Atlassian has released security updates to address a critical zero-day vulnerability in Confluence Server and Data Center actively exploited in the wild to backdoor Internet-exposed servers.
The zero-day (CVE-2022-26134) affects all supported versions of Confluence Server and Data Center and allows unauthenticated attackers to gain remote code execution on unpatched servers.
Since it was disclosed as an actively exploited bug, the Cybersecurity and Infrastructure Security Agency (CISA) has also added it to its ‘Known Exploited Vulnerabilities Catalog’, requiring federal agencies to block all internet traffic to Confluence servers on their networks.
The company has now released patches and advises all customers to upgrade their appliances to versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, and 7.18.1, which contain a fix for this flaw.
“We strongly recommend upgrading to a fixed version of Confluence as there are several other security fixes included in the fixed versions of Confluence,” Atlassian said.
Admins who cannot immediately upgrade their Confluence installs can also use a temporary workaround to mitigate the CVE-2022-26134 security bug by updating some JAR files on their Confluence servers by following the detailed instructions available here.
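For admins triaging a fleet against the fixed releases listed above, the following is an added example (not Atlassian's code and not part of the original article) that parses an installed Confluence version, maps it to its release branch, and reports whether it is at or above the fixed release for that branch. The host inventory in `SAMPLE_INVENTORY` is constructed for illustration; branches that the advisory does not name (for example 7.12.x) are reported as `unlisted` rather than guessed at.

```python
"""Triage installed Confluence Server / Data Center versions against the
releases that fix CVE-2022-26134 (7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4,
7.17.4, 7.18.1). Added example; host names and versions below are constructed."""
from __future__ import annotations

import re
from typing import Dict, List, Optional, Tuple

# Fixed releases exactly as named in the advisory (one per supported branch).
FIXED_RELEASES = ["7.4.17", "7.13.7", "7.14.3", "7.15.2", "7.16.4", "7.17.4", "7.18.1"]

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse a strict MAJOR.MINOR.PATCH string; anything else is rejected so a
    pre-release or malformed banner is never silently treated as patched."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Confluence version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


# Map each release branch (major, minor) to the first fixed version on it.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    parse_version(v)[:2]: parse_version(v) for v in FIXED_RELEASES
}


def assess(version: str) -> Dict[str, Optional[str]]:
    """Classify one installed version as patched, vulnerable or unlisted.

    'unlisted' means the advisory names no fixed release on that branch, so the
    safe action is to move to one of the listed fixed releases rather than assume."""
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return {"version": version, "status": "unlisted", "fixed_release": None}
    fixed_str = ".".join(str(n) for n in fixed)
    status = "patched" if v >= fixed else "vulnerable"
    return {"version": version, "status": status, "fixed_release": fixed_str}


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts by status; hosts whose version string cannot be parsed land in
    'unparseable' so they are surfaced for manual review, not dropped."""
    report: Dict[str, List[str]] = {
        "vulnerable": [], "patched": [], "unlisted": [], "unparseable": []
    }
    for host, version in sorted(inventory.items()):
        try:
            result = assess(version)
        except ValueError:
            report["unparseable"].append(host)
            continue
        report[result["status"]].append(host)
    return report


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = {
    "wiki-prod-01": "7.13.6",   # below 7.13.7 on the 7.13 branch -> vulnerable
    "wiki-prod-02": "7.18.1",   # exactly the fixed release -> patched
    "wiki-legacy": "7.12.5",    # branch not named in the advisory -> unlisted
    "wiki-staging": "7.17.4",   # fixed release on the 7.17 branch -> patched
    "wiki-lab": "7.15.x",       # malformed banner -> unparseable
}

if __name__ == "__main__":
    for status, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{status:12s} {', '.join(hosts) or '-'}")
```

The comparison is branch-aware on purpose: a naive "is the version string >= 7.18.1" check would wrongly flag 7.13.7 as vulnerable, and a naive "is it >= 7.4.17" check would wrongly clear 7.13.6. Feed it the version your own inventory or management tooling reports, and treat `unlisted` and `unparseable` as work items, not as clean results.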
Widely exploited in ongoing attacks
The security vulnerability was discovered by cybersecurity firm Volexity over the Memorial Day weekend during an incident response.
While analyzing the incident, Volexity discovered that the zero-day was used to install a BEHINDER JSP web shell allowing the threat actors to execute commands on the compromised server remotely.
They also deployed a China Chopper web shell and a simple file upload tool as backups to maintain access to the hacked server.
Volexity threat analysts added that they believe multiple threat actors from China are using CVE-2022-26134 exploits to hack into Internet-exposed and unpatched Confluence servers.
The company also released a list of IP addresses used in the attacks and some Yara rules to identify web shell activity on potentially breached Confluence servers.
“The targeted industries/verticals are quite widespread. This is a free-for-all where the exploitation seems coordinated,” Volexity President Steven Adair revealed today.
“It is clear that multiple threat groups and individual actors have the exploit and have been using it in different ways.
“Some are quite sloppy and others are a bit more stealthy. Loading class files into memory and writing JSP shells are the most popular we have seen so far.”
A similar Atlassian Confluence remote code execution vulnerability was exploited in the wild in September 2021 to install cryptomining malware after a PoC exploit was publicly shared online.