Atlassian, an Australian software company, has rushed to patch a severe unauthenticated remote code execution vulnerability that has affected all supported versions of its Confluence Server and Data Center. Volexity, a cyber security firm based in Washington, DC, identified the flaw early last week.
The vulnerability, officially identified as CVE-2022-26134, may allow a bad actor to remotely install malware or otherwise manipulate the compromised device without authentication. This is the second significant Confluence vulnerability exploited in less than a year.
The latest vulnerability was discovered by Volexity while analyzing suspicious activity on two Internet-facing web servers belonging to a customer who used Atlassian Confluence Server software. Volexity found unusual activity on the hosts, such as JSP web shells being written to disk.
According to the Volexity investigation, the server compromise was caused by an attacker using an exploit to get remote code execution. The cybersecurity firm was then able to recreate the exploit and identify a zero-day vulnerability that affected fully updated versions of Confluence Server.
More than 75,000 clients worldwide utilize Confluence’s popular web-based business collaboration software. The software is “protected by privacy protections and data encryption, and meets industry-verified compliance requirements,” according to Atlassian.
The CVE-2022-26134 issue, on the other hand, affects all supported versions of Confluence Server and Data Center. Fixed Confluence versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, and 7.18.1 are unaffected, as are Confluence sites accessed via an atlassian.net domain.
According to a blog post outlining Volexity’s analysis, “Volexity believes the attacker launched a single exploit attempt at each of the Confluence Server computers, which in turn loaded a malicious class file in memory.”
“This effectively gave the attacker a webshell with which to communicate via subsequent queries. The advantage of such an attack was that the attacker did not have to constantly re-exploit the server and could execute commands without having to write a backdoor file to disk.”
Since June 3, California-based cybersecurity firm Imperva Threat Research has recorded over 680,000 attack attempts, with attack sources originating from roughly 4,000 unique IP addresses (the largest share of targets is located in Chile). According to Imperva, payload analysis reveals that the majority of attacks are scanning attempts to discover vulnerable servers. Imperva has also seen attempts to deploy a malicious script and steal sensitive information.
According to Imperva, attackers use two primary scanning methods: invoking the Java runtime exec function to run the command-line program nslookup, which contacts an external server owned by the attacker, or invoking the Confluence GeneralUtil setCookie function to set a unique cookie name and value.
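The two scanning techniques above leave recognisable tokens in the request path, which is where a defender would look first. The following log triage script is an added example, not code from the article, Imperva or Volexity: it URL-decodes each request path (bounded, so double-encoded payloads are normalised too), matches it against indicator patterns derived from the two techniques described, and tallies hits per source IP so mass scanners stand out. The access-log lines, hostnames and IP addresses are constructed sample data, and the indicator names are assumptions chosen for this example.

```python
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample lines in Tomcat "common" access-log format; none of this is real traffic.
SAMPLE_LOG = """\
198.51.100.23 - - [03/Jun/2022:09:12:44 +0000] "GET /display/TEAM/Home HTTP/1.1" 200 18342
203.0.113.17 - - [03/Jun/2022:09:13:02 +0000] "GET /java.lang.Runtime.getRuntime%28%29.exec%28%22nslookup%20scan.example.invalid%22%29/ HTTP/1.1" 302 0
203.0.113.17 - - [03/Jun/2022:09:13:09 +0000] "GET /GeneralUtil.setCookie%28%22probe%22%2C%22x9k2%22%29/ HTTP/1.1" 302 0
192.0.2.88 - - [03/Jun/2022:09:14:30 +0000] "POST /rest/api/content HTTP/1.1" 200 512
198.51.100.77 - - [03/Jun/2022:09:15:11 +0000] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 9000
"""

# source IP, timestamp, method, request path, status code
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Indicator patterns derived from the two scanning techniques Imperva describes
# (Java Runtime exec of nslookup, and GeneralUtil.setCookie). Names are this example's own.
INDICATORS: Dict[str, re.Pattern] = {
    "java_runtime_exec": re.compile(r"java\.lang\.Runtime|getRuntime\s*\(\s*\)|\.exec\s*\(", re.I),
    "nslookup_callback": re.compile(r"\bnslookup\b", re.I),
    "generalutil_setcookie": re.compile(r"GeneralUtil|setCookie\s*\(", re.I),
}


def decode_fully(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoded payloads are normalised as well."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_log(text: str) -> List[dict]:
    """Return one finding per log line whose decoded request path matches any indicator."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        m = LOG_LINE.match(raw)
        if not m:
            continue  # not an access-log line in the expected format; skip it
        src, ts, method, path, status = m.groups()
        decoded = decode_fully(path)
        hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
        if hits:
            findings.append({"line": lineno, "src": src, "time": ts, "method": method,
                             "status": int(status), "indicators": hits, "path": decoded})
    return findings


def sources_by_hits(findings: List[dict]) -> Counter:
    """Count suspicious requests per source IP; repeat offenders are likely mass scanners."""
    return Counter(f["src"] for f in findings)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"line {f['line']}: {f['src']} {f['method']} -> {', '.join(f['indicators'])}")
    print("sources:", dict(sources_by_hits(found)))
```

Run it against a real access log by reading the file into `scan_log`; a hit only says the request carried the tokens, so confirm exploitation by checking the response status and the host for the follow-on activity the article describes (web shells on disk, unexpected crontab entries).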
The cybersecurity firm further warns that the malicious script is deployed in one of two ways: it gains persistence via the infected server’s crontab, or it downloads an executable file, runs it, and deletes it from the file system. The purpose of the malicious file is to enlist the victim server in the Mirai botnet.
According to the Australian Cyber Security Centre (ACSC), bad actors successfully exploited the vulnerability before it was made public, although there has been no successful exploitation within Australia.
Atlassian has issued fixes in Confluence versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, and 7.18.1. For customers who are unable to upgrade quickly, Atlassian has provided a temporary workaround.
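The fixed-version list is only useful if it is applied consistently across an estate, and the fixes sit on seven different release branches. The script below is an added example, not Atlassian's code or tooling: it maps each branch (major.minor) to the first patched level named in the article and classifies an installed version as patched, vulnerable, or on a branch the list does not cover. Since the article states that all supported versions were affected, an uncovered branch is reported separately rather than assumed safe. The inventory hostnames and versions are constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# Fixed Confluence Server / Data Center versions named in the article for CVE-2022-26134.
FIXED_VERSIONS = ["7.4.17", "7.13.7", "7.14.3", "7.15.2", "7.16.4", "7.17.4", "7.18.1"]

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '7.13.7' (or '7.13.7-rc1') into a comparable tuple of ints.

    Only the leading digits of each dotted component are used, so a build
    suffix does not break the comparison. Raises ValueError on garbage.
    """
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            raise ValueError(f"unparseable version component {piece!r} in {text!r}")
        parts.append(int(m.group()))
    if len(parts) < 2:
        raise ValueError(f"version needs at least major.minor: {text!r}")
    return tuple(parts)


# Each release branch (major.minor) maps to the first patch level that carries the fix.
FIXED_BY_BRANCH: Dict[Version, Version] = {
    parse_version(v)[:2]: parse_version(v) for v in FIXED_VERSIONS
}


def assess_version(installed: str) -> str:
    """Classify an installed version as 'patched', 'vulnerable' or 'unlisted'.

    'unlisted' means the branch has no fixed release in the list above. The
    article says all supported versions were affected, so treat those hosts
    as unpatched until verified against the vendor advisory.
    """
    ver = parse_version(installed)
    fixed = FIXED_BY_BRANCH.get(ver[:2])
    if fixed is None:
        return "unlisted"
    return "patched" if ver >= fixed else "vulnerable"


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hostnames by assessment so the unpatched ones can be scheduled first."""
    report: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unlisted": []}
    for host, version in sorted(inventory.items()):
        report[assess_version(version)].append(host)
    return report


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up for this example.
    sample = {
        "wiki-prod-01": "7.13.7",
        "wiki-prod-02": "7.13.6",
        "wiki-legacy": "7.4.16",
        "wiki-dev": "7.18.1",
        "wiki-old-branch": "7.12.5",
    }
    for status, hosts in triage_inventory(sample).items():
        print(f"{status:>10}: {', '.join(hosts) or '-'}")
```

Feed it the version strings from your own asset inventory; a host that reports "patched" here still needs the temporary workaround removed and a check for the post-exploitation artifacts described above, since patching does not undo a compromise that happened before the upgrade.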