Atlassian has released a patch for a critical zero-day vulnerability affecting all supported versions of Confluence Server and Data Center. The flaw, tracked as CVE-2022-26134, is an OGNL injection and carries the maximum CVSS score of 10.0. An unauthenticated, remote attacker can exploit it to execute arbitrary code on the server. Security researchers noted that exploitation is trivial: it requires no privileges and no user interaction.
Security firm Volexity discovered the vulnerability being exploited in the wild while responding to an intrusion. Its researchers reproduced the exploit and reported the details to Atlassian. According to Volexity's account of the incident it investigated, the attackers, assessed as likely operating from China, used the vulnerability to execute malicious code and deploy webshells, including China Chopper and the in-memory BEHINDER implant. From there they carried out reconnaissance, examined the local Confluence database and dumped its user tables, edited the web access logs to remove traces of the exploitation, and wrote additional webshells.
Volexity President Steven Adair tweeted that multiple threat groups and even individual threat actors had obtained the exploit and were using it in varied ways: some are rather sloppy while others are a bit more stealthy, and the most common techniques are writing JSP shells and loading class files into memory.
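Because the public exploit places an OGNL expression in the request URI, the quickest check a responder can run is a scan of web access logs for `${...}` in request paths, including URL-encoded and double-encoded forms. The script below is an added example written for this page, not Volexity's or Atlassian's tooling; the log lines it contains are constructed samples in Apache/Tomcat combined log format, and the OGNL payload in the second line is the widely published exploit shape, included only as detection test data.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache/Tomcat combined format); not real traffic.
# Lines 2 and 3 carry an OGNL expression in the URI path, the shape used against
# CVE-2022-26134; line 3 is double URL-encoded to show why one decode pass is not enough.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Jun/2022:10:01:12 +0000] "GET /login.action HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Jun/2022:10:01:40 +0000] "GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29%7D/ HTTP/1.1" 302 0 "-" "curl/7.79.1"
198.51.100.9 - - [03/Jun/2022:10:02:03 +0000] "GET /%2524%257B7*7%257D/ HTTP/1.1" 302 0 "-" "python-requests/2.27"
192.0.2.44 - - [03/Jun/2022:10:03:55 +0000] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
"""

# Combined log format: client ip, identd, user, [timestamp], "METHOD path PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Greedy so the whole ${...} expression is captured even when it contains parentheses.
OGNL_RE = re.compile(r'\$\{.*\}')


def fully_decode(text, max_rounds=3):
    """URL-decode repeatedly until stable, so %2524 -> %24 -> $ is caught."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def find_ognl(path):
    """Return the OGNL expression embedded in the request path, or None."""
    match = OGNL_RE.search(fully_decode(path))
    return match.group(0) if match else None


def scan_access_log(log_text):
    """Return one dict per request whose path contains a ${...} expression."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        expression = find_ognl(m.group("path"))
        if expression is None:
            continue
        hits.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "status": int(m.group("status")),
            "expression": expression,
        })
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f'{hit["timestamp"]} {hit["ip"]} status={hit["status"]} {hit["expression"]}')
```

Volexity observed the attackers editing the access logs on the compromised host, so an empty result from the server's own logs is not evidence of absence. Run the same scan over reverse proxy, load balancer or WAF logs that the attacker could not reach, and on the host look for recently written .jsp files under the Confluence installation and for unexpected classes loaded into the Confluence JVM, which covers the two webshell styles Adair described.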
Proof-of-concept exploits were then published openly and exploitation accelerated. GreyNoise CEO Andrew Morris reported that 23 IP addresses had been observed attempting to exploit the vulnerability, and that the number grew to 211 within a day.
Administrators should apply the patch to Confluence Server and Data Center installations immediately to stop exploitation. Atlassian's advisory lists the following affected version ranges: 7.4.0 to 7.4.16, 7.13.0 to 7.13.6, 7.14.0 to 7.14.2, 7.15.0 to 7.15.1, 7.16.0 to 7.16.3, 7.17.0 to 7.17.3, and 7.18.0. Atlassian Cloud sites are not affected.
Atlassian has fixed the vulnerability in versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, and 7.18.1. Where patching cannot be done promptly, apply the temporary mitigations described in Atlassian's advisory (replacing specific vulnerable JAR and class files) until the upgrade is possible.
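When triaging a fleet, the useful question is not "is this version in the list" but "is it at or above the fixed release for its line", and what to do with versions on lines that never received a fix. The function below is an added example, not Atlassian's tooling; it encodes the fixed releases named above and, as a stated assumption, treats any older line without a fixed release as affected and in need of an upgrade to a fixed line, and any line newer than those in the advisory as unlisted, to be checked against Atlassian directly.

```python
# Fixed releases from Atlassian's advisory for CVE-2022-26134, keyed by release line.
FIXED_BY_LINE = {
    (7, 4): (7, 4, 17),
    (7, 13): (7, 13, 7),
    (7, 14): (7, 14, 3),
    (7, 15): (7, 15, 2),
    (7, 16): (7, 16, 4),
    (7, 17): (7, 17, 4),
    (7, 18): (7, 18, 1),
}


def parse_version(version):
    """'7.13.7' -> (7, 13, 7); missing trailing components are padded with zeros."""
    parts = [int(p) for p in version.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {version!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def triage(version):
    """Classify a Confluence Server/Data Center version against the advisory.

    Returns one of:
      'patched'          - at or above the fixed release for its line
      'vulnerable'       - on a line that has a fix, but below it
      'upgrade_required' - on an older line with no fixed release; assumed affected
                           (assumption made here), so move to a fixed line
      'unlisted'         - newer than any line in the advisory; check Atlassian directly
    """
    v = parse_version(version)
    line = v[:2]
    if line in FIXED_BY_LINE:
        return "patched" if v >= FIXED_BY_LINE[line] else "vulnerable"
    if line > max(FIXED_BY_LINE):
        return "unlisted"
    return "upgrade_required"


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    inventory = {"wiki-a": "7.18.0", "wiki-b": "7.13.7", "wiki-c": "7.12.5", "wiki-d": "7.4.17"}
    for host, ver in inventory.items():
        print(f"{host}: {ver} -> {triage(ver)}")
```

Note that a version comparison only tells you whether the server is still exploitable going forward. Given how quickly exploitation spread after the proof of concept was published, any host that sat unpatched while exposed should also be treated as potentially compromised and checked for webshells, regardless of what this check returns today.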