Confluence's zero-day vulnerability has already been attacked by China, Atlassian recommends blocking access from the net until patching



A vulnerability, CVE-2022-26134, was discovered in Atlassian's business workspace tool Confluence that allows arbitrary code execution remotely. It affects all supported versions of Confluence and is rated 'Critical'. No patch was available at the time of writing.

Confluence Security Advisory 2022-06-02 | Confluence Data Center and Server 7.18 | Atlassian Documentation
https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
Zero-Day Exploitation of Atlassian Confluence | Volexity
https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/

Atlassian: Unpatched critical Confluence flaw under attack • The Register
https://www.theregister.com/2022/06/03/atlassian_confluence_critical_flaw_attacked/

This vulnerability was discovered when cybersecurity company Volexity was investigating an incident that occurred on a customer's web server. The Volexity investigation was conducted after suspicious behavior, such as a JSP web shell being written to disk, was detected on a host running Atlassian Confluence Server.

Volexity collected system memory and key files from the Confluence Server system, conducted a thorough review, and identified a server breach in which an attacker launched an exploit and executed code remotely. Volexity then reproduced the exploit and identified it as a zero-day vulnerability affecting the latest version of Confluence Server.

According to the investigation, the attacker checked the OS version on the compromised system, read the contents of '/etc/passwd' and '/etc/shadow', and searched the local Confluence database to back up the user table. The attacker then modified the web access logs to erase evidence of the intrusion and wrote an additional web shell to disk.
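The first artifact Volexity noticed was a JSP web shell written to disk on the Confluence host. The following is an added example (not from the article, Volexity or Atlassian) of the hunt a responder would run for that: list JSP files under the Confluence install directory that were modified recently and are not in a baseline of known shipped files. The directory layout, file names and 7-day window are assumptions; the sample tree is constructed in a temp directory and contains no real web shell.

```python
import os
import tempfile
import time
from pathlib import Path

JSP_SUFFIXES = (".jsp", ".jspx")


def find_recent_jsp(root: str, since_epoch: float, allowlist=frozenset()) -> list[str]:
    """Return paths (relative to root, POSIX style) of JSP/JSPX files whose
    mtime is at or after since_epoch and that are not in the allowlist."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(JSP_SUFFIXES):
                continue
            full = os.path.join(dirpath, name)
            rel = Path(os.path.relpath(full, root)).as_posix()
            if rel in allowlist:
                continue  # known, shipped with the product
            if os.path.getmtime(full) >= since_epoch:
                hits.append(rel)
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed sample: a fake Confluence install (hypothetical paths) with
    one legitimate JSP dated 90 days ago and one JSP dropped 'today' into a
    static-content directory. The dropped file is a placeholder, not a shell."""
    root = tempfile.mkdtemp(prefix="confluence-sample-")
    old = time.time() - 90 * 86400
    legit = Path(root, "confluence", "login.jsp")
    legit.parent.mkdir(parents=True)
    legit.write_text("<%-- shipped with the product (constructed) --%>")
    os.utime(legit, (old, old))
    dropped = Path(root, "confluence", "images", "x.jsp")
    dropped.parent.mkdir(parents=True)
    dropped.write_text("<%-- placeholder content (constructed) --%>")
    return root


def scan_sample() -> list[str]:
    """Build the sample tree and hunt for JSPs modified in the last 7 days
    that are not in the baseline allowlist."""
    root = build_sample_tree()
    since = time.time() - 7 * 86400
    return find_recent_jsp(root, since, allowlist={"confluence/login.jsp"})


if __name__ == "__main__":
    for rel in scan_sample():
        print("review:", rel)  # prints "review: confluence/images/x.jsp"
```

On a real host the allowlist should come from a clean install or package manifest, and a hit is a lead to triage, not proof of compromise.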

Volexity discloses the IP addresses used by the attacker. It also points out that the vulnerability is being exploited by multiple threat actors, most likely based in China.

Atlassian has not yet prepared a patch for this vulnerability. The immediate workarounds it recommends are restricting access to Confluence Server and Confluence Data Center instances from the Internet, or shutting those instances down.

in Web Service,   Security, Posted by logc_nt