Security researchers from Volexity discovered a 0-day vulnerability (CVE-2022-26134) in Atlassian Confluence software over the weekend. The vulnerability is being actively exploited; this is what brought the issue to the attention of the security researchers. Currently, the urgent advice to administrators responsible for maintaining Atlassian Confluence software (Server, Data Center) is to ensure that this product is not accessible from the Internet, or, if in doubt, to shut down the server. Addendum: A fix is available. And there is now a public exploit.
I became aware of the issue overnight via a tweet from Volexity; the details were made public in the blog post Zero-Day Exploitation of Atlassian Confluence, dated June 2, 2022.
Webserver attacked
Volexity security researchers were forced to conduct an incident response investigation on two Internet-connected web servers of one of its clients over the US Memorial Day weekend. Both web servers were running Atlassian Confluence Server software. The investigation was triggered by suspicious activity on the hosts, such as JSP webshells being written to disk.
An initial scan of one of the Confluence Server systems quickly revealed that a JSP file had been written to a publicly accessible web directory. The file was a known copy of the JSP variant of the China Chopper webshell. However, a review of the web logs revealed that the file had hardly been accessed. The webshell appears to have been written as a means of secondary access.
Volexity deployed its Volexity Surge Collect Pro solution to copy system memory and key files from the Confluence Server systems for analysis. After a thorough review of the collected data, Volexity determined that the compromise of the server originated from an attacker launching an exploit to achieve remote code execution. Volexity was subsequently able to recreate this exploit and identify a zero-day vulnerability that affects current versions of Confluence Server.
No patch available for CVE-2022-26134
Following the discovery and review of this vulnerability, Volexity contacted Atlassian to report the relevant details on May 31, 2022. Atlassian has since confirmed the vulnerability in Confluence Security Advisory 2022-06-02. There, CVE-2022-26134 is rated as critical severity and described as an unauthenticated remote code execution vulnerability in Confluence Server and Data Center.
At this time, the Confluence advisory confirms that all supported versions of Confluence Server and Data Center are affected. It is likely that all versions of Confluence Server and Data Center are affected, but investigations are still ongoing.
The vendor is actively working on appropriate security updates. As there is currently no patch or fix for this vulnerability, Volexity strongly recommends that all organizations immediately block external access to their Confluence Server instances until an update is provided by Atlassian. For more details, see Confluence Security Advisory 2022-06-02 and the Volexity blog post Zero-Day Exploitation of Atlassian Confluence.
Addendum: On Twitter somebody pointed out some Sigma rules to detect exploitation attempts.
Addendum 1: A fix is now available, see 0-day vulnerability CVE-2022-26134 in Atlassian Confluence Server fixed.
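As an added example (not code from the original post or from Volexity), the following script shows one triage step along the lines of the investigation described above: it walks web access logs, flags requests to any .jsp that is not part of a known-good baseline, and reports how often and from where each unknown JSP was hit, since a dropped webshell that is "hardly accessed" stands out by its low request count rather than by volume. The log lines, the JSP paths and the baseline set are constructed placeholders, not real Confluence files or incident data.

```python
import re
from datetime import datetime

# Constructed sample access-log lines (Apache/Tomcat combined-style format), not
# from the incident above. Both JSP paths are placeholders, not real Confluence files.
SAMPLE_LOG = """\
203.0.113.10 - - [28/May/2022:03:14:07 +0000] "GET /login.action HTTP/1.1" 200 5120
203.0.113.10 - - [28/May/2022:03:14:09 +0000] "POST /secure/UNKNOWN_EXAMPLE.jsp HTTP/1.1" 200 71
198.51.100.7 - - [28/May/2022:09:02:41 +0000] "GET /confluence/known_example.jsp HTTP/1.1" 200 812
203.0.113.10 - - [29/May/2022:17:45:30 +0000] "POST /secure/UNKNOWN_EXAMPLE.jsp?x=1 HTTP/1.1" 200 44
"""

# Assumed allow-list of JSPs that legitimately ship with the deployment. Build it
# from a clean install or package manifest, never from the possibly compromised host.
BASELINE_JSPS = {"/confluence/known_example.jsp"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string before comparing
    return rec


def find_unknown_jsp_requests(log_text, baseline):
    """Return {path: {"count", "first_seen", "sources"}} for each requested .jsp
    not in the baseline. A handful of 200 responses from one source is consistent
    with a webshell staged as secondary access rather than normal application use."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].lower().endswith(".jsp"):
            continue
        if rec["path"] in baseline:
            continue
        entry = hits.setdefault(rec["path"], {"count": 0, "first_seen": rec["ts"], "sources": set()})
        entry["count"] += 1
        entry["first_seen"] = min(entry["first_seen"], rec["ts"])
        entry["sources"].add(rec["ip"])
    return hits


if __name__ == "__main__":
    for path, info in find_unknown_jsp_requests(SAMPLE_LOG, BASELINE_JSPS).items():
        print(f"{path}: {info['count']} request(s), first seen {info['first_seen']}, from {sorted(info['sources'])}")
```

Any path the script reports should then be checked on disk (creation time, owner, content) and compared against the Sigma rules mentioned above before concluding anything.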