C3RB3R ransomware and xwiki

My self-hosted XWiki instance (on Ubuntu 20.04) was attacked by C3RB3R ransomware; all files were encrypted and a .LOCK3D postfix was added to those files. I wonder how they could get in. I have found out that there was a critical issue with Atlassian servers that could be exploited (using some Java component). I wonder if that applies to XWiki, or if someone has experienced something similar.

It’s not very clear what the root cause of this vulnerability is, but my understanding is that it seems to be very specific to Confluence, so I don’t really see how XWiki could have the same problem.

Were only the XWiki data files encrypted, or the whole server?

There has been a critical issue with XWiki, fixed in XWiki 15.10.x (and 16.x, and 14.10.20).
This allowed running commands on the server as the same user the servlet container is running as. It should not be able to encrypt other files not writable by that user, but maybe that security issue has been used to install further malware that exploited another vulnerability of the OS to get more access.
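
A triage sketch for the two questions raised in the thread (which files were encrypted, and whether the damage stays within what the servlet container's account could write), added here as an example and not written by any participant. It counts files carrying the `.LOCK3D` suffix per owning uid and reports the modification-time window to line up against access logs. Assumptions: the malware left modification times untouched, and ownership is only an indicator, because a file owned by another account may simply have been group- or world-writable.

```python
import os
import pwd
import sys
import time
from collections import defaultdict

SUFFIX = ".LOCK3D"  # suffix reported in the thread


def scan_locked(root, suffix=SUFFIX):
    """Walk root without following symlinks; group suffixed files by owner uid.

    Returns {uid: {"count": n, "first": earliest_mtime, "last": latest_mtime}}.
    """
    stats = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            if not name.endswith(suffix):
                continue
            try:
                st = os.lstat(os.path.join(dirpath, name))
            except OSError:
                continue  # file vanished or is unreadable; skip it
            s = stats[st.st_uid]
            s["count"] += 1
            s["first"] = st.st_mtime if s["first"] is None else min(s["first"], st.st_mtime)
            s["last"] = st.st_mtime if s["last"] is None else max(s["last"], st.st_mtime)
    return dict(stats)


def outside_account(stats, servlet_uid):
    """Uids other than the servlet container's that own encrypted files."""
    return sorted(uid for uid in stats if uid != servlet_uid)


if __name__ == "__main__":
    # Usage: script.py <root directory> <servlet container account name>
    root, user = sys.argv[1], sys.argv[2]
    stats = scan_locked(root)
    for uid, s in sorted(stats.items()):
        print(uid, s["count"], time.ctime(s["first"]), "->", time.ctime(s["last"]))
    others = outside_account(stats, pwd.getpwnam(user).pw_uid)
    # Any uid listed here means the encryption reached files of another account.
    print("owners other than", user + ":", others)
```

An empty list on the last line is consistent with the damage being limited to the servlet container's account; any other uid there is a reason to look for privilege escalation or overly permissive file modes.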