Last updated 2021-09-10 UTC 11:55


On August 25, 2021, Atlassian released a security advisory detailing a vulnerability in their on-premises Confluence Server and Confluence Data Center products.

The advisory contained instructions to immediately upgrade to resolve the vulnerability. If a system is unpatched, the vulnerability could be exploited by threat actors to bypass authentication allowing them to take over unpatched systems.

The US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on September 3, 2021, to warn of active exploitation of the vulnerability by threat actors.  

The vulnerability exists in Confluence’s use of OGNL (Object-Graph Navigation Language), a scripting language for interacting with Java code, in the tag system. The vulnerability enables arbitrary injection of OGNL code which can be used to achieve remote and arbitrary code execution. Proof of Concept exploit code was made publicly available on September 1, 2021, arming threat actors with an easy method to exploit and study this vulnerability. As a result, the vulnerability was assigned a severity score of 9.8 out of a maximum of 10.

Sophos recommends that you follow the steps detailed in the Atlassian security advisory to address or remediate the issue.


Sophos Protections

The Sophos Managed Threat Response (MTR) team immediately began to hunt and investigate in MTR customer environments to determine if any activity was related this vulnerability. Additionally, they looked to uncover any new artefacts (e.g. IOCs) related to the attack that could provide further protection for all Sophos customers. 

SophosLabs has detections in place for all Sophos customers for the common payloads seen so far.

If you are a Sophos XDR customer, this XDR query will help you determine whether you are running the patched versions of the Atlassian products or not. 

IPS Signatures have been published:

  • XG Firewall: 58093 and 58094
  • SG UTM: 58093 and 58094
  • Endpoint: 2306027

More information


Change Log

  • 2021-09-06 UTC 16:44 Initial publication
  • 2021-09-07 UTC 09:18 Minor wording changes
  • 2021-09-07 UTC 13:25 Added link to XDR Query
  • 2021-09-07 UTC 13:40 Added IPS details
  • 2021-09-08 UTC 08:35 Added SG UTM IPS details
  • 2021-09-10 UTC 11:55 Added Endpoint IPS details