CVE-2022-26134 – Confluence Zero-Day Vulnerability

THE THREAT

On June 2nd, 2022, Atlassian disclosed a critical vulnerability impacting the Confluence collaboration tool, tracked as CVE-2022-26134; active exploitation of the vulnerability has been confirmed. CVE-2022-26134 is an unauthenticated Remote Code Execution (RCE) vulnerability that impacts all supported versions of Confluence Server and Data Center. Exploitation of this vulnerability would allow an unauthenticated and remote actor to execute code on vulnerable devices, potentially leading to the deployment of malware or the exfiltration of sensitive data.

At this time, security patches to address CVE-2022-26134 are not available. Atlassian has stated that patches will be released by end-of-day June 3rd, 2022. The current recommendations for organizations employing Confluence Server or Data Center are to restrict access from the internet or disable the instances; it should be noted that both recommendations may cause disruptions to standard business procedures.

What we’re doing about it

• IP addresses associated with real-world attacks have been blocked via the eSentire Global Deny List
• The eSentire Threat Response Unit (TRU) has performed threat hunts across the eSentire client base for signs of exploitation
• eSentire MDR for Endpoint has detections in place to identify known post compromise activity such as the deployment of webshells including BEHINDER and China Chopper
• eSentire MDR for Network has detections in place to identify the China Chopper webshell
• eSentire Managed Vulnerability Service (MVS) will add plugins for this vulnerability when they become available
• eSentire security teams continue to track this vulnerability for additional details and detection opportunities

What you should do about it

• Apply security patches from Atlassian once they are released
• Until security patches are released organizations are recommended to apply one of the following mitigations after performing a business impact review:
  • Restrict Internet access to Confluence Server and Data Center instances OR
  • Disable Confluence Servers and Data Center instances
• Additionally, temporary workarounds are available for Confluence versions: 7.0.0 – 7.18.0. Please follow the walkthrough available on the Atlassian advisory page

Additional information

Technical details relating to CVE-2022-26134 are currently limited as Atlassian is not releasing additional information until after security patches are made available. While not yet confirmed, it is likely that all versions of Confluence Server and Data Center are impacted, including out of support versions. The vulnerability does not impact Confluence Cloud.

CVE-2022-26134 was initially discovered by Volexity. According to the company, attacks exploiting the vulnerability were first identified on the Memorial Day weekend (May 28th-30th). Attacks observed by Volexity resulted in the deployment of the open-source webshell BEHINDER, a file upload webshell, and the China Chopper webshell. According to Volexity, multiple threat actor groups are believed to be exploiting the vulnerability in real-world attacks.

References:

[1] https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
[2] https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
[3] https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/