On 2 June 2022, Atlassian published an advisory for a critical vulnerability in Confluence Server and Data Center, CVE-2022-26134: an unauthenticated remote code execution flaw that was already being actively exploited at the time of disclosure.
Atlassian has stated that all supported versions of Confluence Server and Data Center are affected. Fixes for this critical, high-priority vulnerability are now available.
A run-down of CVE-2022-26134
The vulnerability allows unauthenticated remote code execution, which can lead to full compromise of the Confluence host and of the networks reachable from it. An attacker needs no credentials: being able to send web requests to a vulnerable Confluence Server or Data Center instance is enough.
[pictured above: Example of CVE-2022-26134]
What can you do?
Review the list of fixed versions for Confluence Server and Data Center.
Atlassian recommends upgrading to the latest Long Term Support release.
For further instructions, see the Atlassian security advisory (linked under Further Reading below).
Please be advised that a proof of concept (PoC) for this vulnerability has been published and can be used directly as a means of exploitation.
It has also been reported that, using this PoC, a malicious actor can gain access to backup files containing logs and other sensitive information.
In turn, this can give such actors further insight into your attack surface.
What has Cybersprint done?
Our research and customer success teams have jointly informed all customers of this vulnerability. Prospective customers currently running a Proof of Value, or who have recently requested a Demo or Deep-Dive, have also been informed.
[pictured below: Visualized overview of a customer's entire attack surface]
We provided (prospective) customers with an 'Insight' listing all of their web assets potentially affected by the vulnerability, by indexing every asset on which Atlassian Confluence was detected as a technology.
This saved customers considerable time in determining which of their assets run the technology, and what the security posture of each such asset is as a potential entry point for attackers.
In the interface, customers can immediately see how many, and which, web assets have Confluence as a detected technology.
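The two checks described above, finding which assets run Confluence and whether the detected version is on a fixed release line, can be scripted against HTTP responses. The following is an added example, not Cybersprint's product code and not from Atlassian. It assumes two fingerprints that are not stated on this page: that Confluence pages embed their version in an `ajs-version-number` meta tag, and that Confluence responds with an `X-Confluence-Request-Time` header. The fixed versions are those listed in Atlassian's advisory at publication; the sample responses are constructed, not captured from real hosts.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed releases listed in Atlassian's advisory for CVE-2022-26134 (2 June 2022).
FIXED_VERSIONS = ("7.4.17", "7.13.7", "7.14.3", "7.15.2", "7.16.4", "7.17.4", "7.18.1")

# Assumption (not from the page): Confluence pages embed their version in this meta tag.
VERSION_META = re.compile(r'<meta\s+name="ajs-version-number"\s+content="([0-9.]+)"', re.I)

# Assumption (not from the page): Confluence adds this response header.
CONFLUENCE_HEADER = "x-confluence-request-time"


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn '7.13.6' (or '7.13') into a (major, minor, patch) tuple, padding with zeros."""
    parts = [int(p) for p in v.split(".")] + [0, 0, 0]
    return parts[0], parts[1], parts[2]


# Map each release line (major, minor) to the first patch level that carries the fix.
FIXED_BY_LINE: Dict[Tuple[int, int], int] = {}
for _v in FIXED_VERSIONS:
    _maj, _min, _patch = parse_version(_v)
    FIXED_BY_LINE[(_maj, _min)] = _patch


def is_fixed(version: str) -> bool:
    """True if this Confluence version is at or above the fixed patch for its release line."""
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line in FIXED_BY_LINE:
        return patch >= FIXED_BY_LINE[line]
    # Assumption: release lines newer than the last fixed line (7.18) shipped after the fix.
    # Older lines with no listed fix (e.g. 7.12.x) must be treated as vulnerable.
    return line > max(FIXED_BY_LINE)


def is_confluence(headers: Dict[str, str], body: str) -> bool:
    """Detect Confluence as a technology from either fingerprint."""
    lowered = {k.lower() for k in headers}
    return CONFLUENCE_HEADER in lowered or VERSION_META.search(body) is not None


def triage(host: str, headers: Dict[str, str], body: str) -> Dict[str, Optional[str]]:
    """Classify one host's response: not Confluence, version unknown, fixed, or vulnerable."""
    if not is_confluence(headers, body):
        return {"host": host, "version": None, "status": "not-confluence"}
    m = VERSION_META.search(body)
    if not m:
        # Confluence detected but no version visible: still worth a manual check.
        return {"host": host, "version": None, "status": "confluence-version-unknown"}
    version = m.group(1)
    return {"host": host, "version": version,
            "status": "fixed" if is_fixed(version) else "vulnerable"}


# Constructed sample responses (hypothetical hosts, not real scan data).
SAMPLE_RESPONSES = [
    ("wiki.example.com", {"X-Confluence-Request-Time": "1654164000000"},
     '<html><head><meta name="ajs-version-number" content="7.13.6"></head></html>'),
    ("docs.example.com", {"X-Confluence-Request-Time": "1654164000001"},
     '<html><head><meta name="ajs-version-number" content="7.18.1"></head></html>'),
    ("www.example.com", {"Server": "nginx"},
     "<html><body>Welcome</body></html>"),
    ("kb.example.com", {"X-Confluence-Request-Time": "1654164000002"},
     "<html><body>login</body></html>"),
]


def triage_all(responses=SAMPLE_RESPONSES):
    return [triage(host, headers, body) for host, headers, body in responses]


if __name__ == "__main__":
    for result in triage_all():
        print(result)
```

In practice the header/body pairs come from an HTTP GET against each asset in your inventory; the classification logic is the part worth keeping, since "Confluence detected, version unknown" assets need a manual check rather than being dropped from the list.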
Further Reading
We will continue to update this threat report as new developments are verified. In the meantime, you can read more on:
- https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
- https://blog.cloudflare.com/cloudflare-customers-are-protected-from-the-atlassian-confluence-cve-2022-26134/
Threat Insights
In addition, Volexity has released: (1) a list of IP addresses associated with the ongoing attacks, (2) YARA rules to help identify malicious activity relating to this exploit, and (3) details on specific IoCs (Indicators of Compromise) relating to this exploit.
- You can find the list of addresses here: https://github.com/volexity/threat-intel/blob/main/2022/2022-06-02%20Active%20Exploitation%20Of%20Confluence%200-day/indicators/indicators.csv
- You can find the YARA rules here: https://github.com/volexity/threat-intel/blob/main/2022/2022-06-02%20Active%20Exploitation%20Of%20Confluence%200-day/indicators/yara.yar
- You can find a detailed analysis and overview of related IoCs here: https://volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
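Volexity's YARA rules target artefacts on disk; a complementary check is to scan the Confluence access log for exploitation attempts and for requests from listed IoC addresses. The following is an added example, not part of this report and not Volexity's tooling. It assumes, based on the public analyses linked above, that exploit requests carry an OGNL expression (`${...}`, URL-encoded as `%24%7B...%7D`) in the request path; the IoC addresses in the block are documentation-range placeholders, not Volexity's real list, and the log lines are constructed.

```python
import re
import urllib.parse
from typing import Dict, Iterable, List

# Placeholder IoC addresses (RFC 5737 documentation ranges). Load the real list from
# Volexity's indicators.csv instead; these are constructed for the example.
IOC_IPS = {"192.0.2.10", "198.51.100.7"}

# Common/combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption from public analyses: OGNL injection appears as ${...} in the path.
OGNL_RE = re.compile(r'\$\{.*\}')


def suspicious_uri(uri: str) -> bool:
    """Decode the URI up to twice (attackers double-encode) and look for an OGNL expression."""
    decoded = uri
    for _ in range(2):
        decoded = urllib.parse.unquote(decoded)
    return OGNL_RE.search(decoded) is not None


def scan_access_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one hit per log line that matches the OGNL pattern and/or an IoC address."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        reasons = []
        if suspicious_uri(m["uri"]):
            reasons.append("ognl-in-path")
        if m["ip"] in IOC_IPS:
            reasons.append("ioc-ip")
        if reasons:
            hits.append({
                "ip": m["ip"],
                "time": m["ts"],
                "uri": m["uri"],
                "status": m["status"],
                "reasons": ",".join(reasons),
            })
    return hits


# Constructed sample log: one benign request, one single-encoded probe from an IoC
# address, one benign-looking request from an IoC address, one double-encoded probe.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Jun/2022:10:01:02 +0000] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 5123
192.0.2.10 - - [02/Jun/2022:10:02:45 +0000] "GET /%24%7B7*7%7D/ HTTP/1.1" 302 0
198.51.100.7 - - [02/Jun/2022:10:03:10 +0000] "GET /login.action HTTP/1.1" 200 4096
203.0.113.9 - - [02/Jun/2022:10:04:00 +0000] "GET /%2524%257Bprobe%257D/ HTTP/1.1" 302 0
"""


def scan_sample() -> List[Dict[str, str]]:
    return scan_access_log(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for hit in scan_sample():
        print(hit)
```

A 302 response to a path containing `${...}` is not proof of a successful exploit on its own, but any such request should be treated as an attempt and correlated with the YARA results and the process and file activity on the host.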
If you are concerned or unsure whether you are affected by this vulnerability, you can reach out to us via support@cybersprint.com
We will happily assist you in mitigating the potential security risks caused by this vulnerability.