CISA Issues Warning After Critical Zero Day Hits Atlassian’s Confluence


Dive Brief:

  • The Cybersecurity and Infrastructure Security Agency (CISA) is warning enterprises of a critical zero-day vulnerability in Atlassian’s Confluence Server and Data Center that is under active exploitation and could allow an outside attacker to take control of a system.
  • CISA added the vulnerability, CVE-2022-26134, to its catalog of known exploited vulnerabilities on Thursday. Federal agencies should immediately disconnect all Internet traffic to and from Confluence Server and Data Center products, CISA said.
  • “As far as severity goes, it’s about as bad as it gets,” said Steven Adair, president of Volexity, the research company that discovered the vulnerability and alerted Atlassian. “This vulnerability can be exploited remotely by anyone who can contact Confluence systems.”

Dive Insight:

Volexity discovered the issue over Memorial Day weekend when it found Java Server Page (JSP) webshells being written to disk at a customer with two internet-facing web servers running Atlassian Confluence Server, according to a Volexity blog post.

The JSP file, a copy of the JSP variant of the China Chopper webshell, was written in a publicly accessible web directory, according to Volexity.

After processing the acquired memory samples, the researchers identified bash shells launched by the Confluence web application process. After exploiting Confluence Server, the attacker deployed an in-memory copy of the Behinder implant, the source code of which is available on GitHub. The implant offers attackers some serious capabilities, including support for interaction with Meterpreter and Cobalt Strike, according to Volexity.
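The two indicators Volexity describes above, JSP files appearing in a web-accessible Confluence directory and bash shells whose parent is the Confluence web application process, translate directly into host-level checks. The script below is an added example, not code from the article, from Volexity or from Atlassian: all process events, file listings and the baseline inventory are constructed sample data, and the `/opt/atlassian/confluence` install path is assumed from Atlassian's default Linux layout.

```python
import os

# Constructed process-creation events in the shape an EDR or auditd feed
# might deliver; none of this is real telemetry from the incident.
SAMPLE_PROCESS_EVENTS = [
    {"parent_image": "/opt/atlassian/confluence/jre/bin/java",
     "parent_cmdline": "java -Dconfluence.home=/var/atlassian/application-data/confluence "
                       "org.apache.catalina.startup.Bootstrap start",
     "child_image": "/bin/bash",
     "child_cmdline": "bash -c id"},
    {"parent_image": "/usr/sbin/cron",
     "parent_cmdline": "/usr/sbin/cron -f",
     "child_image": "/bin/sh",
     "child_cmdline": "/bin/sh -c /usr/sbin/logrotate /etc/logrotate.conf"},
    {"parent_image": "/opt/atlassian/confluence/jre/bin/java",
     "parent_cmdline": "java -Dconfluence.home=/var/atlassian/application-data/confluence "
                       "org.apache.catalina.startup.Bootstrap start",
     "child_image": "/usr/bin/git",
     "child_cmdline": "git --version"},
]

# Web-accessible directory of an assumed default Linux install
# (/opt/atlassian/confluence is Atlassian's default install path; assumption).
WEB_ROOTS = ["/opt/atlassian/confluence/confluence"]

# Constructed baseline: JSP paths recorded from a clean install of the same
# Confluence version. In practice, build this from a known-good instance.
BASELINE_JSP = {
    "/opt/atlassian/confluence/confluence/500page.jsp",
    "/opt/atlassian/confluence/confluence/login.jsp",
}

# Constructed current listing of (path, mtime as an ISO-8601 string).
SAMPLE_FILE_LISTING = [
    ("/opt/atlassian/confluence/confluence/500page.jsp", "2022-03-01T10:00:00"),
    ("/opt/atlassian/confluence/confluence/login.jsp", "2022-03-01T10:00:00"),
    ("/opt/atlassian/confluence/confluence/images/update.jsp", "2022-05-29T03:41:12"),
    ("/opt/atlassian/confluence/confluence/static/logo.png", "2022-03-01T10:00:00"),
    ("/var/atlassian/application-data/confluence/temp/report.jsp", "2022-05-29T03:45:00"),
]

SHELL_NAMES = {"bash", "sh", "dash", "zsh"}
JSP_EXTENSIONS = (".jsp", ".jspx")  # Tomcat compiles and executes both


def is_confluence_process(image, cmdline):
    """Heuristic: the Confluence web app is a java process whose command line
    names confluence.home (or otherwise mentions confluence)."""
    return os.path.basename(image) == "java" and "confluence" in cmdline.lower()


def shells_spawned_by_confluence(events):
    """Return the events in which a shell's parent is the Confluence java process.
    A web application has no routine reason to launch bash, so each hit is worth
    triage. The in-memory implant described in the article leaves no file on
    disk, so this process-lineage check matters even when the file check is clean."""
    hits = []
    for ev in events:
        child = os.path.basename(ev["child_image"])
        if child in SHELL_NAMES and is_confluence_process(ev["parent_image"], ev["parent_cmdline"]):
            hits.append(ev)
    return hits


def unexpected_jsp_files(listing, baseline=BASELINE_JSP, web_roots=WEB_ROOTS):
    """Return (path, mtime) for JSP files under a web-accessible root that are
    absent from the clean-install baseline, i.e. files Confluence did not ship.
    JSPs elsewhere on disk are ignored: only files the web server will execute
    for an anonymous request matter for this check."""
    hits = []
    for path, mtime in listing:
        if not path.lower().endswith(JSP_EXTENSIONS):
            continue
        under_web_root = any(path.startswith(root.rstrip("/") + "/") for root in web_roots)
        if under_web_root and path not in baseline:
            hits.append((path, mtime))
    return sorted(hits)


def run_checks(events=SAMPLE_PROCESS_EVENTS, listing=SAMPLE_FILE_LISTING):
    """Run both checks and return a small report dict."""
    return {
        "shells_from_confluence": shells_spawned_by_confluence(events),
        "unexpected_jsp": unexpected_jsp_files(listing),
    }


if __name__ == "__main__":
    report = run_checks()
    for ev in report["shells_from_confluence"]:
        print("shell spawned by Confluence:", ev["child_cmdline"])
    for path, mtime in report["unexpected_jsp"]:
        print("unexpected JSP in web root:", path, "modified", mtime)
```

On the sample data the process check flags only the `bash -c id` child of the Confluence java process (the cron-spawned `sh` and the `git` child are ignored), and the file check flags only `images/update.jsp`, since the JSP under the application-data directory is not web-accessible. Both checks are deliberately content-agnostic: they do not need a signature for the specific webshell, which is the point when the file's contents are unknown or the payload never touches disk.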

Atlassian has stated that all supported versions of Confluence Server and Data Center are affected and that it plans to make security patches available by end of day Friday.

Customers should consider restricting access or disabling Confluence Server and Data Center instances, according to Atlassian.

Satnam Narang, senior research engineer at Tenable, said the vulnerability is a reminder that attackers have previously targeted Atlassian products like Confluence.

At the end of last summer, U.S. Cyber Command warned all organizations to patch Confluence immediately. In late August, Atlassian had warned of a critical Confluence vulnerability tracked as CVE-2021-26084, the Confluence Server Webwork Object-Graph Navigation Language (OGNL) injection vulnerability.
