URGENT | System infected - CVE-2021-26084 does NOT bring any relief

Nikolaus Rupp September 30, 2021

Hello everybody,

our system has been infected by the

CVE-2021-26084 - Confluence Server Webwork OGNL injection

We have a) updated the Confluence instance to version 7.13.1 (running on Debian), applied the patch and restarted the whole system multiple times.

We still have the same problem. Once Confluence is started, the infected script starts up and prevents Confluence from starting.

Any suggestions as to what we can do?

2 answers

0 votes
Kishan Sharma
Community Champion
September 30, 2021 edited

Hi @Nikolaus Rupp Welcome to the Atlassian Community!

Since the vulnerability has already been fixed in v7.13.0+ you shouldn't be facing any issues with it. I would advise raising a support ticket with Atlassian Support for immediate attention.

0 votes
Alexis Robert
Community Champion
September 30, 2021

Hi @Nikolaus Rupp,

you will probably need to quarantine the infected server and move your Confluence installation to a new system. You would have to copy the Confluence folders (installation and home folders) and adapt your configuration if needed.

Or you can get in touch with an antivirus specialist to get rid of the infected script. The patch is not intended to "cure" the system, but only to prevent further infection.

Let me know if this helps,

--Alexis
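As an added example, not code from the thread or from Atlassian: a POSIX shell helper that stages the cold copy Alexis describes (installation and home directories) together with the database dump Niko asks about, since Confluence keeps page content in the database while the home directory holds confluence.cfg.xml, attachments, the search index and plugins. Every path, the service name and the mysqldump invocation are assumptions for a Linux installer-based instance; override them through the environment to match your own host.

```shell
#!/bin/sh
# Added example, not from the thread or from Atlassian: stage a cold copy of
# Confluence (install dir, home dir, database dump) with checksums so it can
# be carried to a clean host and verified before anything is started there.
# All paths, the service name and the dump command are ASSUMPTIONS for a
# Linux installer-based instance; override them via the environment.
set -eu

CONF_INSTALL="${CONF_INSTALL:-/opt/atlassian/confluence}"
CONF_HOME="${CONF_HOME:-/var/atlassian/application-data/confluence}"
DB_NAME="${DB_NAME:-confluence}"
OUT_DIR="${OUT_DIR:-/mnt/clean-backup}"
STOP_CMD="${STOP_CMD:-service confluence stop}"
DUMP_CMD="${DUMP_CMD:-mysqldump --single-transaction --routines}"

# The JDBC URL in confluence.cfg.xml is what the instance really used; read it
# so the dump target matches the live configuration instead of memory.
jdbc_url() {
    sed -n 's/.*<property name="hibernate.connection.url">\(.*\)<\/property>.*/\1/p' \
        "$1/confluence.cfg.xml"
}

# Tar a directory and record its SHA-256 next to the archive.
archive_dir() {
    src="$1"; name="$2"; out="$3"
    tar -C "$(dirname "$src")" -cf "$out/$name.tar" "$(basename "$src")"
    (cd "$out" && sha256sum "$name.tar" > "$name.tar.sha256")
}

# Check an archive against its recorded checksum; non-zero exit on mismatch.
verify_archive() {
    (cd "$1" && sha256sum -c "$2.tar.sha256" > /dev/null)
}

stage_backup() {
    mkdir -p "$OUT_DIR"
    # 1. Stop Confluence first: a copy taken while it runs is not consistent
    #    with the database, and the script that restarts on boot stays down.
    $STOP_CMD
    echo "database: $(jdbc_url "$CONF_HOME")"
    # 2. Dump the database. Page content lives here, not in the home dir.
    $DUMP_CMD "$DB_NAME" > "$OUT_DIR/$DB_NAME.sql"
    # 3. Home (confluence.cfg.xml, attachments, index, plugins) and install dir.
    archive_dir "$CONF_HOME" home "$OUT_DIR"
    archive_dir "$CONF_INSTALL" install "$OUT_DIR"
    # 4. Verify before trusting the copy.
    verify_archive "$OUT_DIR" home
    verify_archive "$OUT_DIR" install
}
```

Run it as root on the infected host with OUT_DIR pointing at separate storage. On the new host, install the same Confluence version fresh from Atlassian's download, load the dump with `mysql confluence < confluence.sql`, unpack home.tar, and edit hibernate.connection.url in confluence.cfg.xml if the database host changed. Keep install.tar for comparison and forensics rather than unpacking it onto the new host: an attacker who had code execution may have modified files under the installation directory.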

Nikolaus Rupp September 30, 2021

Hi @AL

that's basically the worst-case scenario I had strongly hoped to be able to avoid.

So you're saying that I can back up the installation and home folders and move to a new server? It was my understanding that I would (at least) need to back up the Confluence MySQL DB as well?!

Furthermore:
I could not find detailed explanation on what the injection actually does. Is it "just" rendering the server useless, or is it actually stealing data from the confluence database?

Thanks in advance

--Niko

bill_bailey September 30, 2021

I got hit with this under Centos. Cryptominer scum. It chews up your memory and CPU so that your Confluence instance is starved. I was never able to fully remove the threat, but I was able to block the websites it was downloading from, so that I could kill the miner and it would not respawn.

My suggestion is to immediately perform a system backup. And I think it is easier to spin up a new instance and then restore your backup to the new instance.

Good luck.
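As an added example, not from the thread: a small persistence sweep for the respawning-miner situation bill_bailey describes. The text-processing functions work on saved crontab and `ps` output as well as live, so they can be run against a quarantined image; `sweep_host` strings them together on a running Linux host. The patterns are generic dropper habits (fetch-and-pipe-to-shell, base64 payloads, binaries under world-writable directories), not indicators from this incident, and the sample input used in the test is constructed for demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: a persistence sweep for a miner that
# keeps coming back after Confluence starts. flag_cron_lines and
# flag_hot_processes work on text, so they can be run over saved output from
# the infected box as well as live. SUSPECT_RE encodes generic dropper habits,
# not indicators from this incident.
set -eu

# Fetch-and-pipe-to-shell, base64-decoded payloads, or anything executed
# from a world-writable directory.
SUSPECT_RE='(curl|wget)[^|]*\|[[:space:]]*(ba)?sh|base64[[:space:]]+(-d|--decode)|/(tmp|dev/shm|var/tmp)/[^[:space:]]+'

# stdin: crontab text. stdout: non-comment lines matching SUSPECT_RE.
flag_cron_lines() {
    grep -Ev '^[[:space:]]*(#|$)' | grep -E "$SUSPECT_RE" || true
}

# stdin: output of `ps -eo pid,pcpu,user,args`. stdout: rows at or above the
# given %CPU (arg 1), header dropped. A starved JVM next to one hot unknown
# process is the classic miner picture bill_bailey describes.
flag_hot_processes() {
    awk -v t="$1" 'NR > 1 && $2 + 0 >= t { print }'
}

# stdin: any text. stdout: URLs found in it, one per line, to feed the block
# list (firewall or /etc/hosts) so the dropper cannot re-download after the
# miner process is killed.
extract_urls() {
    grep -oE "https?://[^[:space:]|\"']+" || true
}

# Live sweep of the usual restart points on this host (not run by the test).
sweep_host() {
    echo '== user crontabs'
    for u in $(cut -d: -f1 /etc/passwd); do
        crontab -l -u "$u" 2>/dev/null | sed "s/^/$u: /"
    done | flag_cron_lines
    echo '== system cron'
    cat /etc/crontab /etc/cron.d/* 2>/dev/null | flag_cron_lines
    echo '== hot processes (>= 80% CPU)'
    ps -eo pid,pcpu,user,args | flag_hot_processes 80
    echo '== /etc/ld.so.preload (normally absent or empty)'
    if [ -s /etc/ld.so.preload ]; then cat /etc/ld.so.preload; fi
    echo '== enabled services mentioning suspect paths'
    systemctl list-unit-files --type=service --state=enabled 2>/dev/null \
        | grep -E "$SUSPECT_RE" || true
}
```

Run `sweep_host` as root with Confluence stopped; anything it flags is a candidate for what restarts the miner, and the URLs from `extract_urls` are what to block before killing the process, so that the kill sticks. A clean result from this sweep is not proof the host is clean, which is why the thread's advice to rebuild on a new system still stands.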

Nikolaus Rupp October 1, 2021

Thanks @bill_bailey for your input.

However, that does not resolve my problem / question regarding the backup / restore process and its safety with regard to the injection.

@Alexis Robert, can you help?

Thanks a million in advance.
