Critical RCE Vulnerability Threatens 20,000 Atlassian Confluence Instances

Nearly 20,000 internet-exposed instances of Atlassian Confluence Server and Data Center are vulnerable to a critical remote code execution vulnerability, assigned CVE-2022-26134. First discovered over the Memorial Day weekend, the vulnerability is easy to exploit, and exploitation attempts are increasing daily.

A proof of concept for exploiting the critical remote code execution vulnerability in Atlassian Confluence Server and Data Center was recently released and is now circulating in the wild.

The vulnerability, identified as CVE-2022-26134, is being actively exploited. It allows unauthenticated attackers to inject and execute arbitrary code and commands, create administrator accounts, and potentially take full control of the target system.

“These types of vulnerabilities are dangerous because attackers can execute commands and take full control of a vulnerable system without credentials as long as web requests can be made to the Confluence Server system,” wrote Volexity, which discovered the flaw in the last days of May. “This type of vulnerability is serious and requires special attention.”

David Lindner, CISO at Contrast Security, told Toolbox, “Atlassian products continue to be plagued by OGNL injections, and based on WAF rules guidance and malicious class loading feedback, we believe this is another case of OGNL injection leading to an RCE.”

Of particular concern is that this vulnerability is relatively easy to exploit and affects all supported versions of Confluence Server and Data Center, and indeed every version after 1.3.0. The high prevalence of exposed vulnerable systems and the publicly available proof-of-concept code have greatly increased exploitation attempts.

GreyNoise Intelligence used the term “mass exploitation” to describe the jump in activity in the 24 hours between June 4 and June 5, 2022. As of 8 a.m. UTC (4 a.m. EDT) on June 7, GreyNoise had observed 1,017 unique IP addresses attempting to exploit CVE-2022-26134 against Confluence Server and Data Center instances.

This is despite Atlassian publishing an advisory on June 2, two days after Volexity reported the vulnerability to the Australian company, and releasing fixed versions the following day. However, CVE-2022-26134 was known to some threat actors even before Atlassian issued the advisory, according to Cloudflare: “We identified requests for potentially malicious payloads as early as 2022-05-26 00:33 UTC.”
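Because the injection point for CVE-2022-26134 is the URI path itself, the cheapest retrospective check a defender can run is to look for an OGNL expression delimiter (`${`, usually percent-encoded as `%24%7B`, sometimes double-encoded) in the request path of the Confluence access logs. The scanner below is an added example written for this article, not code from Volexity, Cloudflare or Atlassian; the log lines it scans are constructed, the expression in them is a harmless OGNL assignment rather than an exploit payload, and the log format is assumed to be the Tomcat/Apache combined format.

```python
import re
from urllib.parse import unquote

# Tomcat/Apache combined access-log format (assumed). The request target is captured
# whole; the query string is stripped in is_ognl_probe() because the injection point
# for CVE-2022-26134 is the path, and a ${ in a query parameter is a false positive.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3})'
)


def decode_fully(s: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded %2524%257B also resolves to ${ ."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def is_ognl_probe(target: str) -> bool:
    """True if the URI path (not the query string) carries an OGNL expression delimiter.

    Confluence never expects ${ in a path, so any hit is worth triage; a hit does not by
    itself prove the exploit succeeded.
    """
    path = target.split("?", 1)[0]
    return "${" in decode_fully(path)


def scan(lines):
    """Return (ip, target, status) for every request whose path carries an OGNL expression."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_ognl_probe(m.group("target")):
            hits.append((m.group("ip"), m.group("target"), m.group("status")))
    return hits


# Constructed sample lines (not from any real incident). Lines 1 and 2 carry the same
# harmless expression ${(#a='probe')}, single- and double-encoded; lines 3 and 4 are
# ordinary traffic, the last one with ${ only in the query string.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Jun/2022:10:12:01 +0000] "GET /%24%7B%28%23a%3D%27probe%27%29%7D/ HTTP/1.1" 302 0',
    '203.0.113.5 - - [05/Jun/2022:10:12:02 +0000] "GET /%2524%257B%2528%2523a%253D%2527probe%2527%2529%257D/ HTTP/1.1" 302 0',
    '198.51.100.7 - - [05/Jun/2022:10:13:00 +0000] "GET /display/TEAM/Home HTTP/1.1" 200 5120',
    '198.51.100.7 - - [05/Jun/2022:10:13:05 +0000] "GET /rest/api/content?title=Budget%20%24%7B2022%7D HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for ip, target, status in scan(SAMPLE_LOG):
        print(f"{ip} {status} {target}")
```

Run against real logs, feed `scan()` the lines of the Confluence access log (and any reverse-proxy log in front of it) and pivot on the source IPs it returns; the decoded path tells you what the attacker tried to evaluate. The check is deliberately a path-only heuristic, which is also what the WAF rules mentioned in the article match on.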


The fixed versions are 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1.

Until organizations can patch affected Confluence Server and Data Center instances, Atlassian advised customers to restrict access to them or disconnect them from the internet entirely. As a temporary mitigation until the instances are upgraded, customers can also apply the replacement .jar file that Atlassian makes available for download here.
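Because the fix landed on seven separate release branches, "is my version patched?" is not a single comparison: a 7.13.8 is fixed while a 7.12.5 is not, even though 7.13.8 is the older-looking branch in patch-level terms. The helper below encodes the fixed-version list from Atlassian's advisory quoted above and answers that question for one version string. It is an added example written for this article, not Atlassian's own tooling; it assumes that feature releases after 7.18.1 carry the fix and treats every version on a branch without a fixed release (7.5 to 7.12, and everything before 7.4) as needing an upgrade. Versions before 1.3.0 are out of scope.

```python
# Fixed releases from Atlassian's advisory for CVE-2022-26134 (the list given above).
FIXED_VERSIONS = ["7.4.17", "7.13.7", "7.14.3", "7.15.2", "7.16.4", "7.17.4", "7.18.1"]


def parse_version(v: str):
    """'7.13.6' -> (7, 13, 6); a missing patch component is treated as 0."""
    parts = tuple(int(x) for x in v.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def fixed_release_for(version: str):
    """The fixed release on the same major.minor branch, or None if that branch got no fix."""
    branch = parse_version(version)[:2]
    for f in FIXED_VERSIONS:
        if parse_version(f)[:2] == branch:
            return f
    return None


def is_fixed(version: str) -> bool:
    """True if this Confluence Server/Data Center version carries the fix.

    Fixed means: at or above the fixed release on its own branch, or (assumption) at or
    above the newest fixed release, which covers later feature releases. Anything else,
    including the 7.5-7.12 branches that received no fix, must be upgraded.
    """
    v = parse_version(version)
    same_branch = fixed_release_for(version)
    if same_branch is not None:
        return v >= parse_version(same_branch)
    return v >= max(parse_version(f) for f in FIXED_VERSIONS)


def verdict(version: str) -> str:
    """One-line recommendation for a version string taken from the admin console."""
    if is_fixed(version):
        return f"{version}: fixed"
    target = fixed_release_for(version)
    if target:
        return f"{version}: vulnerable, upgrade to {target}"
    return f"{version}: vulnerable, no fix on this branch, upgrade to {FIXED_VERSIONS[-1]} or later"


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    for v in ["7.4.16", "7.4.17", "7.12.5", "7.13.6", "7.13.8", "7.18.1", "7.19.0"]:
        print(verdict(v))
```

Feed `verdict()` the version strings from your asset inventory; the "no fix on this branch" case is the one the Unit 42 end-of-life count below is about, and for those hosts the interim .jar mitigation is a stopgap, not a substitute for moving to a supported release.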

Lindner argued that the episode exposes the shortcomings of on-premises deployments. “This is yet another example of why enterprises need to move away from on-premises technologies and invest in runtime application self-protection (RASP) technologies that can prevent these exploits before day zero, without needing to fix anything or turn it off.”

“Fortunately, this does not affect cloud/SaaS versions of Confluence,” he says. “Unfortunately, those running Confluence on-premises are being instructed to either remove it from the internet, turn it off, or add an overly aggressive Web Application Firewall (WAF) rule until there is a fix, being left high and dry and without the use of a major project collaboration tool, which will affect their organization’s overall productivity.”

A total of 19,707 Confluence server instances are potentially affected, according to Palo Alto Networks Unit 42, including 34.6% in the United States.

Location of Confluence systems vulnerable to CVE-2022-26134 | Source: Unit 42

Unit 42 also identified 1,251 Confluence Server instances running end-of-life versions. “Assets running end-of-life software should never be accessible over the internet. If an asset cannot be updated to secure software releases, it should be isolated or completely retired.”

It is unclear where the exploit attempts against vulnerable Atlassian installations are coming from. However, the fact that the attackers are using Behinder, a powerful Chinese web shell, makes Chinese threat actors prime suspects.
