Atlassian published a security advisory about a critical vulnerability that is currently under attack. According to the advisory, the vulnerability, tracked as CVE-2022-26134, is currently being exploited by cybercriminals. The vulnerability allows an unauthenticated attacker to execute code remotely on Confluence Server and Data Center.
Critical severity
Atlassian announced that there are currently no fixed versions of Confluence Server and Data Center available. The company also stated that it has been made aware of the exploitation of the vulnerability. The company expects that the security fixes for supported versions of Confluence will be available within 24 hours. Since there is no fix available yet, Atlassian suggested users work with their security team to consider the best course of action. Options to consider include:
- Restricting access to Confluence Server and Data Center instances from the internet
- Disabling Confluence Server and Data Center instances
For customers who cannot take the actions above, implementing a Web Application Firewall rule that blocks URLs containing ${ can also reduce the risk.
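As an added illustration of the interim WAF rule above (this is example code, not Atlassian's rule or any vendor's product), the check below scans constructed web-server access-log lines for request paths containing ${, and it URL-decodes each path before matching because a literal match alone misses the percent-encoded form %24%7B. The log format, the field layout and the assumption that two decoding rounds are enough are all assumptions of the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic) in common log format.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Jun/2022:10:00:01 +0000] "GET /login.action HTTP/1.1" 200 512
10.0.0.7 - - [03/Jun/2022:10:00:02 +0000] "GET /${example}/ HTTP/1.1" 302 0
10.0.0.9 - - [03/Jun/2022:10:00:03 +0000] "GET /%24%7Bexample%7D/ HTTP/1.1" 302 0
10.0.0.11 - - [03/Jun/2022:10:00:04 +0000] "GET /pages/viewpage.action?pageId=42 HTTP/1.1" 200 9001
"""

# Assumed log layout: client IP, two ident fields, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def contains_expression_marker(path: str) -> bool:
    """True if the raw or URL-decoded path contains the `${` sequence
    the advisory's WAF rule targets.  Decoding is applied twice so a
    single layer of double-encoding is also caught (assumption: two
    rounds are sufficient for this check)."""
    candidates = {path}
    decoded = path
    for _ in range(2):
        decoded = unquote(decoded)
        candidates.add(decoded)
    return any("${" in c for c in candidates)


def flag_suspicious_requests(log_text: str) -> list:
    """Return the parsed log entries whose request path carries the marker."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        if contains_expression_marker(m["path"]):
            hits.append({"ip": m["ip"], "path": m["path"], "status": m["status"]})
    return hits


if __name__ == "__main__":
    for h in flag_suspicious_requests(SAMPLE_LOG):
        print(f'{h["ip"]} -> {h["path"]} ({h["status"]})')
```

The same decode-then-match logic is what a WAF rule needs; a rule that only matches the literal characters ${ in the raw URL is bypassed by encoding.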
CISA also warned users and organizations about the vulnerability and added it to its Known Exploited Vulnerabilities Catalog. Federal agencies are required to block all internet traffic to Confluence servers immediately. Volexity, the company that warned Atlassian about the vulnerability, said:
« Subsequent root cause analysis of the compromise showed that the attacker had used a zero-day exploit, now assigned CVE-2022-26134, that allowed unauthenticated remote code execution on the servers. When initially analyzing the exploit, Volexity noted it looked similar to previous vulnerabilities that have also been exploited in order to gain remote code execution. These types of vulnerabilities are dangerous, as attackers can execute commands and gain full control of a vulnerable system without credentials as long as web requests can be made to the Confluence Server system. It should also be noted that CVE-2022-26134 appears to be another command injection vulnerability. This type of vulnerability is severe and demands significant attention.
Volexity believes the attacker launched a single exploit attempt at each of the Confluence Server systems, which in turn loaded a malicious class file in memory. This allowed the attacker to effectively have a webshell they could interact with through subsequent requests. The benefit of such an attack allowed the attacker to not have to continuously re-exploit the server and to execute commands without writing a backdoor file to disk. »