Finding Confluence servers with Rumble

September 9, 2021, by Pearce Barry

The U.S. Cyber Command recently reported “mass exploitation” of a code execution vulnerability in Atlassian’s popular Confluence software (CVE-2021-26084). This vulnerability has a CVSS Base score of 9.8 (considered “critical”), requires no authentication for exploitation, and affects many on-prem versions of the product (Atlassian says that Confluence Cloud customers are not affected). Public reports of exploitation are surfacing, including a Confluence instance of the Jenkins project compromised for cryptomining purposes.

Atlassian has provided fixed versions that on-prem Confluence admins should upgrade to as soon as possible, as well as mitigations for those who cannot upgrade immediately. As an aside, there have been some interesting events around the leaking of a private exploit PoC during disclosure with a vulnerable party.

Finding Confluence servers with Rumble

From the Services Inventory, use the following pre-built query to locate systems in your network that are running Confluence:

_asset.protocol:http AND has:http.head.xConfluenceRequestTime

As always, any prebuilt queries we create are available from our Queries Library. Check out the library for other useful inventory queries.
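To spot-check what the query keys on outside of Rumble, the added example below (not Rumble's code) scans captured HTTP response heads from your own assets for the X-Confluence-Request-Time header. The header-to-attribute mapping is an assumption inferred from the query's attribute name, and the sample captures are constructed.

```python
import io
from http.client import parse_headers

# Response header behind the query's attribute name (assumed mapping:
# X-Confluence-Request-Time -> http.head.xConfluenceRequestTime).
MARKER = "X-Confluence-Request-Time"


def attr_name(header):
    """Camel-case a header name the way the query's attribute appears to be built."""
    first, *rest = header.split("-")
    return "http.head." + first.lower() + "".join(p.capitalize() for p in rest)


def marker_value(raw_head):
    """Return the marker header's value from a raw HTTP response head, or None."""
    status, sep, header_block = raw_head.partition(b"\r\n")
    if not sep or not status.startswith(b"HTTP/"):
        return None  # not an HTTP response; ignore rather than guess
    headers = parse_headers(io.BytesIO(header_block))
    return headers.get(MARKER)  # header lookup is case-insensitive


def find_confluence(captures):
    """Map each asset whose response carries the marker header to its value."""
    hits = {}
    for asset, raw in captures.items():
        value = marker_value(raw)
        if value is not None:
            hits[asset] = value
    return hits


# Constructed sample captures (documentation addresses, made-up values).
SAMPLE = {
    "192.0.2.10:8090": b"HTTP/1.1 302 Found\r\nX-Confluence-Request-Time: 1631200000000\r\nLocation: /login.action\r\n\r\n",
    "192.0.2.11:443": b"HTTP/1.1 200 OK\r\nserver: nginx\r\nx-confluence-request-time: 1631200000123\r\n\r\n",
    "192.0.2.12:80": b"HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n",
    "192.0.2.13:22": b"SSH-2.0-OpenSSH_8.4\r\n",
}

if __name__ == "__main__":
    for asset, value in sorted(find_confluence(SAMPLE).items()):
        print(f"{asset}\t{attr_name(MARKER)}={value}")
```

The second sample shows why the match has to be case-insensitive: a reverse proxy in front of Confluence may lowercase header names while still passing the header through.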

Try Rumble

Don’t have Rumble and need help finding your Confluence servers? Start your Rumble trial today.
