Atlassian has announced a patch to correct a critical zero-day vulnerability that impacts all supported versions of Confluence Server and Data Center. The vulnerability, tracked as CVE-2022-26134, has the maximum CVSS severity score of 10. Unauthenticated attackers can exploit it remotely to execute code. Security researchers stated that exploitation is easy because it requires neither user interaction nor privileges.
Cybersecurity company Volexity discovered the vulnerability being exploited while responding to a security breach. Its researchers reproduced the exploit and reported the details of the vulnerability to Atlassian. According to Volexity's report on the incident, the attackers were most likely located in China and used the vulnerability to run malicious code and deploy webshells such as BEHINDER and China Chopper. The attackers performed reconnaissance, examined local Confluence databases and removed user tables, modified web access logs to erase traces of the exploitation, and wrote additional webshells.
Volexity President Steven Adair mentioned in a tweet that multiple threat groups as well as individual threat actors possess the exploit and were utilizing it in various ways. A few are pretty sloppy and others are somewhat more stealthy. The most popular methods are loading class files into memory and writing JSP shells.
Proof-of-concept exploits were widely published and exploitation multiplied. GreyNoise CEO Andrew Morris said 23 IP addresses were trying to exploit the vulnerability, and that the number had grown to 211 in just one day.
It is important to apply the patch right away on Confluence Server or Data Center installations to avoid exploitation. Atlassian states that the vulnerability affected the following product versions: 7.4.0, 7.4.16, 7.18.0, 7.17.0, 7.17.3, 7.16.0, 7.16.3, 7.15.0, 7.15.1, 7.14.2, 7.14.0, 7.13.0, and 7.13.6. Atlassian Cloud sites are not impacted.
Atlassian has fixed the vulnerability in the following versions: 7.18.1, 7.17.4, 7.16.4, 7.15.2, 7.14.3, 7.13.7, and 7.4.17. If prompt patching is not possible, it is important to apply the mitigations recommended by Atlassian.