Patch released for exploited Atlassian zero-day vulnerability
Atlassian released a patch Friday for a critical vulnerability affecting Confluence Data Center and Server products.
The company updated a recently released security advisory with information and instructions on how users can address CVE-2022-26134. A spokesperson for the company told The Record that they have “contacted all potentially vulnerable customers directly to notify them of the fix,” adding that there is no evidence that Atlassian Cloud sites have been impacted.
The fixed versions are 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1. Earlier releases in each of those lines, and release lines that received no fix, remain affected and should be upgraded.
For those unable to upgrade Confluence immediately, Atlassian provided several temporary workarounds for specific versions of their product.
Censys researchers said they found around 9,325 services across 8,347 distinct hosts running some version of Atlassian Confluence.
"Of those services, most Confluence versions we identified were v7.13.0 (1,137 hosts), v7.13.2 (690 hosts), and v7.13.5 (429 hosts); and if the advisory is accurate, all of these versions are susceptible to this new attack," said Mark Ellzey, senior security researcher at Censys.
The Censys dashboard shows most instances are in the US, China and Germany, with each having more than 1,400 vulnerable hosts.
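The advisory's fixed-version list reduces to a simple triage rule, shown here as an added example that is not Atlassian's or Censys' code: a host is patched if it is at or past the fix for its own release line, or past the newest fix; otherwise it is vulnerable and the nearest fixed release above it is a starting point for the upgrade. Treating releases newer than 7.18.1 as patched is an assumption. The three most common versions Censys reported are fed through as a constructed input.

```python
"""Triage Confluence Server / Data Center versions against the CVE-2022-26134
fixed-version list in Atlassian's advisory.
Added example for this article; not Atlassian's or Censys' code."""
import re
from typing import Dict, Optional, Tuple

# Fixed releases named in the advisory, one per release line that got a fix.
FIXED_VERSIONS = ("7.4.17", "7.13.7", "7.14.3", "7.15.2",
                  "7.16.4", "7.17.4", "7.18.1")

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """'v7.13.0' -> (7, 13, 0). A leading 'v' and anything after the patch
    number (build suffixes) are ignored; a missing patch number means 0."""
    m = re.match(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


_FIXED = sorted(parse_version(v) for v in FIXED_VERSIONS)


def assess(text: str) -> Tuple[bool, Optional[str]]:
    """Return (is_vulnerable, upgrade_target) for one version string.

    * At or above the fix in its own major.minor line: patched.
    * At or above the newest fix (7.18.1): treated as patched. This is an
      assumption that later releases are built on the fixed code.
    * Otherwise vulnerable; the target is the nearest fixed release above it.
      Lines with no fix (e.g. 7.12.x) therefore get the next fixed line.
    """
    v = parse_version(text)
    same_line = [f for f in _FIXED if f[:2] == v[:2]]
    if (same_line and v >= same_line[0]) or v >= _FIXED[-1]:
        return False, None
    return True, fmt(next(f for f in _FIXED if f > v))


def vulnerable_host_count(version_counts: Dict[str, int]) -> int:
    """Sum host counts for the versions assess() flags as vulnerable."""
    return sum(n for ver, n in version_counts.items() if assess(ver)[0])


if __name__ == "__main__":
    # Constructed input echoing the three most common versions Censys reported.
    censys_top3 = {"v7.13.0": 1137, "v7.13.2": 690, "v7.13.5": 429}
    for ver in censys_top3:
        print(ver, assess(ver))
    print("vulnerable hosts:", vulnerable_host_count(censys_top3))
```

Note the in-line check runs before the "newest fix" check: 7.14.0 is newer than 7.13.7 but its own line was only fixed in 7.14.3, so it is still flagged.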
Researchers with Volexity, the security company that first notified Atlassian of the issue, said on Twitter there are indications that state-backed actors are already looking to exploit the bug.
Volexity discovered the vulnerability during an incident response investigation over Memorial Day weekend and researcher Steven Adair explained they have since “learned of multiple other compromised organizations beyond our initial work and visibility.”
“Since we posted about the Atlassian Confluence vulnerability yesterday (CVE-2022-26134), at Volexity we have several new observations. The first is that the targeted industries/verticals are quite widespread. This is a free-for-all where the exploitation seems coordinated,” Adair said.
“It is clear that multiple threat groups and individual actors have the exploit and have been using it in different ways. Some are quite sloppy and others are a bit more stealth. Loading class files into memory and writing JSP shells are the most popular we have seen so far.”
"Also @5ck recently noted in multiple cases to look for ".java" files in the ./confluence/org/apache/jsp/ directory that should not be there. You may find a webshell or backdoor here as well from a .jsp file that was deleted already." (Steven Adair, @stevenadair, June 3, 2022)
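As an added example that is not Volexity's or Atlassian's tooling, the two artifacts Adair describes can be hunted with a short scan: JSP files under the web application that match command-execution indicators, and compiled-JSP leftovers under org/apache/jsp (Tomcat's Jasper writes `<name>_jsp.java` and `<name>_jsp.class` there) whose source `.jsp` no longer exists. Rather than trying to reverse Jasper's name mangling, the scan mangles every `.jsp` still on disk forward and treats any artifact with no match as an orphan. The mangling mirrors Jasper's `JspUtil.makeJavaIdentifier` as I understand it; the directory layout, the sample files and the late-May 2022 cutoff are constructed for the dry run, not taken from a real install.

```python
"""Hunt for CVE-2022-26134 post-exploitation leftovers in a Confluence install:
JSP webshells on disk, and compiled-JSP artifacts under org/apache/jsp whose
source .jsp has already been deleted (the pattern @5ck and Volexity describe).
Added example for this article; not Volexity's or Atlassian's tooling."""
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List

# Generic JSP webshell indicators; a hit on two or more is worth a look.
SHELL_PATTERNS = [re.compile(p) for p in (
    r"Runtime\.getRuntime\(\)\.exec", r"ProcessBuilder\s*\(",
    r"request\.getParameter\s*\(", r"defineClass\s*\(|Class\.forName\s*\(",
)]


def jasper_identifier(segment: str) -> str:
    """Tomcat/Jasper class naming (JspUtil.makeJavaIdentifier, as understood here):
    'my-page.jsp' -> 'my_002dpage_jsp'. '.' becomes '_'; '_' and any character
    that is not a Java identifier part become '_' + 4 hex digits; a leading
    non-letter gets a '_' prefix. Java-keyword segments are not special-cased."""
    out = ["_"] if not (segment[0].isalpha() or segment[0] in "_$") else []
    for ch in segment:
        if ch == ".":
            out.append("_")
        elif ch == "_" or not (ch.isalnum() or ch == "$"):
            out.append(f"_{ord(ch):04x}")
        else:
            out.append(ch)
    return "".join(out)


def find_orphaned_jsp_artifacts(webapp: Path, work_dir: Path) -> List[Path]:
    """*_jsp.java / *_jsp.class under work_dir with no matching .jsp in webapp,
    i.e. the JSP was compiled by Tomcat and then removed from disk."""
    expected = set()
    for jsp in webapp.rglob("*.jsp"):
        rel = jsp.relative_to(webapp)
        expected.add(Path(*[jasper_identifier(p) for p in rel.parts]))
    return sorted(p for p in work_dir.rglob("*_jsp.*")
                  if p.suffix in (".java", ".class")
                  and p.relative_to(work_dir).with_suffix("") not in expected)


def find_suspicious_jsps(webapp: Path, since: datetime, min_hits: int = 2) -> List[Dict]:
    """JSPs matching >= min_hits shell indicators or modified after `since`
    (mtimes can be stomped, so content indicators are the stronger signal)."""
    findings = []
    for jsp in webapp.rglob("*.jsp"):
        text = jsp.read_text(errors="replace")
        hits = [p.pattern for p in SHELL_PATTERNS if p.search(text)]
        mtime = datetime.fromtimestamp(jsp.stat().st_mtime, tz=timezone.utc)
        if len(hits) >= min_hits or mtime > since:
            findings.append({"path": jsp, "indicators": hits,
                             "modified_after_cutoff": mtime > since})
    return findings


def build_fixture(root: Path) -> None:
    """Constructed sample layout (not real Confluence files) for a dry run."""
    webapp, work = root / "confluence", root / "confluence" / "org" / "apache" / "jsp"
    work.mkdir(parents=True)
    (webapp / "index.jsp").write_text("<html><%= new java.util.Date() %></html>")
    (work / "index_jsp.java").write_text("// compiled by Jasper from index.jsp")
    (work / "cmd_jsp.java").write_text("// compiled from cmd.jsp, which was then deleted")
    (work / "cmd_jsp.class").write_bytes(b"\xca\xfe\xba\xbe")
    (webapp / "s.jsp").write_text('<% Runtime.getRuntime().exec(request.getParameter("c")); %>')
    old = datetime(2022, 1, 1, tzinfo=timezone.utc).timestamp()
    os.utime(webapp / "index.jsp", (old, old))  # legitimate file predates the incident


def run_demo() -> Dict[str, List[str]]:
    """Build the fixture in a temp dir, scan it, return root-relative POSIX paths."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_fixture(root)
        webapp, work = root / "confluence", root / "confluence" / "org" / "apache" / "jsp"
        # Assumed cutoff: just before Memorial Day weekend 2022, when Volexity's case began.
        since = datetime(2022, 5, 27, tzinfo=timezone.utc)
        return {
            "orphans": [p.relative_to(root).as_posix()
                        for p in find_orphaned_jsp_artifacts(webapp, work)],
            "shells": [f["path"].relative_to(root).as_posix()
                       for f in find_suspicious_jsps(webapp, since)],
        }


if __name__ == "__main__":
    print(run_demo())
```

On a real host, point `webapp` at the Confluence web application directory and `work_dir` at the org/apache/jsp directory the tweet names, and triage every orphan: the `.java` file is the decompiled-readable form of whatever JSP was dropped and later deleted, so it usually tells you what the shell did even when the `.jsp` is gone.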
BluBracket’s Casey Bisson told The Record that Atlassian tools are used by more than 200,000 enterprises.
Other experts, like Vulcan Cyber’s Mike Parkin, noted that the speed with which the Cybersecurity and Infrastructure Security Agency (CISA) added the bug to its list of known exploited vulnerabilities is “indicative of the expected risk.”
“Atlassian’s Confluence Server and Confluence Datacenter are widely used across multiple industries, so an unauthenticated remote code execution flaw is problematic,” Parkin said. “Keeping instances isolated from the open internet can mitigate the vulnerability. Fortunately, their widely used Cloud platform is not known to be affected.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.