Unpatched Atlassian Confluence zero-day exploited, fix expected today (CVE-2022-26134)

A critical zero-day vulnerability (CVE-2022-26134) in Atlassian Confluence Data Center and Server is under active exploitation, the software maker warned on Thursday.

There are currently no fixes available, though they are expected to be released today (Friday), and users of the popular enterprise collaboration solution are advised to either temporarily restrict access to Confluence Server and Data Center instances from the internet, or to disable them completely.

“If you are unable to take the above actions, implementing a WAF (Web Application Firewall) rule which blocks URLs containing ${ may reduce your risk,” Atlassian added.

About CVE-2022-26134

Atlassian has declined to share specific details about the nature of CVE-2022-26134 until a fix is ready – we only know that the vulnerability can be exploited by unauthenticated attackers to achieve remote code execution, and that it affects all supported versions of Confluence Server and Data Center and likely all unsupported ones.

The flaw was reported by Volexity on May 31, after they discovered it being exploited by an attacker over the Memorial Day weekend in the United States.

During an incident response investigation, they found two internet-facing web servers running Atlassian Confluence Server software compromised via a JSP variant of the China Chopper webshell. The attacker managed to achieve full control over the servers via additional interactive webshells, and to deploy an in-memory copy of the BEHINDER web server implant.

“BEHINDER provides very powerful capabilities to attackers, including memory-only webshells and built-in support for interaction with Meterpreter and Cobalt Strike. As previously noted, this method of deployment has significant advantages by not writing files to disk. At the same time, it does not allow persistence, which means a reboot or service restart will wipe it out,” threat researchers Andrew Case, Sean Koessel, Steven Adair, and Thomas Lancaster explained.

“Once BEHINDER was deployed, the attacker used the in-memory webshell to deploy two additional webshells to disk: CHINA CHOPPER and a custom file upload shell.”

The researchers have categorized CVE-2022-26134 as a command injection vulnerability and said “it looked similar to previous vulnerabilities that have also been exploited in order to gain remote code execution.”

Mitigation and exploitation detection

As noted previously, Atlassian advises users to restrict internet access to Confluence Server and Data Center or to disable them completely. This could lead to temporary problems for organizations’ remote workers, if the organizations don’t have an alternative means for them to connect to (other) company resources.

“Atlassian is working with the highest priority to issue a fix,” the company said in its security advisory. “We expect that security fixes for supported versions of Confluence will begin to be available for customer download within 24 hours (estimated time, by EOD June 3 PDT).”

They also noted that Confluence sites hosted by Atlassian are not vulnerable and there is currently no evidence of exploitation of Atlassian Cloud.

When the fix is ready, users are advised to implement it as soon as possible. Security teams should also check whether organizations’ Atlassian Confluence installations have been compromised, and to help with that Volexity released IOCs and hunting rules.
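The interim WAF rule quoted above keys on URLs containing `${`, and the same indicator can be used to hunt through existing web server access logs for requests that arrived before the rule was in place. The script below is an added example, not one of Volexity's published hunting rules or Atlassian's own guidance; it assumes Apache/nginx combined-format access logs and constructed sample lines, and it percent-decodes each request URI before matching so that a literal-only check does not silently miss an encoded form of the same characters.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [03/Jun/2022:10:01:02 +0000] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [03/Jun/2022:10:01:07 +0000] "GET /${placeholder}/ HTTP/1.1" 302 0 "-" "curl/7.68.0"
10.0.0.9 - - [03/Jun/2022:10:01:09 +0000] "GET /%24%7Bplaceholder%7D/ HTTP/1.1" 302 0 "-" "curl/7.68.0"
10.0.0.7 - - [03/Jun/2022:10:02:00 +0000] "POST /rest/api/content HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""

# Fields of a combined-format line: source IP, timestamp, method, URI, status code.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)


def normalize_uri(uri: str) -> str:
    """Percent-decode a URI a bounded number of times so encoded and literal
    forms of the same characters compare equal (e.g. %24%7B -> ${)."""
    prev = None
    for _ in range(3):          # bounded: stops early once decoding is stable
        if uri == prev:
            break
        prev, uri = uri, unquote(uri)
    return uri


def find_suspicious_requests(log_text: str, marker: str = "${") -> list:
    """Return the parsed log entries whose decoded URI contains `marker`.
    Each hit keeps the original (undecoded) URI so analysts see what was logged."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                # skip lines that are not in combined format
        if marker in normalize_uri(m["uri"]):
            hits.append({"src": m["src"], "ts": m["ts"], "method": m["method"],
                         "uri": m["uri"], "status": m["status"]})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["src"]} {hit["method"]} {hit["uri"]} -> {hit["status"]}')
```

A hit only means the request is worth triage; corroborate it with the IOCs and rules Volexity published rather than treating the marker alone as proof of compromise.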

The researchers have said that they are not planning to release proof-of-concept code for the exploit.

UPDATE (June 4, 2022, 02:40 a.m. ET):

Atlassian has confirmed that the flaw is an OGNL injection vulnerability and has released fixed versions of Confluence Server and Data Center: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1.

Even though the company strongly recommends upgrading to a fixed version of Confluence as there are several other security fixes included in the fixed versions, those who can’t upgrade immediately can mitigate the CVE-2022-26134 issue by updating several files for the specific version of the product. Check the security advisory for more information on how to do that.

Volexity researchers have also released more information about the attacks they detected in the wild:
