Atlassian warns that Confluence zero-day is being exploited by hackers

Update (2:01 pm EST): Atlassian has released a patch for the bug and said it has notified all potentially vulnerable customers of the fix.

Atlassian has warned its customers that hackers are exploiting a zero-day vulnerability in all supported versions of Confluence Server and Data Center.

A spokesperson for the Australia-based software firm told The Record that the bug – tagged as CVE-2022-26134 – does not yet have a patch. 

“We have contacted all potentially vulnerable customers directly to alert them of this vulnerability. Atlassian Engineering teams are actively working on a patch, and we will update our security advisory with an estimate for completion as soon as possible,” the spokesperson said. 

Atlassian was tight-lipped about the specifics of the critical unauthenticated remote code execution vulnerability in an effort to protect users while a patch is created. In its advisory on the issue, the company said a security fix will be “available for customer download within 24 hours (estimated time, by EOD June 3 PDT).”

The company suggested users restrict access to Confluence Server and Data Center instances from the internet or disable instances. For those unable to take these measures, Atlassian suggested implementing a Web Application Firewall rule which blocks URLs containing ${. 

Atlassian said the issue was discovered by security firm Volexity, which released its own blog about the vulnerability. 

We found a remote, pre-auth 0day being exploited in Confluence Server in the wild. In the blog post, we break down our forensic analysis steps and provide the IOCs that we currently can. If you have this product then you need to deal with this immediately as no patch is available https://t.co/uuofF7mvyb

— Andrew Case (@attrc) June 2, 2022

Volexity security researchers Andrew Case, Sean Koessel, Steven Adair and Thomas Lancaster said they conducted an incident response investigation over Memorial Day weekend that involved suspicious activity on two internet-facing web servers belonging to one of its customers that were running Atlassian Confluence Server software.

“After a thorough review of the collected data, Volexity was able to determine the server compromise stemmed from an attacker launching an exploit to achieve remote code execution. Volexity was subsequently able to recreate that exploit and identify a zero-day vulnerability impacting fully up-to-date versions of Confluence Server,” the company explained. 

They contacted Atlassian on May 31, and noted that it resembles “previous vulnerabilities that have also been exploited in order to gain remote code execution.”

Volexity said these brands of vulnerabilities are particularly dangerous because they allow attackers to execute commands and “gain full control of a vulnerable system without credentials as long as web requests can be made to the Confluence Server system.”

We believe this exploit is in the hands of multiple CN threat actors and since publishing our blog have learned of multiple other compromised organizations beyond our initial work and visibility. This is become more widespread.

— Steven Adair (@stevenadair) June 2, 2022

The attacker discovered by Volexity exploited the vulnerability and deployed a copy of BEHINDER, a popular web server implant that they said “provides very powerful capabilities to attackers, including memory-only webshells and built-in support for interaction with Meterpreter and Cobalt Strike.”

The Cybersecurity and Infrastructure Security Agency (CISA) released its own warning about the bug and immediately added it to its catalog of known exploited vulnerabilities.