Atlassian releases patch for Critical Confluence Zero-Day
Third-party risk management, Access management, Application security
All supported versions of Confluence Server and Data Center are affected
Mihir Bagwe (MihirBagwe) •
June 4, 2022
Atlassian released a patch for its Confluence workspace collaboration tool, which is targeted in the wild with a zero-day vulnerability that gives attackers unauthenticated remote code execution privileges. The vulnerability, tracked as CVE-2022-26134, has a CVSS score of 10 out of 10 for criticality.
“All supported versions of Confluence Server and Data Center are affected,” reports Atlassian. The vulnerability exists in all versions after 1.3.0, according to its updated security advisory.
Researchers at Volexity, the cybersecurity company that reported the zero-day to Atlassian, recommended in their security blog post that Confluence users apply patches “immediately” as soon as they become available, “because this vulnerability is dangerous and trivially exploited”.
The US Cybersecurity and Infrastructure Security Agency, which has already added CVE-2022-26134 to its catalog of known exploited vulnerabilities, has asked all federal agencies to immediately block all internet traffic to and from the Confluence Server and Data Center products in use in their environments. Additionally, it ordered federal agencies “either to apply the software update to all affected instances or remove the affected products by 5 p.m. ET on Monday, June 6, 2022.”
Affected and fixed versions
The vulnerability affects all supported versions of Atlassian’s Confluence Server and Data Center products. But on an issue tracking page, Atlassian provides detailed information about these releases and the corresponding fixes made available:
“The versions affected are 1.3.0 before 7.4.17, 7.13.0 before 7.13.7, 7.14.0 before 7.14.3, 7.15.0 before 7.15.2, 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1.”
So, the fixed versions are 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, and 7.18.1, which should be updated immediately, according to Atlassian.
Atlassian also notes that the vulnerability only affects the above products and their respective versions and that Atlassian Cloud sites are still secure. “If your Confluence site is accessible via an Atlassian[.]net, it is hosted by Atlassian and is not vulnerable. Our investigations found no evidence of Atlassian Cloud exploitation.”
If users are unable to upgrade Confluence immediately, Atlassian has provided version-specific workarounds for CVE-2022-26134 which can be found in their updated security advisory.
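To make the version ranges above actionable, here is an added checker (not Atlassian's tooling) that classifies a Confluence Server or Data Center version string using only the affected ranges and fixed releases quoted from the advisory. It also handles feature lines for which the advisory lists no fixed release (such as 7.5.x to 7.12.x), which a naive range check would wrongly pass, and it assumes, as labelled in the code, that releases later than 7.18.1 include the fix.

```python
# Added example, not Atlassian's code: classify a Confluence version against
# CVE-2022-26134 using the affected ranges and fixed versions quoted above.
from typing import Tuple

FIRST_AFFECTED = (1, 3, 0)  # advisory: all versions from 1.3.0 onward are affected

# Feature line (major, minor) -> first fixed release in that line, from the advisory.
FIXED_IN_LINE = {
    (7, 4): (7, 4, 17),
    (7, 13): (7, 13, 7),
    (7, 14): (7, 14, 3),
    (7, 15): (7, 15, 2),
    (7, 16): (7, 16, 4),
    (7, 17): (7, 17, 4),
    (7, 18): (7, 18, 1),
}
LATEST_FIXED = max(FIXED_IN_LINE.values())  # (7, 18, 1)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor[.patch]' into a comparable tuple; a missing patch is 0."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def assess(version_text: str) -> str:
    """Return one of: not-affected, affected, affected-no-fix-in-line, fixed."""
    v = parse_version(version_text)
    if v < FIRST_AFFECTED:
        return "not-affected"
    fixed = FIXED_IN_LINE.get((v[0], v[1]))
    if fixed is not None:
        return "fixed" if v >= fixed else "affected"
    # Assumption (not stated on the page): any release newer than the latest
    # listed fix, e.g. a later 7.19.x line, also carries the fix.
    if v > LATEST_FIXED:
        return "fixed"
    # Lines such as 7.5.x to 7.12.x fall between the quoted ranges but are still
    # affected; there is no patched release in-line, so an upgrade is needed.
    return "affected-no-fix-in-line"


if __name__ == "__main__":
    for sample in ["7.4.16", "7.4.17", "7.12.5", "7.18.0", "7.18.1", "1.2.0"]:
        print(f"{sample:>8}: {assess(sample)}")
```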
Learn more about the vulnerability
In its initial security advisory, Atlassian did not disclose any further details about the vulnerability other than that it is an RCE bug, adding that “further details about the vulnerability are being withheld until a fix is available”. Atlassian has now released more details about CVE-2022-26134 via the issue tracker page.
Atlassian confirms this to be an Object-Graph Navigation Language (OGNL) injection vulnerability that allows an unauthenticated attacker to execute arbitrary code on an affected Confluence Server or Data Center instance.
OGNL is an open source expression language for Java objects. It enables the evaluation of EL expressions in Apache Struts, which is the commonly used development framework for Java-based web applications in enterprise environments, according to Contrast Security, an application security vendor.
It adds that “OGNL is infamous for associated vulnerabilities found in the Struts 2 framework, which depends on it. Because OGNL has the ability to create or modify executable code, it is also capable of introducing critical security vulnerabilities in any framework that uses it. For example, it is possible for the attacker to inject OGNL expressions (which can execute arbitrary malicious Java code) when an OGNL expression injection vulnerability is present.”
Additionally, the vulnerability is rated critical because it has low attack complexity and requires no privileges or user interaction to exploit, notes Mark Adams, Engineering Manager for Security Products at Atlassian, on the vulnerability issue tracking page.
Volexity researchers have found several new sightings since publishing their first security blog on Thursday.
While not sharing proof-of-concept code for the vulnerability, the researchers have released additional details about post-exploitation activity. This includes the commands executed by the attacker on the victim’s system that the researchers analyzed and other details about malicious implants like BEHINDER, File Downloader Web Shell and China Chopper Webshell.
Regarding the commands executed, Volexity researchers observed the following attacker activity on the victim’s system:
- Executed discovery commands to verify the operating system version and examined the contents of
- Checked the Confluence local database and dumped Confluence user tables;
- Modified web access logs to hinder forensic investigation and suppress evidence of exploitation;
- Wrote additional webshells to disk, but not all of them could be recovered, researchers say.
Steven Adair, President of Volexity, also added to the list of new sightings in a lengthy Twitter thread. His first observation concerns the targeted sectors, which he says are not specific but “widespread”, even though the activity appears to be “coordinated”.
It is clear that multiple threat groups and individual actors own the exploit and use it in different ways. Some are quite sloppy and others are a little more stealthy. Loading class files into memory and writing JSP shells are the most popular we’ve seen so far.
—Steven Adair (@stevenadair) June 3, 2022
Adair continues that “it is clear that multiple threat groups and individual actors own the exploit and use it in different ways.” But some of them were reckless while others were a little more “stealthy”, he adds.
Of these, Adair notes that “loading class files into memory and writing JSP shells are the most popular [ones]”, and the workaround for that, he says, is to monitor JSP files other than those listed in the tweet below:
Everyone’s configuration may be different, but Confluence largely only has these JSP files:
Look for unlisted files.
—Steven Adair (@stevenadair) June 3, 2022
“Everyone’s setup may be different, but Confluence largely only has these JSP files,” which makes it easier to monitor for anomalies, according to Adair. Apart from that, Adair, citing the findings of Sean Koessel, co-founder of Volexity, suggests that in several cases defenders should “seek ".java" files in the ./confluence/org/apache/jsp/ directory that shouldn’t be there. You may also find a webshell or backdoor here from a .jsp file that has already been deleted,” Adair says.
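The two checks Adair describes, JSP files outside a known-good baseline and stray ".java" files under ./confluence/org/apache/jsp/, as an added example that is not Volexity's or Atlassian's tooling. The baseline allowlist is a placeholder to be filled from a known-good install of your own version (the expected-JSP list from Adair's tweet is not reproduced on this page), and the demo tree it scans is constructed inline.

```python
# Added example, not Volexity's or Atlassian's tooling: flag JSP files outside a
# known-good baseline and stray .java files under ./confluence/org/apache/jsp/.
from pathlib import Path
from typing import Dict, List
import tempfile

# Placeholder: fill from a known-good install of your own Confluence version
# (the expected-JSP list from Adair's tweet is not reproduced on this page).
BASELINE_JSP = {"confluence/example.jsp"}
COMPILED_JSP_PREFIX = "confluence/org/apache/jsp/"


def find_suspicious(install_root: str) -> Dict[str, List[str]]:
    """Walk the install tree and return unlisted .jsp and stray .java paths."""
    root = Path(install_root)
    unlisted_jsp: List[str] = []
    stray_java: List[str] = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        suffix = path.suffix.lower()
        if suffix == ".jsp" and rel not in BASELINE_JSP:
            unlisted_jsp.append(rel)
        elif suffix == ".java" and rel.startswith(COMPILED_JSP_PREFIX):
            # Source left behind by a compiled JSP, even if the .jsp was removed.
            stray_java.append(rel)
    return {"unlisted_jsp": sorted(unlisted_jsp), "stray_java": sorted(stray_java)}


def build_demo_install() -> str:
    """Construct a throwaway tree: one baseline JSP, one unlisted JSP, one stray .java."""
    root = Path(tempfile.mkdtemp(prefix="confluence-demo-"))
    for rel in [
        "confluence/example.jsp",                         # in the baseline
        "confluence/WEB-INF/web.xml",                     # not a JSP, ignored
        "confluence/unexpected.jsp",                      # constructed: unlisted
        "confluence/org/apache/jsp/unexpected_jsp.java",  # constructed: stray
    ]:
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("<!-- constructed sample -->\n")
    return str(root)


if __name__ == "__main__":
    findings = find_suspicious(build_demo_install())
    for kind, paths in findings.items():
        print(kind, paths)
```

Run it against the real install root with a populated BASELINE_JSP; any path it reports is something to examine, not necessarily a shell, since plugins can legitimately add JSPs.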