Atlassian Issues Patch for Critical Confluence Zero-Day
All Supported Versions of Confluence Server and Data Center Affected
Atlassian has issued a patch for Confluence, its workspace collaboration tool, to close a zero-day vulnerability that is being exploited in the wild and gives unauthenticated attackers remote code execution. The vulnerability, tracked as CVE-2022-26134, has a CVSS score of 10 out of 10.
"All supported versions of Confluence Server and Data Center are affected," Atlassian reports, and according to its updated security advisory the vulnerability exists in all versions after 1.3.0.
Researchers at Volexity, the cybersecurity firm that reported the zero-day to Atlassian, recommended in their security blog that Confluence users apply the patches "immediately" once available, "as this vulnerability is dangerous and trivially exploited."
The U.S. Cybersecurity and Infrastructure Security Agency, which has already added CVE-2022-26134 to its Known Exploited Vulnerabilities Catalog, has asked all federal agencies to immediately block all internet traffic to and from the Confluence Server and Data Center instances in use at their agencies. It has also directed them to "either apply the software update to all affected instances or remove the affected products by 5 pm ET on Monday, June 6, 2022."
Versions Affected and Fixed
The vulnerability affects all supported versions of Atlassian's Confluence Server and Data Center products. On its issue tracker page, Atlassian lists the affected version ranges and the corresponding fixed releases:
"The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1."
The fixed releases are therefore 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1, and Atlassian's advisory says affected instances should be updated to one of them immediately. Note that the listed ranges skip the 7.5 through 7.12 lines, for which no fixed release is listed; since the flaw is present in every version after 1.3.0, instances on those lines also need to move to one of the fixed releases rather than wait for a patch in their own line.
Atlassian also says that the vulnerability affects only the products and versions above and that Atlassian Cloud sites are not affected. "If your Confluence site is accessed via an atlassian[.]net domain, it is hosted by Atlassian and is not vulnerable. Our investigations have not found any evidence of exploitation of Atlassian Cloud."
If users are unable to upgrade Confluence immediately, Atlassian has provided temporary version-specific workarounds for CVE-2022-26134 that can be found in its updated security advisory.
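To turn the ranges above into a check that can be run against a server inventory, here is an added example script; it is not Atlassian's code. The ranges and fixed releases are the ones quoted from the issue tracker, the handling of the 7.5 through 7.12 lines follows from the advisory's statement that the flaw exists in all versions after 1.3.0, and treating any release newer than 7.18.1 as patched is an assumption about later lines.

```python
"""Assess a Confluence Server/Data Center version against the CVE-2022-26134
affected ranges Atlassian published. Added example, not Atlassian's code."""
import re
from typing import Optional, Tuple

# (first affected, first fixed) per line, i.e. the half-open range [lo, hi),
# exactly as quoted from Atlassian's issue tracker statement.
AFFECTED_RANGES = [
    ("1.3.0", "7.4.17"),
    ("7.13.0", "7.13.7"),
    ("7.14.0", "7.14.3"),
    ("7.15.0", "7.15.2"),
    ("7.16.0", "7.16.4"),
    ("7.17.0", "7.17.4"),
    ("7.18.0", "7.18.1"),
]
FIXED_VERSIONS = [hi for _, hi in AFFECTED_RANGES]
NEWEST_FIX = FIXED_VERSIONS[-1]  # 7.18.1


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '7.13.7', '7.13' or '7.13.7-rc1' into a 3-tuple of ints.
    String comparison would rank '7.4.17' above '7.13.7'; integer tuples do not."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"not a version string: {v!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_in_affected_range(version: str) -> bool:
    """True if the version sits inside one of Atlassian's listed ranges."""
    pv = parse_version(version)
    return any(parse_version(lo) <= pv < parse_version(hi) for lo, hi in AFFECTED_RANGES)


def assess(version: str) -> Tuple[str, Optional[str]]:
    """Return (status, fixed_release).

    'vulnerable'                - inside a listed range; second item is the patch for it
    'fixed'                     - at or above the patched release for its line
    'vulnerable-no-fix-in-line' - e.g. 7.5.x..7.12.x: not in any listed range and no
                                  patched release in that line; the advisory says the
                                  flaw exists in all versions after 1.3.0, so treat as
                                  vulnerable and move to a patched line
    'below-1.3.0'               - older than the first listed affected version
    """
    pv = parse_version(version)
    if pv < parse_version("1.3.0"):
        return ("below-1.3.0", None)
    for lo, hi in AFFECTED_RANGES:
        if parse_version(lo) <= pv < parse_version(hi):
            return ("vulnerable", hi)
    for fixed in FIXED_VERSIONS:
        fv = parse_version(fixed)
        if pv[:2] == fv[:2] and pv >= fv:
            return ("fixed", fixed)
    if pv >= parse_version(NEWEST_FIX):
        # Assumption: a line newer than anything in the advisory (e.g. 7.19.x) is patched.
        return ("fixed", NEWEST_FIX)
    return ("vulnerable-no-fix-in-line", None)


if __name__ == "__main__":
    for v in ["7.4.16", "7.4.17", "6.15.0", "7.12.5", "7.13.6", "7.18.2", "7.19.0"]:
        status, fix = assess(v)
        print(f"{v:>8}  {status}  {fix or ''}")
```

Feed it the version string reported by each instance's admin page or the `confluence/WEB-INF` manifest; the three-way status matters because a plain "in range or not" check would wrongly clear a 7.12.x host.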
More on the Vulnerability
In its initial security advisory, Atlassian did not disclose any further details about the vulnerability apart from the fact that it is an RCE bug, adding that "further details about the vulnerability are being withheld until a fix is available." Atlassian has now published further details on CVE-2022-26134 via the issue tracker page.
Atlassian confirms it is an Object-Graph Navigation Language (OGNL) injection vulnerability that allows an unauthenticated attacker to execute arbitrary code on an affected Confluence Server or Data Center instance.
OGNL is an open-source expression language for Java objects. It is the expression language evaluated by Apache Struts, a framework commonly used for Java-based web applications in enterprise environments, according to Contrast Security, an application security provider.
Contrast Security's page says, "OGNL is infamous for related vulnerabilities found in the Struts 2 framework that relies on it. Because OGNL has the ability to create or change executable code, it is also capable of introducing critical security flaws to any framework that uses it. For example, it is possible for the attacker to inject OGNL expressions (which can execute arbitrary malicious Java code), when an OGNL expression injection vulnerability is present."
The vulnerability is rated critical because its attack complexity is low and exploitation requires no privileges or user interaction, says Mark Adams, an engineering manager for product security at Atlassian, on the vulnerability's issue tracker page.
New Observations
Volexity's researchers have published several new observations since their initial security blog post on Thursday.
Although they are not sharing proof-of-concept code for the vulnerability, the researchers have published additional details on the post-exploitation activity: the commands the attacker executed on the victim's system, which the researchers analyzed, and further details on the malicious implants, including BEHINDER, a file-upload webshell and the China Chopper webshell.
Regarding the commands executed, Volexity's researchers observed the following attacker activity on the victim's system. The attacker:
- Ran reconnaissance commands to check the operating system version and examined the contents of "/etc/passwd" and "/etc/shadow";
- Checked the local Confluence database and dumped user tables from Confluence;
- Altered web access logs in an attempt to hamper forensic investigation and remove evidence of exploitation;
- Wrote additional webshells to disk, not all of which could be recovered, the researchers say.
Steven Adair, president of Volexity, added further observations in a long Twitter thread. His first concerns the targets, which he says are not sector-specific but "widespread" and yet seem "coordinated."
It is clear that multiple threat groups and individual actors have the exploit and have been using it in different ways. Some are quite sloppy and others are a bit more stealth. Loading class files into memory and writing JSP shells are the most popular we have seen so far.
— Steven Adair (@stevenadair) June 3, 2022
Adair says, "It is clear that multiple threat groups and individual actors have the exploit and have been using it in different ways." But some of them have been reckless while others have been a bit more "stealthy," he adds.
Adair says that "loading class files into memory and writing JSP shells are the most popular" methods, and one way to detect the latter is to monitor for JSP files other than those listed in the tweet below:
Everyone's setup may be different but Confluence largely only has these JSP files:
./admin/findspaceattachments.jsp
./admin/cluster/hashclustername.jsp
./admin/default.jsp
./classpath.jsp
./errors/notfound.jsp
./500page.jsp
./errors.jsp
./noop.jsp
Look for files not listed.
— Steven Adair (@stevenadair) June 3, 2022
"Everyone's setup may be different but Confluence largely only has these JSP files," which makes anomalies easy to spot, according to Adair. He also cites a finding by Sean Koessel, co-founder of Volexity, from multiple cases: look for ".java" files in the ./confluence/org/apache/jsp/ directory that should not be there. "You may find a webshell or backdoor here as well from a .jsp file that was deleted already," Adair says. The servlet container's JSP compiler generates a Java source and class file for each JSP it compiles, and those generated files survive deletion of the original .jsp, which is why the directory is worth checking even after an attacker has cleaned up.
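The two indicators above, JSPs outside the baseline list and generated .java sources under ./confluence/org/apache/jsp/, can be scripted. Here is an added example that applies both to a file listing; it is not Volexity's tooling. The listing in the block is constructed, the assumption that Adair's list is relative to the webapp root at <install>/confluence/ is mine, and flagging the companion .class files alongside the .java sources is an extension of the .java check the page describes.

```python
"""Hunt for webshell artifacts in a Confluence Server/Data Center install tree.
Added example, not Volexity's code. Run with no arguments to use the
constructed listing below, or pass a real install directory as argv[1]."""
import os
from typing import Dict, Iterable, List

# JSP files a stock Confluence webapp carries, per Adair's tweet above.
# Assumption: these paths are relative to the webapp root, <install>/confluence/.
BASELINE_JSP = {
    "admin/findspaceattachments.jsp",
    "admin/cluster/hashclustername.jsp",
    "admin/default.jsp",
    "classpath.jsp",
    "errors/notfound.jsp",
    "500page.jsp",
    "errors.jsp",
    "noop.jsp",
}
# Where compiled-JSP sources turn up, per Koessel's finding quoted above.
COMPILED_JSP_DIR = "org/apache/jsp/"
WEBAPP_PREFIX = "confluence/"


def normalize(path: str) -> str:
    """Make a path comparable: forward slashes, no leading './' or '/'."""
    p = path.replace("\\", "/")
    if p.startswith("./"):
        p = p[2:]
    return p.lstrip("/")


def webapp_relative(rel: str) -> str:
    """Strip the <install>/confluence/ prefix so paths match the baseline list."""
    return rel[len(WEBAPP_PREFIX):] if rel.startswith(WEBAPP_PREFIX) else rel


def hunt(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Return install-relative paths matching either indicator, in input order."""
    findings: Dict[str, List[str]] = {"unexpected_jsp": [], "compiled_jsp_leftovers": []}
    for raw in paths:
        rel = normalize(raw)
        web = webapp_relative(rel)
        # Indicator 1: a .jsp that is not one of the eight stock files.
        if web.lower().endswith(".jsp") and web not in BASELINE_JSP:
            findings["unexpected_jsp"].append(rel)
        # Indicator 2: generated source (or its class file, my addition) from a
        # compiled JSP; these outlive a deleted .jsp.
        if COMPILED_JSP_DIR in web and web.endswith((".java", ".class")):
            findings["compiled_jsp_leftovers"].append(rel)
    return findings


def walk_install(root: str) -> List[str]:
    """List every file under a real Confluence install directory, relative to it."""
    out = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            out.append(os.path.relpath(os.path.join(dirpath, f), root))
    return sorted(out)


# Constructed listing for demonstration; not taken from any real host.
SAMPLE_TREE = [
    "./confluence/500page.jsp",
    "./confluence/admin/default.jsp",
    "./confluence/admin/cluster/hashclustername.jsp",
    "./confluence/noop.jsp",
    "./confluence/images/icons/favicon.png",
    "./confluence/WEB-INF/lib/some-library.jar",
    "./confluence/tmp/cmd.jsp",                    # dropped webshell (constructed)
    "./confluence/org/apache/jsp/cmd_jsp.java",    # leftover from a compiled JSP
    "./confluence/org/apache/jsp/cmd_jsp.class",
    "./bin/start-confluence.sh",
]

if __name__ == "__main__":
    import json
    import sys
    listing = walk_install(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_TREE
    print(json.dumps(hunt(listing), indent=2))
```

Because setups differ, expect a few legitimate hits from plugins or local customizations; the value is in diffing the output against a known-good install of the same version, not in treating every hit as a shell.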