Log in
Show password
Forgot password ?
Become a member for free
Sign up
Sign up
New member
Sign up for FREE
New customer
Discover our services
Dynamic quotes 
  1. Homepage
  2. Equities
  3. Canada
  4. Toronto Stock Exchange
  5. BlackBerry Limited
  6. News
  7. Summary
    BB   CA09228F1036


SummaryMost relevantAll NewsAnalyst Reco.Other languagesPress ReleasesOfficial PublicationsSector newsMarketScreener Strategies

Red Team: An Offensive Perspective on the Confluence Vulnerability (CVE-2021-26084)

09/14/2021 | 11:52am EDT
Red Team: An Offensive Perspective on the Confluence Vulnerability (CVE-2021-26084)

The BlackBerry® Incident Response team recently covered the most common attacker tactics, techniques, and procedures (TTPs) for the recently disclosed Confluence Server and Data Center vulnerability (CVE-2021-26084) in our Blue Team defensive perspective article.

In this article, we'll examine how this vulnerability is viewed from an offensive perspective, so you can discover and properly convey the risk within your environment. (As a quick reminder: You should only test your own systems after obtaining sufficient permission!)

The techniques covered below are useful in discovering unknown systems that could be affected. If you have a known affected system, such as in the case of an active threat actor breach, we recommend checking for signs of exploit before performing any of the discovery and validation steps below.

Discovery and Identification

In an ideal world, everyone would know every asset in their environment, along with the OS and application versions for everything running. But our environments are dynamic, and employees can stand up hosts and software - such as Confluence servers - without proper approval or documentation. We will cover a few of the potential methods to discover and identify these potentially vulnerable devices.

Version Information

The Confluence version can be found in multiple ways. The easiest method is to simply browse to the Confluence main page (Figure 1).

Figure 1: Version disclosure on the main page (Confluence 7.12.0)

Vulnerability Scanning

We are not promoting any specific vulnerability scanners; however there are at least three with plugins that can be used to discover Confluence servers and check for the presence of CVE-2021-26084:

  • Tenable Nessus (Plugin ID: 152864)
  • Rapid7 - InsightVM and Nexpose customers are covered in the Aug. 26, 2021, content release
  • Qualys - Local check (Qualys ID: 375839) and Remote check (Qualys ID: 730172)

Qualys has also provided a description for how the plugins function. You could also script these checks if you need a low-tech, inexpensive discovery method.

The local Qualys checks for the vulnerable version of the Confluence Server searches for the presence of the following registry key:

  • 32-bit: 'HKLMSOFTWAREMicrosoftWindowsCurrentVersionUninstall'
  • 64-bit: 'HKLMSOFTWAREWow6432NodeMicrosoftWindowsCurrentVersionUninstall'

The remote Qualys check tries two different unauthenticated methods:

1. It sends a crafted HTTP POST request to 'pages/createpage-entervariables.action' and/or 'pages/doenterpagevariables.action' to check if the target is vulnerable.

2. If the aforementioned technique doesn't work, it checks for the vulnerable version of Atlassian Confluence using a GET request to the login.action page.


To manually confirm whether the Confluence Server is vulnerable, send a POST request using curl to the /pages/createpage-entervariables.action page. The following example sends 'queryString=vulnerable' to the server. If the string is reflected in the response page, then the application is vulnerable to CVE-2021-26084 (see Figure 2).

curl -k -X $'POST' -H $'Host:' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0' -H $'Accept: */*' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 22' -H $'Origin:' -H $'Connection: close' --data-binary $'queryString=vulnerable' $'' --trace-ascii - -s | grep query

Figure 2: Reflected response from Confluence


As of Sept. 8, 2021, a Metasploit module was available to detect and exploit vulnerable Confluence servers. To perform this, grab the latest Metasploit version that includes the 'atlassian_confluence_webwork_ognl_injection' module. Start msfconsole and use the commands below to load the exploit and to set the local and remote addresses. The default shell is a reverse bash shell, which is demonstrated in the following:

use exploit/linux/http/atlassian_confluence_webwork_ognl_injection



If successful, you will gain a shell under the context of the Confluence user (Figure 3).

Figure 3: Exploitation using the Metasploit module, gaining access as the Confluence Server user

Once a shell is gained on the server, post-exploitation is limited only by the attacker's imagination. Report this finding immediately, then move to secure this host using the recommendations in the next section.

Actions to Take

After obtaining the version number of your Confluence Server or Data Center, check this list to see if you have an on-premise, affected version of the software. If you are running an affected version, the next step is to upgrade to a fixed version, if you're able to do so. If you are not able to upgrade, implement the temporary workaround supplied by Atlassian.

Finally, it's critical to check for signs of compromise on the Confluence host and surrounding environment. We listed some of the attacker techniques in the previous Blue Team defensive perspective article that should be detected if compromise has occurred.

Check the entire file system for any signs of web shells. Note that attackers can use very small web shells such as China Chopper, which can time-match itself to surrounding files to blend in and avoid detection.

Once you have confirmed the vulnerability (possibly using the methods above) and neutralized it, use the experience to convey the importance of security within your organization. There are plenty of security initiatives that can help mitigate the risk of these vulnerabilities, such as the following:

  • Asset management
  • Vulnerability management
    • Scanning
    • Tracking to remediation
    • Confirmation of remediation
  • Endpoint Protection (EPP) software
  • Endpoint Detection and Response (EDR) software
  • Centralized log collection and correlation

The ability to detect, mitigate, and prevent should be top of mind for all organizations.

BlackBerry Cyber Suite and BlackBerry Guard stop these attacks

If in doubt regarding any of the steps in this article, call in the experts at BlackBerry to perform a Red Team assessment or forensic analysis, or to conduct a compromise assessment. BlackBerry customers can feel confident that our AI-driven BlackBerry® Cyber Suite, as well as our Managed Detection & Response (MDR) solution BlackBerry® Guard, are well-equipped to mitigate the risks posed by these continued external-facing vulnerabilities.

Core technology includes:

  • BlackBerry® Protect provides automated malware prevention, application and script control, memory protection, and device policy enforcement.
  • BlackBerry® Optics extends the threat prevention by using BlackBerry Optics Context Analysis Engine (CAE) rules to provide additional telemetry. The following rules were effective at identifying exploitation of the vulnerability:
    • Certutil Abuse
    • Powershell Download
    • Powershell Encoded Command
    • One-Liner ML Module
    • Account Discovery
Victim of an Attack?

In the unfortunate event that it is too late for prevention and you believe you have already been the victim of an attack, please contact us, regardless of your existing BlackBerry relationship.

The BlackBerry Incident Response team is made up of world-class consultants dedicated to handling response and containment services for a wide range of incidents, including ransomware and Advanced Persistent Threat (APT) cases.

About Tony Lee

Vice President, Global Services Technical Operations, BlackBerry

Tony Lee has more than fifteen years of professional research and consulting experience pursuing his passion in all areas of information security.

As an avid educator, Tony has instructed thousands of students at many venues worldwide, including government, universities, corporations, and conferences such as Black Hat. He takes every opportunity to share knowledge as a contributing author to Hacking Exposed 7, and is also a frequent blogger, researcher, and author of white papers on topics ranging from Citrix Security, the China Chopper Web shell, and Cisco's SYNFul Knock router implant.

Over the years, he has contributed many tools to the security community such as UnBup, Forensic Investigator Splunk app, and CyBot, the extensible Threat Intelligence Bot framework designed for anyone from a home user to a SOC analyst.

About Brent Nicorvo

Senior Manager of Professional Services Consulting (Red Team), BlackBerry.



BlackBerry Ltd. published this content on 14 September 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 14 September 2021 15:51:05 UTC.

ę Publicnow 2021
10/15SOCIAL BUZZ : Wallstreetbets Move Higher, While Virgin Galactic, Corsair Gaming Decline
10/15BLACKBERRY : Shines Spotlight on Evolving Cobalt Strike Threat in New Book
10/15BLACKBERRY : Announces XDR Ecosystem Partners Okta, Mimecast, Stellar Cyber and XM Cyber
10/14SOCIAL BUZZ : Ocugen, AMC, BlackBerry Top WallstreetBets Stock Gainers at Thursday Close
10/14SOCIAL BUZZ : BlackBerry Seeing Late Day Strength
10/14SOCIAL BUZZ : Wallstreetbets Stocks Mostly Trend Higher; SoFi Technologies, Plug Power in ..
10/13BLACKBERRY : Toronto market notches 4-week high as U.S. inflation heats up
10/13SOCIAL BUZZ : Wallstreetbets Stocks BlackBerry, GameStop, Alibaba Move Higher; SmileDirect..
More news
Analyst Recommendations on BLACKBERRY LIMITED
More recommendations
Financials (USD)
Sales 2022 726 M - -
Net income 2022 -371 M - -
Net Debt 2022 408 M - -
P/E ratio 2022 -15,9x
Yield 2022 -
Capitalization 5 878 M 5 881 M -
EV / Sales 2022 8,66x
EV / Sales 2023 7,04x
Nbr of Employees 3 497
Free-Float 98,5%
Duration : Period :
BlackBerry Limited Technical Analysis Chart | MarketScreener
Full-screen chart
Technical analysis trends BLACKBERRY LIMITED
Short TermMid-TermLong Term
Income Statement Evolution
Mean consensus SELL
Number of Analysts 9
Last Close Price 10,37 $
Average target price 6,10 $
Spread / Average Target -41,1%
EPS Revisions
Managers and Directors
John S. Chen Executive Chairman & Chief Executive Officer
Steve Rai Chief Financial Officer
Charles Eagan Chief Technology Officer
Christopher Hummel Chief Information Officer
Randall Cook Secretary, Chief Legal, Compliance & Risk Officer
Sector and Competitors
1st jan.Capi. (M$)
SEA LIMITED78.10%195 739