Atlassian Releases Patch for Maximum Severity Widely Exploited Vulnerability in Confluence Server and Data Center

Atlassian has released a patch to fix a critical zero-day vulnerability that affects all supported versions of Confluence Server and Data Center. The vulnerability – tracked as CVE-2022-26134 – has a maximum CVSS severity score of 10 out of 10 and can be exploited remotely by unauthenticated attackers to achieve code execution. According to security researchers, exploiting the flaw is trivial, with no user interaction or privileges required.

Last week, cybersecurity firm Volexity detected exploitation of the vulnerability while responding to a security breach. The researchers were able to reproduce the exploit for the flaw and shared details of the vulnerability with Atlassian last week. Volexity reports that in the incident its researchers investigated, the attackers were most likely based in China and exploited the vulnerability to run malicious code and installed webshells such as BEHINDER and China Chopper. The attackers conducted reconnaissance, checked local confluence databases and dumped user tables, altered web access logs to remove traces of exploitation, and wrote additional webshells.

On Friday, Volexity President, Steven Adair, said in a Tweet, “It is clear that multiple threat groups and individual actors have the exploit and have been using it in different ways. Some are quite sloppy and others are a bit more stealth. Loading class files into memory and writing JSP shells are the most popular we have seen so far.”

Over the weekend, proof-of-concept exploits were widely released and exploitation accelerated. On Thursday, GreyNoise CEO, Andrew Morris said 23 IP addresses were attempting to exploit the flaw and by Friday the number had grown to 211.

It is essential for the patch to be applied immediately on Confluence or Data Center servers to prevent exploitation. Atlassian says the following product versions are affected:  7.4.0, 7.13.0, 7.14.0, 7.15.0, 7.16.0, 7.15.1, 7.14.2, 7.17.0, 7.4.16, 7.18.0, 7.16.3, 7.13.6, and 7.17.3. Atlassian Cloud sites are unaffected.

Atlassian has fixed the vulnerability in versions: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, and 7.18.1. If it is not possible to patch immediately, it is essential to implement the mitigations suggested by Atlassian.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.