in regards to Confluence Security Advisory - 2021-08-25

Jason Ferris
Contributor
August 25, 2021

Hello,

Quick question. We do not have this checkbox checked in our Confluence regarding the vulnerability. Does this mean the temporary workaround does not have to be implemented, or should it be run regardless? We are not able to update Confluence at this time but will in the future here.

Just checking before I shrug this one off. If I need to implement the temporary workaround regardless, I can do that.

Thank you!

2 answers

1 accepted

1 vote
Answer accepted
Malcolm Ninnes
Atlassian Team
August 25, 2021

Hey there @Jason Ferris 

Atlassian recommends running the workaround script even if 'Allow people to sign up to create their own account' is disabled. There are several endpoints identified that expose Confluence to CVE-2021-26084, so applying the workaround script will temporarily mitigate against the known vulnerable endpoints until you can upgrade to a version that fixes this permanently.

We've reworded the advisory (Confluence Security Advisory CVE-2021-26084 - OGNL injection - 2021-08-25) to remove any ambiguity.

Hope this helps!

Kian Stack Mumo Systems
Community Leader
August 26, 2021

Thanks for following up @Malcolm Ninnes!

Jason Ferris
Contributor
August 26, 2021

@Malcolm Ninnes Thank you very much for the confirmation! I will go ahead and implement the workaround. 

1 vote
Kian Stack Mumo Systems
Community Leader
August 25, 2021

My reading of the vulnerability would be that you do not need to worry if the feature is not enabled, but I would double check that before deciding not to upgrade. Several people have asked the same question on this ticket, so I would add yourself as a watcher to see any response from Atlassian. 

Jason Ferris
Contributor
August 26, 2021

@Kian Stack Mumo Systems Thank you! Seems like you do have to run the workaround even if not checked, per Malcolm.

Vedant Kulkarni_Trundl
Rising Star
September 7, 2021

@Kian Stack Mumo Systems Does this vulnerability issue have an impact on Confluence running behind the VPN? Some of the customers have not exposed their Confluence publicly.

Kian Stack Mumo Systems
Community Leader
September 7, 2021

@Vedant Kulkarni_Trundl

I would still perform the upgrade. The security vulnerability is less likely to be exploited if your instance is behind a firewall, but it is still a big vulnerability that should be taken care of.

DEPLOYMENT TYPE
SERVER
TAGS