Atlassian Announces Fix for Maximum-Severity, Widely Exploited Vulnerability in Confluence Server and Data Center

Atlassian has released a patch for a critical zero-day vulnerability affecting all supported versions of Confluence Server and Data Center. The vulnerability, tracked as CVE-2022-26134, carries the maximum CVSS severity score of 10. Unauthenticated attackers can exploit it remotely to achieve code execution. Security researchers noted that exploitation is straightforward because it requires no user interaction and no privileges.

Recently, the cybersecurity firm Volexity observed the vulnerability being exploited while responding to a data breach. Its researchers reproduced the exploit and reported the details of the vulnerability to Atlassian. According to Volexity's report on the incident its researchers investigated, the attackers were probably based in China and exploited the vulnerability to execute malicious code and install webshells, including China Chopper and BEHINDER. The attackers performed reconnaissance, inspected the local Confluence databases and dumped user tables, modified web access logs to remove traces of the exploitation, and wrote additional webshells.

Volexity President Steven Adair tweeted that several threat groups and even individual threat actors had obtained the exploit and were using it in varied ways. Some are rather sloppy, while others are a little more stealthy. The most common approaches are writing JSP shells and loading class files into memory.

Proof-of-concept exploits were publicly released and exploitation accelerated. GreyNoise CEO Andrew Morris stated that 23 IP addresses were attempting to exploit the vulnerability, and that the number had risen to 211 within a day.

It is crucial to apply the patch immediately to Confluence Server and Data Center installations to prevent exploitation. Atlassian states that the vulnerability affects the following product versions: 7.4.16, 7.4.0, 7.18.0, 7.17.3, 7.17.0, 7.16.3, 7.16.0, 7.15.1, 7.15.0, 7.14.2, 7.14.0, 7.13.6, and 7.13.0. Atlassian Cloud sites are not affected.

Atlassian has fixed the vulnerability in versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, and 7.18.1. If prompt patching is not possible, it is vital to apply the mitigations recommended by Atlassian.
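As an added example (not code from the article or from Atlassian), the following Python check classifies a Confluence Server or Data Center version string against the fixed releases listed above, so an inventory can be triaged quickly; the hostnames and versions in the sample inventory are constructed.

```python
# Added example, not from the article or Atlassian: classify a Confluence
# Server/Data Center version against the fixed releases the article lists for
# CVE-2022-26134. Versions in a branch newer than those listed are flagged for
# a manual check against Atlassian's advisory rather than assumed safe.
from typing import Dict, Tuple

# Fixed releases named in the article, keyed by (major, minor) branch.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (7, 4): (7, 4, 17), (7, 13): (7, 13, 7), (7, 14): (7, 14, 3),
    (7, 15): (7, 15, 2), (7, 16): (7, 16, 4), (7, 17): (7, 17, 4),
    (7, 18): (7, 18, 1),
}
NEWEST_LISTED_BRANCH = max(FIXED_VERSIONS)

def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '7.13.6' (or '7.13') into a comparable (major, minor, patch) tuple."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]

def patch_status(version: str) -> str:
    """Return 'patched', 'upgrade required', or 'check advisory'."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is not None:
        # Same branch as a listed fix: compare patch levels against the fixed release.
        return "patched" if (major, minor, patch) >= fixed else "upgrade required"
    if (major, minor) > NEWEST_LISTED_BRANCH:
        # Branch released after the article's list; the article says nothing about it.
        return "check advisory"
    # Older branch with no fixed release listed: the remedy is moving to a fixed branch.
    return "upgrade required"

def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host in a constructed inventory to its patch status."""
    return {host: patch_status(ver) for host, ver in inventory.items()}

if __name__ == "__main__":
    # Constructed sample inventory; hostnames are placeholders, not real systems.
    sample = {"wiki-a.example": "7.13.6", "wiki-b.example": "7.18.1",
              "wiki-c.example": "7.12.5", "wiki-d.example": "7.19.0"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```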


Posted by Mark Wilson

Mark Wilson is a news reporter specializing in information technology and cybersecurity. Mark has contributed to leading publications and spoken at international forums, with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.