Flash Notice Update 6/6/2022: CRITICAL CONFLUENCE ZERO-DAY VULNERABILITY EXPLOITED BY ATTACKERS
Over the weekend, a proof-of-concept (POC) for the critical Atlassian Confluence vulnerability (CVE-2022-26134) was released, sparking a slew of exploit attempts. According to the cyber security firm, GreyNoise, since the POC was released, the number of unique IP addresses with successful exploit attempts has gone from zero to 727.
Atlassian has since released a patch for the vulnerability - an OGNL injection vulnerability that allows an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance. The patch addresses the following released versions:
Atlassian recommends that you patch all Confluence and Data Center servers immediately by following their instructions, which you can find here. If you are unable to patch your servers, Atlassian has issued mitigations for Confluence 7.0.0 through version 7.18.0, which you can find here.
A critical unpatched remote code execution vulnerability was found in Atlassian’s Confluence Server and Data Center products. CVE-2022-26134 is actively being exploited by attackers and affects all supported versions of Confluence Server and Data Center products.
According to Atlassian, CVE-2022-26134 is a command injection vulnerability that allows attackers to achieve unauthenticated remote code execution on the server, while also allowing them to use the foothold to drop the Behinder webshell.
CVE-2022-26134 was detected by Volexity (an Australian software company) over Memorial Day weekend within the U.S. The vulnerability was found during an incident response investigation including two internet-facing web servers belonging to their customers. Volexity stated that after the attacker successfully exploits the Confluence Server systems, they deploy a memory copy of the Behinder implant – a popular web server implant with source code available on GitHub. The implant includes memory-only webshells and built-in support for interaction with Meterpreter and Cobalt Strike.
Volexity further stated that in addition to deploying Behinder, the attacker added backup mechanisms to make sure they retained access to the Confluence server system just in case it was later cleaned up. Atlassian expects a fix to be available for customer download within 24 hours – end of day on June 3, 2022. In the interim, Atlassian is asking customers to work with their security teams to consider the best course of action, including:
Atlassian is unsure of the earliest affected versions of Confluence Server and Data Center and there is no patch available. However, Atlassian stated they are making it their highest priority to issue a fix for the vulnerability.
If you can’t do the above, Atlassian recommends implementing their temporary mitigations. Researchers suspect that CVE-2022-26134 is being used by multiple threat actors whose country of origin is more than likely China. By exploiting the vulnerability, attackers can gain access to sensitive information on networks and systems. If your organization uses Atlassian’s Confluence Server and Data Center Products, please follow the below mitigations to keep your organization safe.
Related Reading: API Attacks & Best Practices