Zero-day Exploited to Target Atlassian Confluence
The Severity of the Vulnerability Was Determined as Critical.
A zero-day vulnerability is a newly discovered software security flaw that has not yet been patched by the developers and, as a result, can be exploited. The term “zero-day” is an evocative reference to time, as this type of cyberattack happens within a very short timeframe after the security flaw becomes known.
What Makes the CVE-2022-26134 Important?
There is currently no patch available for the newly discovered Atlassian Confluence zero-day vulnerability that is being tracked as CVE-2022-26134.
This vulnerability is being actively exploited by hackers in order to install web shells.
Atlassian has been made aware of the current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server. Further details about the vulnerability are being withheld until a fix is available.
We expect that security fixes for supported versions of Confluence will begin to be available for customer download within 24 hours (estimated time, by EOD June 3 PDT).
Confluence Server and Data Center are both vulnerable to the significant unauthenticated remote code execution flaw identified as CVE-2022-26134, which was disclosed by Atlassian in a security warning.
According to Atlassian, the vulnerability was confirmed in Confluence Server 7.18.0, and the company believes that Confluence Server and Data Center 7.4.0 and above are also affected.
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT environment.
BleepingComputer reports that an alert has been issued in order to warn users that malicious actors are actively attacking Confluence Server 7.18.0.
Because there are no updates available, Atlassian is advising its customers to make their servers unreachable by one of the following means:
- Isolating their Confluence Server and Data Center instances from the internet.
- Shutting down their Confluence Server and Data Center instances entirely.
There is no alternative approach that can be used to protect against this issue.
Organizations that are protected by Atlassian Cloud, which can be accessed via the atlassian.net website, are not vulnerable to this flaw.
Atlassian is hard at work developing a fix, and the company has promised to update its advisory with more details as soon as they are ready.
The vulnerability was discovered by Volexity, a security company that reported the flaw to Atlassian.
An initial review of one of the Confluence Server systems quickly identified that a JSP file had been written into a publicly accessible web directory. The file was a well-known copy of the JSP variant of the China Chopper webshell. However, a review of the web logs showed that the file had barely been accessed. The webshell appears to have been written as a means of secondary access.
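The Volexity finding above is a classic file-drop indicator: a newly written JSP file in a publicly served directory, which the web logs show was then hardly requested. The script below is an added example, written for this article and not code from Volexity, Atlassian or the original post. It reproduces that triage in generic form: walk a web root for recently modified JSP files, then count how often each one appears in an access log. The web root, file names and log lines are all constructed sample data created by the script itself; it is a hunting heuristic for dropped server-side scripts, not a signature for this particular CVE.

```python
import os
import re
import shutil
import tempfile
import time

# Constructed sample: a temporary "web root" containing one old, legitimate
# JSP page and one JSP file written moments ago (standing in for a webshell
# dropped into a publicly accessible directory). Hypothetical paths.
def build_sample_webroot():
    root = tempfile.mkdtemp(prefix="webroot_sample_")
    legit = os.path.join(root, "pages", "view.jsp")
    dropped = os.path.join(root, "images", "tmp.jsp")
    os.makedirs(os.path.dirname(legit))
    os.makedirs(os.path.dirname(dropped))
    with open(legit, "w") as f:
        f.write("<%-- legitimate page, part of the deployment --%>")
    with open(dropped, "w") as f:
        f.write("<%-- file written recently, outside the deployment --%>")
    # Age the legitimate file so its mtime is 30 days in the past.
    old_ts = time.time() - 30 * 86400
    os.utime(legit, (old_ts, old_ts))
    return root

# Constructed access-log lines in Apache/Tomcat "combined" format.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [02/Jun/2022:10:15:01 +0000] "GET /pages/view.jsp?id=1 HTTP/1.1" 200 5120
203.0.113.7 - - [02/Jun/2022:10:15:04 +0000] "GET /images/tmp.jsp HTTP/1.1" 200 12
198.51.100.9 - - [02/Jun/2022:11:02:33 +0000] "GET /pages/view.jsp?id=2 HTTP/1.1" 200 5120
"""

# Pulls the request path (without query string) out of a combined-format line.
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|HEAD) (?P<path>[^ ?"]+)')


def find_recent_jsp(root, max_age_days=7, now=None):
    """Return web-root-relative paths of .jsp/.jspx files modified within the window."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".jsp", ".jspx")):
                full = os.path.join(dirpath, name)
                if os.path.getmtime(full) >= cutoff:
                    rel = os.path.relpath(full, root).replace(os.sep, "/")
                    hits.append(rel)
    return sorted(hits)


def count_hits(log_text, relpaths):
    """Count access-log requests for each suspicious file (keyed by relative path)."""
    counts = {p: 0 for p in relpaths}
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = m.group("path").lstrip("/")
        if path in counts:
            counts[path] += 1
    return counts


def triage(root, log_text, max_age_days=7):
    """Combine both checks: recent JSP files plus how often each was requested."""
    recent = find_recent_jsp(root, max_age_days)
    return count_hits(log_text, recent)


if __name__ == "__main__":
    root = build_sample_webroot()
    try:
        for path, n in triage(root, SAMPLE_ACCESS_LOG).items():
            # A freshly written server-side script that is rarely requested is
            # exactly the "secondary access" pattern described in the finding.
            print(f"recent JSP: {path}  requests in log: {n}")
    finally:
        shutil.rmtree(root)
```

In a real investigation the mtime filter is only a first pass: an attacker can reset timestamps, so the list of recent files should be compared against the known deployment manifest, and a low request count is itself a reason to look closer rather than to dismiss the file.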
The Cybersecurity and Infrastructure Security Agency (CISA) has added this zero-day to its “Known Exploited Vulnerabilities Catalog” and is mandating that government entities block all internet communication to Confluence servers by tomorrow, June 3rd.