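CVE-2021-26084 Vulnerability

On August 25, Atlassian disclosed a high-severity vulnerability in Confluence: an OGNL injection vulnerability that allows an authenticated attacker, or in some cases an unauthenticated one, to execute arbitrary code on a Confluence Server or Data Center instance.

It affects almost all versions of Confluence.

Description

CVE-2021-26084 - Confluence Server Webwork OGNL injection

Published

August 25, 2021

Affected products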

  • Confluence Server

  • Confluence Data Center

Confluence Cloud is not affected.

Affected versions

  • All 4.x.x versions
  • All 5.x.x versions
  • All 6.0.x versions
  • All 6.1.x versions
  • All 6.2.x versions
  • All 6.3.x versions
  • All 6.4.x versions
  • All 6.5.x versions
  • All 6.6.x versions 
  • All 6.7.x versions
  • All 6.8.x versions
  • All 6.9.x versions
  • All 6.10.x versions
  • All 6.11.x versions
  • All 6.12.x versions 
  • All 6.13.x versions before 6.13.23
  • All 6.14.x versions 
  • All 6.15.x versions 
  • All 7.0.x versions
  • All 7.1.x versions
  • All 7.2.x versions
  • All 7.3.x versions
  • All 7.4.x versions before 7.4.11
  • All 7.5.x versions
  • All 7.6.x versions 
  • All 7.7.x versions
  • All 7.8.x versions
  • All 7.9.x versions
  • All 7.10.x versions
  • All 7.11.x versions before 7.11.6
  • All 7.12.x versions before 7.12.5

Fixed versions

  • 6.13.23
  • 7.4.11
  • 7.11.6
  • 7.12.5
  • 7.13.0

CVE ID(s)

CVE-2021-26084


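Atlassian's information on this vulnerability

Fix by upgrading

Upgrade to one of the fixed versions listed above. There is not much to add here; users who are able to should upgrade as soon as possible.

Fix without upgrading

For users who, for various reasons, cannot upgrade or find it inconvenient to do so, Atlassian provides a fix script.

The script modifies 5 source files so that the vulnerability is avoided; downloading and running it also mitigates the vulnerability. The procedure differs between Linux and Windows.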

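Linux fix

  1. Download the cve-2021-26084-update.sh script to the Confluence server
  2. Open the script, set INSTALLATION_DIRECTORY to the Confluence installation path, and save the file, for example:

    INSTALLATION_DIRECTORY=/opt/atlassian/confluence

  3. Make the script executable

    chmod +x cve-2021-26084-update.sh

  4. Check which user owns the Confluence installation directory (by default the confluence user). The script must be run as that user, so switch to it:

    # Check the file ownership in the Confluence installation directory
    $ ls -l /opt/atlassian/confluence | grep bin
    drwxr-xr-x 3 confluence confluence 4096 Aug 18 17:07 bin

    # The owner is confluence; switch to that user
    $ sudo su - confluence

  5. Run the fix script

    ./cve-2021-26084-update.sh

  6. When "Update completed!" is displayed, the fix script has run successfully

  7. Restart Confluence for the change to take effect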


Appendix: output of a script run

[confluence@devpod-web cve-2021-26084-fix]$ ./cve-2021-26084-update.sh
chdir '/opt/atlassian/confluence'

File 1: 'confluence/users/user-dark-features.vm':
   a. backing up file.. done
   b. updating file.. done
   c. showing file changes..
70c70
<             #tag( "Component" "label='Enable dark feature:'" "name='featureKey'" "value='$!action.featureKey'" "theme='aui'" "template='text.vm'")
---
>             #tag( "Component" "label='Enable dark feature:'" "name='featureKey'" "value=featureKey" "theme='aui'" "template='text.vm'")
   d. validating file changes.. ok
   e. file updated successfully!

File 2: 'confluence/login.vm':
   a. backing up file.. done
   b. updating file.. done
   c. showing file changes..
147c147
<                         #tag( "Hidden" "name='token'" "value='$!action.token'" )
---
>                         #tag( "Hidden" "name='token'" "value=token" )
   d. validating file changes.. ok
   e. file updated successfully!

File 3: 'confluence/pages/createpage-entervariables.vm':
   a. backing up file.. done
   b. updating file.. done
   c. showing file changes..
24c24
<                 #tag ("Hidden" "name='queryString'" "value='$!queryString'")
---
>                 #tag ("Hidden" "name='queryString'" "value=queryString")
26c26
<                 #tag ("Hidden" "name='linkCreation'" "value='$linkCreation'")
---
>                 #tag ("Hidden" "name='linkCreation'" "value=linkCreation")
   d. validating file changes..ok
   e. file updated successfully!

File 4: 'confluence/template/custom/content-editor.vm':
   a. backing up file.. done
   b. updating file.. done
   c. showing file changes..
64c64
<         #tag ("Hidden" "name='queryString'" "value='$!queryString'")
---
>         #tag ("Hidden" "name='queryString'" "value=queryString")
85c85
<             #tag ("Hidden" "id=sourceTemplateId" "name='sourceTemplateId'" "value='${templateId}'")
---
>             #tag ("Hidden" "id=sourceTemplateId" "name='sourceTemplateId'" "value=templateId")
   d. file updated successfully!

File 5: 'confluence/WEB-INF/atlassian-bundled-plugins/confluence-editor-loader*.jar':
   a. extracting templates/editor-preload-container.vm from confluence/WEB-INF/atlassian-bundled-plugins/confluence-editor-loader-7.12.3.jar..
Archive:  confluence/WEB-INF/atlassian-bundled-plugins/confluence-editor-loader-7.12.3.jar
  inflating: ./templates/editor-preload-container.vm
   b. updating file.. done
   c. showing file changes..
56c56
< #tag ("Hidden" "id=syncRev" "name='syncRev'" "value='$!{action.syncRev}'")
---
> #tag ("Hidden" "id=syncRev" "name='syncRev'" "value=syncRev")
   d. validating file changes.. ok
   e. updating confluence/WEB-INF/atlassian-bundled-plugins/confluence-editor-loader-7.12.3.jar with ./templates/editor-preload-container.vm..updating: templates/editor-preload-container.vm (deflated 59%)
-rw-r--r-- 1 confluence confluence 13369 Aug 27 13:57 confluence/WEB-INF/atlassian-bundled-plugins/confluence-editor-loader-7.12.3.jar
   f. cleaning up temp files..ok
   g. extracting templates/editor-preload-container.vm from confluence/WEB-INF/atlassian-bundled-plugins/confluence-editor-loader-7.12.3.jar again to check changes within JAR..
Archive:  confluence/WEB-INF/atlassian-bundled-plugins/confluence-editor-loader-7.12.3.jar
  inflating: ./templates/editor-preload-container.vm
   h. validating file changes for file within updated JAR.. ok
   i. cleaning up temp files..ok

Update completed!
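
To confirm later that the changes shown in the output above are still in place, the following added example (not part of Atlassian's script or of the original page) searches the five files for the pre-fix fragments that appear on the '<' lines. The function names are hypothetical, and the JAR check assumes unzip is installed.

```shell
#!/bin/sh
# Added example: verify that the hot-fix shown in the script output was applied.
# Each "file|fragment" pair is a pre-fix fragment copied from a '<' line of that output.

# Returns 0 only if every template exists and none still contains its fragment.
check_templates() {
  root=$1; status=0
  while IFS='|' read -r file fragment; do
    if [ ! -f "$root/$file" ]; then
      echo "MISSING   $file"; status=1
    elif grep -qF -- "$fragment" "$root/$file"; then
      echo "UNPATCHED $file  $fragment"; status=1
    else
      echo "ok        $file"
    fi
  done <<'EOF'
confluence/users/user-dark-features.vm|"value='$!action.featureKey'"
confluence/login.vm|"value='$!action.token'"
confluence/pages/createpage-entervariables.vm|"value='$!queryString'"
confluence/pages/createpage-entervariables.vm|"value='$linkCreation'"
confluence/template/custom/content-editor.vm|"value='$!queryString'"
confluence/template/custom/content-editor.vm|"value='${templateId}'"
EOF
  return "$status"
}

# File 5 lives inside a JAR, so its template is read from the archive with unzip -p.
# Returns 1 if no matching JAR is found or a JAR still contains the pre-fix line.
check_editor_jar() {
  root=$1; status=1
  for jar in "$root"/confluence/WEB-INF/atlassian-bundled-plugins/confluence-editor-loader*.jar; do
    [ -f "$jar" ] || continue
    status=0
    if unzip -p "$jar" templates/editor-preload-container.vm |
         grep -qF -- "\"value='\$!{action.syncRev}'\""; then
      echo "UNPATCHED $jar"; return 1
    fi
    echo "ok        $jar"
  done
  return "$status"
}

# Usage, after sourcing this file (path as in step 2 above):
#   check_templates /opt/atlassian/confluence; check_editor_jar /opt/atlassian/confluence
```

The check only looks for the exact lines the script output shows being replaced, so a clean result means the hot-fix is present, not that the instance runs a fixed version.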

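Windows fix

  1. Download cve-2021-26084-update.ps1 to the server
  2. Open the script, set INSTALLATION_DIRECTORY to the Confluence installation path, and save the file, for example:

    $INSTALLATION_DIRECTORY='C:\Program Files\Atlassian\Confluence'

  3. Open PowerShell (Run as administrator) and execute the fix script

    Get-Content .\cve-2021-26084-update.ps1 | powershell.exe -noprofile -

  4. When the script reports that the update completed, the fix script has run successfully

  5. Restart Confluence for the change to take effect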