenkins’ investigation shows that the threat actors exploited CVE-2021-26084 to install a Monero cryptocurrency miner in the container running the deprecated Confluence service.
Attackers could also have leveraged the flaw for more destructive attacks.
Thus far in our investigation, we have learned that the Confluence CVE-2021-26084 exploit was used to install what we believe was a Monero miner in the container running the service. From there an attacker would not be able to access much of our other infrastructure.
While Jenkins has no evidence that developer credentials were exfiltrated during the attack, the project is taking precautions. It announced that it has reset passwords for all accounts in the integrated identity system.
It also stated that they “are taking actions to prevent releases at this time until we re-establish a chain of trust with our developer community.”
Jenkins claims that its infrastructure team has deactivated the Confluence server for good, rotated privileged credentials, and taken proactive steps to further limit access across their organization.
According to the Atlassian security advisory, the CVE-2021-26084 vulnerability affects Confluence Server and Data Center versions before 6.13.23, from 6.14.0 before 7.4.11, from 7.5.0 before 7.11.6, and from 7.12.0 before 7.12.5.
The Confluence RCE vulnerability tracked as CVE-2021-26084 is an OGNL injection issue that enables an authenticated user, and in some cases an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.
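The affected version ranges above are the practical check a defender needs first: is a given Confluence build inside one of them? The following is an added example, not code from the article or from Atlassian or Jenkins; it encodes the four ranges from the advisory as quoted here and runs them over a constructed, hypothetical inventory of host names and version strings (the host names and versions are made up for the example).

```python
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse 'a.b.c' (or 'a.b', padded with zeros) into a comparable tuple.

    Raises ValueError on anything that is not a dotted numeric version, so a
    malformed inventory entry fails loudly instead of silently reading as safe.
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


# Affected ranges from the Atlassian advisory as quoted in the article:
# (lower bound inclusive, or None meaning "every earlier version"; upper bound exclusive).
AFFECTED_RANGES: List[Tuple[Optional[Version], Version]] = [
    (None, parse_version("6.13.23")),
    (parse_version("6.14.0"), parse_version("7.4.11")),
    (parse_version("7.5.0"), parse_version("7.11.6")),
    (parse_version("7.12.0"), parse_version("7.12.5")),
]


def is_affected(version_text: str) -> bool:
    """True if the version falls inside any affected range for CVE-2021-26084."""
    v = parse_version(version_text)
    for lower, upper in AFFECTED_RANGES:
        if (lower is None or v >= lower) and v < upper:
            return True
    return False


def hosts_needing_patch(inventory: Dict[str, str]) -> List[str]:
    """Return the sorted host names whose Confluence version is affected."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (hypothetical hosts and versions, not real systems).
SAMPLE_INVENTORY: Dict[str, str] = {
    "wiki-legacy": "6.13.22",   # before 6.13.23: affected
    "wiki-archive": "7.4.11",   # first fixed build of the 7.4 line
    "wiki-staging": "7.12.4",   # inside 7.12.0..7.12.5: affected
    "wiki-prod": "7.13.0",      # after every affected range
}

if __name__ == "__main__":
    for host, ver in SAMPLE_INVENTORY.items():
        print(f"{host:13} {ver:8} {'AFFECTED' if is_affected(ver) else 'ok'}")
    print("needs patch:", hosts_needing_patch(SAMPLE_INVENTORY))
```

The check only reflects the version strings in the advisory; it says nothing about whether an instance is reachable by unauthenticated users or, as in the Jenkins case, whether a deprecated instance should simply be decommissioned rather than patched.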
On September 3rd, the US Cyber Command (USCYBERCOM) published a warning urging US companies to patch the mass-exploited Atlassian Confluence critical flaw as soon as possible.
Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate. Please patch immediately if you haven’t already. This cannot wait until after the weekend.