Weekly threat roundup: Atlassian, Microsoft Office, Zoho ManageEngine

Graphic showing a red unlocked padlock surrounded by blue locked padlocks
(Image credit: Shutterstock)

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It’s become typical, for example, to expect dozens of patches to be released on Microsoft’s Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

Atlassian Confluence is under attack

US officials have warned businesses that a vulnerability in the Atlassian Confluence workplace collaboration platform is being exploited on a massive scale.

Although Atlassian has issued a patch for the critical flaw tracked as CVE-2021-26084, researchers have detected mass scanning and exploit activity from hackers in a number of regions, including China and Brazil. Atlassian hasn’t revealed the exploit mechanism, although it’s described the flaw as a Confluence Server Websork OGNL injection.

The bug, rated 9.8 out of ten on the CVSS threat severity scale, lies in the Atlassian Confluence Server and Confluence Data Center products and can allow an unauthorised attacker to execute arbitrary code on either. Confluence Cloud, which is hosted on public cloud environments, isn’t affected.

Microsoft users targeted with malicious Office files

Hackers are exploiting a vulnerability in the browser engine that powers Internet Explorer to target Windows users with malicious Microsoft Office documents.

The flaw, tracked as CVE-2021-40444, is a remote code execution zero-day embedded in MSHTML, an engine also known as Trident, and is rated 8.8 out of ten on the CVSS threat severity scale. This bug is under limited and targeted exploitation, according to the firm.

Exploitation involves an attacker crafting a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. These are small programmes for Internet Explorer and other Windows apps used to add more functionality to the core software. Once an attacker’s written the malicious ActiveX control, they would then need to convince a victim to open the malicious file.

HAProxy susceptible to HTTP request smuggling attacks

A critical flaw in HAProxy, a widely-used open source load balancer and proxy server, can be exploited to smuggle HTTP requests. This might lead to hackers accessing sensitive data and launching a variety of attacks, according to researchers with JFrog Security.


Defeating ransomware with unified security from WatchGuard

How SMBs can defend against the onslaught of ransomware attacks


This integer overflow vulnerability, tracked as CVE-2021-40346, exists in HAProxy 2.0 through 2.5 in the htx_add_header() component and can allow an attacker to tamper with the way a site processes a sequence of HTTP requests. This abuses parsing inconsistencies between how front-end and band-end servers process the HTTP requests.

The consequences of a successful attack include gaining access to sensitive data, executing unauthorised commands or modifying data, hijacking user sessions, and exploiting a reflected cross-site scripting (XSS) vulnerability without user interaction.

CISA warns that Zoho ManageEngine is being targeted

The US cybersecurity and infrastructure agency (CISA) has revealed that a zero-day flaw affecting Zoho ManageEngine ADSelfService Plus is being exploited in the wild.

ManageEngine ADSelfService Plus is a self-service password management and single sign-on (SSO) system for Active Directory and cloud applications that allows IT admins to enforce two-factor authentication (2FA) across their systems.

Tracked as CVE-2021-40539, this vulnerability is described as an authentication bypass flaw that can lead to remote code execution. Zoho has described it as a “critical issue”, given that it allows attackers to gain unauthorised access to the product through REST API endpoints by sending a specially crafted request.

Customers can protect themselves against attacks by updating ADSelfService Plus to the latest build, 6114.

Keumars Afifi-Sabet
Features Editor

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.