Jenkins struck by 'Confluenza' as US Cyber Command warns Atlassian flaw 'cannot wait'
The Jenkins team issued a reminder over the weekend that one should keep one's systems patched as it found itself with a compromised Confluence service.
Although the affected Confluence instance was integrated with the project's identity system, the group said: "At this time we have no reason to believe that any Jenkins releases, plugins, or source code have been affected."
The affected server had been deprecated by the Jenkins team back in 2019, with documentation and changelogs shunted into GitHub.
To the sound of the stable door banging in the breeze, the Jenkins infrastructure team said that the Confluence service had now been permanently disabled, privileged credentials rotated, and potentially affected infrastructure not under its direct management scrutinised.
The attack on the Jenkins Confluence service came as the original security advisory was updated to reflect that the vulnerability was being actively exploited and, worse, that "The vulnerability is exploitable by unauthenticated users regardless of configuration."
Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate.
News URL
https://go.theregister.com/feed/www.theregister.com/2021/09/06/jenkins_confluence_compromised/
Related Vulnerability
| Date | CVE | Vulnerability title | Risk (CVSS) |
|---|---|---|---|
| 2021-08-30 | CVE-2021-26084 | Expression Language Injection vulnerability in Atlassian Confluence Data Center and Confluence Server. In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. | 9.8 |