Security Advisory for Confluence Server and Data Center, August 2021

This article concerns a critical security vulnerability in Confluence Server and Confluence Data Center.

We recommend that you upgrade to a fixed version as soon as possible to ensure that you are not affected. If you are unable to upgrade Confluence immediately, then apply the temporary workaround as mentioned in the advisory. Please see the full advisory to learn more and access the fixed versions:

If you have questions related to the advisory, upgrades, or migrations, please ask a new question here on Community. Please mention your question relates to CVE-2021-26084. Alternatively, you may comment on this article and we will convert your post to a question in order to best help you get an answer.

2 comments

We're running Confluence Server 7.4.9 and our [gear] -> User management page doesn't have anything about user signup options. There is no 'Allow people to sign up to create their account' setting on that page. 

Is there somewhere else we should be looking for this setting?

Malcolm Ninnes
Atlassian Team
Aug 25, 2021

Hi @Colin Murtaugh

If you're running Confluence Server 7.4.9 then you're vulnerable to the issue outlined in the advisory, regardless of whether you allow people to sign up to create their own account or not.

We've reworded the advisory (Confluence Security Advisory CVE-2021-26084 - OGNL injection - 2021-08-25) in the last few hours to remove any ambiguity regarding the user signup settings. Regardless of that setting, Confluence 7.4.9 is still vulnerable via other endpoints.

As such, Atlassian recommends running the workaround/mitigation script even if 'Allow people to sign up to create their own account' is disabled. There are several endpoints identified that expose Confluence to CVE-2021-26084, so applying the workaround script will temporarily mitigate against the known vulnerable endpoints until you can upgrade to a version that fixes this permanently. In your case, upgrading to 7.4.11 is probably the easiest. The issue is fixed in 7.4.11.

Hope this helps!
