Atlassian orders customers to cut internet access to Confluence after critical bug discovered


Software company Atlassian has told Confluence users to either restrict the tool’s internet access or to cut it off entirely after it found a high-severity flaw that’s being exploited in the wild.

The collaboration tool has for multiple years been carrying a bug that allows threat actors to mount unauthenticated remote code execution attacks against target endpoints, the company confirmed.

As reported by The Register, Atlassian first reported finding the flaw on June 2. As the patch is still in the works, and due to the fact that the bug is being actively exploited, the firm has urged customers to take alternative action.


A decade of risk

At first, the company believed only the latest version 7.18 of Confluence Server was vulnerable, as there was evidence of this version being attacked. However, further investigation found that all versions (from 1.3.5 onwards) were vulnerable. Version 1.3.5 was released almost a decade ago, in 2013.

The patch is still under development, with the company promising it will be released by the end of the day (June 03). While that surely is good news, not all companies might make it in time to patch, given that it’s Friday.

Those who want to sleep peacefully over the weekend have a couple of options to choose from: either restrict Confluence Server and Data Center instances’ access to the internet, or disable Confluence Server and Data Center instances entirely. Atlassian also said companies could implement a Web Application Firewall (WAF) rule to block all URLs containing ${, as that "may reduce your risk".
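The WAF rule above is a literal string match, and a practitioner checking access logs for the same marker needs to account for percent-encoding (`${` arrives as `%24%7B`, or doubly encoded). The following detection over constructed access-log lines is an added example, not code from Atlassian or the article; the log lines and the two-round decoding limit are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the article). The third line
# carries the same "${" marker percent-encoded, which a literal match misses.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Jun/2022:10:01:02 +0000] "GET /login.action HTTP/1.1" 200 512
203.0.113.7 - - [03/Jun/2022:10:01:09 +0000] "GET /${demo}/ HTTP/1.1" 302 0
203.0.113.9 - - [03/Jun/2022:10:01:15 +0000] "GET /%24%7Bdemo%7D/ HTTP/1.1" 302 0
203.0.113.11 - - [03/Jun/2022:10:02:00 +0000] "GET /pages/viewpage.action?pageId=42 HTTP/1.1" 200 9001
"""

# Pulls the method and request target out of a Combined Log Format line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def normalize_target(target: str, rounds: int = 2) -> str:
    """Percent-decode the request target repeatedly so doubly encoded
    markers are also caught (assumption: two rounds is enough here)."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def contains_marker(target: str) -> bool:
    """True when the decoded request target contains the "${" marker."""
    return "${" in normalize_target(target)


def flag_requests(log_text: str) -> list:
    """Return (client_ip, raw_target) for each request whose decoded
    target contains "${"; lines that do not parse are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        if contains_marker(m.group("target")):
            hits.append((line.split()[0], m.group("target")))
    return hits


if __name__ == "__main__":
    for ip, target in flag_requests(SAMPLE_LOG):
        print(f"flagged {ip} -> {target}")
```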

The flaw, being tracked as CVE-2022-26134, was first discovered by security firm Volexity. The firm says attackers could insert a Java Server Pages (JSP) webshell into a publicly accessible web directory on a Confluence server.

"The file was a well-known copy of the JSP variant of the China Chopper webshell," Volexity wrote. "However, a review of the web logs showed that the file had barely been accessed. The webshell appears to have been written as a means of secondary access."

Confluence’s web application process was also found to have been launching bash shells, something that “stood out”, Volexity said: the web application process spawned a bash process, which launched a Python process, which in turn spawned another bash shell.

"Volexity believes the attacker launched a single exploit attempt…which in turn loaded a malicious class file in memory. This allowed the attacker to effectively have a webshell they could interact with through subsequent requests. The benefit of such an attack allowed the attacker to not have to continuously re-exploit the server and to execute commands without writing a backdoor file to disk."

Via The Register

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
