The open source automation server Jenkins has disclosed a successful attack on its Confluence service.
Attackers abused an Open Graph Navigation Library (OGNL) injection flaw – the same vulnerability type involved in the notorious 2017 Equifax hack – capable of leading to remote code execution (RCE) in Confluence Server and Data Center instances.
Rated CVSS 9.8, the bug (CVE-2021-26084) was disclosed in a Confluence security advisory published on August 25, The Daily Swig reports.
David Kennefick, product architect at Edgescan, explained: “This used to be a much larger problem than today. Transitioning towards the cloud version of Confluence has certainly helped organisations be more aware of their exposures. Having said that this is something we still sporadically see in the wild.”
“We had one instance where a private Confluence instance was open and available unauthenticated, nobody within the customer organisation realised this until our testers pointed it out. As SSO was implemented they has assumed that SSO had seamlessly happened and didn’t take any notice. While not complacent, organisations need to have smoke tests in place to make sure potentially sensitive resources are not open to the whole internet,” he added.
In a blog post, Jenkins has stated:
Earlier this week the Jenkins infrastructure team identified a successful attack against our deprecated Confluence service. We responded immediately by taking the affected server offline while we investigated the potential impact. At this time we have no reason to believe that any Jenkins releases, plugins, or source code have been affected.
Thus far in our investigation, we have learned that the Confluence CVE-2021-26084 exploit was used to install what we believe was a Monero miner in the container running the service. From there an attacker would not be able to access much of our other infrastructure. Confluence did integrate with our integrated identity system which also powers Jira, Artifactory, and numerous other services.
The trust and security in Jenkins core and plugin releases is our highest priority. We do not have any indication that developer credentials were exfiltrated during the attack. At the moment we cannot assert otherwise and are therefore assuming the worst. We are taking actions to prevent releases at this time until we re-establish a chain of trust with our developer community. We have reset passwords for all accounts in our integrated identity system. We are improving the password reset system as part of this effort.
At this time, the Jenkins infrastructure team has permanently disabled the Confluence service, rotated privileged credentials, and taken proactive measures to further reduce the scope of access across our infrastructure. We are working closely with our colleagues at the Linux Foundation and the Continuous Delivery Foundation to ensure that infrastructure which is not directly managed by the Jenkins project is also scrutinized.
