US government security experts have urged system administrators to patch two critical flaws in widely used Cisco and Atlassian products that expose them to compromise.
In a rare move, US Cyber Command took to Twitter before the Labor Day holiday weekend on Friday to address the Atlassian bug.
“Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate. Please patch immediately if you haven’t already—this cannot wait until after the weekend,” it warned.
Atlassian issued a patch for the vulnerability in its popular web-based collaboration platform on August 25. The developer said that, if exploited, the Open Graph Navigation Library (OGNL) bug would allow an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance.
OGNL was also exploited by the attackers who breached Equifax in 2018 via the Apache Struts 2 vulnerability CVE-2018-11776.
Also, at the end of last week, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert urging admins to patch a critical vulnerability affecting Cisco Enterprise Network Function Virtualization Infrastructure Software (NFVIS).
Impacting version 4.5.1 of the product, CVE-2021-34746 could allow a remote attacker to take control of an affected system.
“This vulnerability is due to incomplete validation of user-supplied input that is passed to an authentication script,” Cisco explained.
“An attacker could exploit this vulnerability by injecting parameters into an authentication request. A successful exploit could allow the attacker to bypass authentication and log in as an administrator to the affected device.”
There are no workarounds to address the vulnerability, leaving patching as the only option for impacted organizations.
The two alerts came as US government experts warned that ransomware threat actors are increasingly likely to strike ahead of holiday weekends.
Alongside prompt patching, national security advisor Anne Neuberger recommended that organizations deploy multi-factor authentication, up-to-date backups and strong passwords. She also recommended that organizations review their incident response plans.