The Jenkins team issued a reminder over the weekend that one should keep one’s systems patched as it found itself with a compromised Confluence service.
Although the affected instance of Confluence integrated with the company’s identity system (which also handles the likes of Jira and Artifactory), the group said: “At this time we have no reason to believe that any Jenkins releases, plugins, or source code have been affected.”
It is, however, a bit alarming. Atlassian warned users of the injection vulnerability back in August. While the cloud-hosted version of Confluence was not affected, a server or data centre instance most definitely was. Things have escalated somewhat since then.
The affected server had been deprecated by the Jenkins team back in 2019, with documentation and changelogs shunted into GitHub. That said, although it looks like the exploit was used to install a Monero miner in the container running the service, the team has assumed the worst. It did, however, say: “We do not have any indication that developer credentials were exfiltrated during the attack.”
To the sound of the stable door banging in the breeze, the Jenkins infrastructure team said that the Confluence service had now been permanently disabled, privileged credentials rotated, and potentially affected infrastructure not under its direct management scrutinised.
The attack on the Jenkins Confluence service came as the original security advisory was updated to reflect that the vulnerability was being actively exploited and, worse, that “the vulnerability is exploitable by unauthenticated users regardless of configuration.”
Yikes.
Dubbed “Confluenza”, there remain an awful lot of vulnerable servers still exposed. The figure is, however, dropping rapidly. Researchers at Censys blogged that the company had 14,637 exposed servers in its historical data. That number dropped to 11,689 by 2 September and fell further to 8,597 by the weekend as administrators worked to either yank afflicted servers off the internet or apply Atlassian’s patches.
The seriousness of the situation was underlined by the US Cyber National Mission Force. ®
Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate. Please patch immediately if you haven’t already— this cannot wait until after the weekend.
— USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert) September 3, 2021