Patch released for exploited Atlassian zero-day vulnerability

Atlassian released a patch Friday for a critical vulnerability affecting Confluence Data Center and Server products.

The company updated a recently released security advisory with information and instructions on how users can address CVE-2022-26134. A spokesperson for the company told The Record that they have “contacted all potentially vulnerable customers directly to notify them of the fix,” adding that there is no evidence that Atlassian Cloud sites have been impacted.

The fix is available in versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, and 7.18.1.

For those unable to upgrade Confluence immediately, Atlassian provided several temporary workarounds for specific versions of their product.

Censys researchers said they found around 9,325 services across 8,347 distinct hosts running some version of Atlassian Confluence.

"Of those services, most Confluence versions we identified were v7.13.0 (1,137 hosts), v7.13.2 (690 hosts), and v7.13.5 (429 hosts); and if the advisory is accurate, all of these versions are susceptible to this new attack," said Mark Ellzey, senior security researcher at Censys.

The Censys dashboard shows most instances are in the US, China and Germany, with each having more than 1,400 vulnerable hosts.


A Censys map of where most vulnerable instances are located. (Censys)

Researchers with Volexity, the security company that first notified Atlassian of the issue, said on Twitter there are indications that state-backed actors are already looking to exploit the bug. 

Volexity discovered the vulnerability during an incident response investigation over Memorial Day weekend, and researcher Steven Adair explained that they have since “learned of multiple other compromised organizations beyond our initial work and visibility.”

“Since we posted about the Atlassian Confluence vulnerability yesterday (CVE-2022-26134), at Volexity we have several new observations. The first is that the targeted industries/verticals are quite widespread. This is a free-for-all where the exploitation seems coordinated,” Adair said.

“It is clear that multiple threat groups and individual actors have the exploit and have been using it in different ways. Some are quite sloppy and others are a bit more stealth. Loading class files into memory and writing JSP shells are the most popular we have seen so far.”

BluBracket’s Casey Bisson told The Record that Atlassian tools are used by more than 200,000 enterprises.

Other experts, like Vulcan Cyber’s Mike Parkin, noted that the speed with which the Cybersecurity and Infrastructure Security Agency (CISA) added the bug to its list of known exploited vulnerabilities is “indicative of the expected risk.”

“Atlassian’s Confluence Server and Confluence Datacenter are widely used across multiple industries, so an unauthenticated remote code execution flaw is problematic,” Parkin said. “Keeping instances isolated from the open internet can mitigate the vulnerability. Fortunately, their widely used Cloud platform is not known to be affected.”


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.