Atlassian

2022 - 6 - 4

Atlassian releases fix for critical zero day impacting Confluence (Cybersecurity Dive)

Dive Brief: Atlassian released a security update Friday to patch a critical zero-day vulnerability in Confluence Server and Data Center. The vulnerability (CVE- ...

Confluence was previously the subject of a vulnerability last August. Cyber Command issued a warning less than a month later. - Atlassian released a security update Friday to patch a critical zero-day vulnerability in Confluence Server and Data Center. The vulnerability (CVE-2022-26134) is being actively exploited. - The company notified impacted customers, according to a spokesperson.

Atlassian is working on a fix for a critical Confluence vulnerability (Protocol)

The remote code execution flaw in the collaboration software is "dangerous and trivially exploited," according to researchers at Volexity, who discovered the ...

Atlassian said early Friday that it was aiming to release a fix for a critical vulnerability in its Confluence collaboration software by the end of the day. The Confluence software, which competes with alternatives such as Microsoft SharePoint and Google Docs, is used by more than 75,000 customers, according to the site. Atlassian said that it has released a number of versions of the Confluence software containing the patch (specifically, versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1). The company recommended upgrading to one of the fixed versions of Confluence, but also provided a temporary workaround in the event that customers can't upgrade right away. Later in the day, it confirmed that it released updated versions of Confluence that include the patch for the flaw. This story was updated after Atlassian released a patch for the Confluence flaw. Confluence is a team workspace designed to offer a "secure and reliable way to collaborate on mission-critical projects," Atlassian said on its website.

Unpatched Atlassian Confluence zero-day exploited, fix expected ... (Help Net Security)

A critical zero-day vulnerability (CVE-2022-26134) in Atlassian Confluence Data Center and Server is under active exploitation.

As noted previously, Atlassian advises users to restrict internet access to Confluence Server and Data Center or to disable them completely. Security teams should also check whether organizations’ Atlassian Confluence installations have been compromised, and to help with that Volexity released IOCs and hunting rules. During an incident response investigation, they found two internet-facing web servers running Atlassian Confluence Server software compromised via a JSP variant of the China Chopper webshell.

Atlassian warns that Confluence zero-day is being exploited by ... (The Record by Recorded Future)

A spokesperson for the Australia-based software firm told The Record that the bug – tagged as CVE-2022-26134 – does not yet have a patch. “We have contacted all ...

In its advisory on the issue, the company said a security fix will be “available for customer download within 24 hours (estimated time, by EOD June 3 PDT).” “Volexity was subsequently able to recreate that exploit and identify a zero-day vulnerability impacting fully up-to-date versions of Confluence Server,” the company explained. “We have contacted all potentially vulnerable customers directly to alert them of this vulnerability.”

Critical Atlassian Confluence flaw exploited in the wild (TechTarget)

A critical remote code execution vulnerability found in popular enterprise collaboration software Atlassian Confluence is under active exploitation.

"Our support team is working directly with these and other customers to ensure a security patch is implemented." "As this vulnerability only impacts customers using on-premises versions of Confluence, our visibility in regards to the scope of impact is limited to what customers share with us." He added that since publishing the blog post, Volexity learned of additional compromised organizations and that exploitation is now more widespread. Volexity identified the previously undiscovered zero-day flaw in Confluence and reported it to Atlassian on May 31. "This allowed the attacker to effectively have a webshell they could interact with through subsequent requests." In its advisory, Atlassian said its cloud services are not vulnerable to CVE-2022-26134.

Atlassian orders customers to cut internet access to Confluence after ... (TechRadar)

As reported by The Register, Atlassian first reported finding the flaw on June 2. As the patch is still in the works, and due to the fact that the bug is being ...

"This allowed the attacker to effectively have a webshell they could interact with through subsequent requests. The webshell appears to have been written as a means of secondary access." Atlassian also said companies could implement a Web Application Firewall (WAF) rule to block all URLs containing ${, as that "may reduce your risk". At first, the company believed only the latest version 7.18 of Confluence Server was vulnerable, as there was evidence of this version being attacked. As reported by The Register, Atlassian first reported finding the flaw on June 2.

Atlassian fixes Confluence zero-day widely exploited in attacks (BleepingComputer)

Atlassian has released security updates to address a critical zero-day vulnerability in Confluence Server and Data Center actively exploited in the wild to ...

"Loading class files into memory and writing JSP shells are the most popular we have seen so far." A similar Atlassian Confluence remote code execution vulnerability was exploited in the wild in September 2021 to install cryptomining malware after a PoC exploit was publicly shared online. The company also released a list of IP addresses used in the attacks and some Yara rules to identify web shell activity on potentially breached Confluence servers. Atlassian has released security updates to address a critical zero-day vulnerability in Confluence Server and Data Center actively exploited in the wild to backdoor Internet-exposed servers. Since it was disclosed as an actively exploited bug, the Cybersecurity and Infrastructure Security Agency (CISA) has also added it to its 'Known Exploited Vulnerabilities Catalog' requiring federal agencies to block all internet traffic to Confluence servers on their networks. The zero-day (CVE-2022-26134) affects all supported versions of Confluence Server and Data Center and allows unauthenticated attackers to gain remote code execution on unpatched servers.

Atlassian patches zero-day affecting Confluence Data Center and ... (SC Magazine)

The critical vulnerability lets an unauthenticated user execute arbitrary code on a Confluence Server or Data Center instance.

Mike Parkin, senior technical engineer at Vulcan Cyber, pointed out that Atlassian’s Confluence Server and Confluence Data Center are widely used across multiple industries, so an unauthenticated remote code execution flaw is problematic. Casey Bisson, head of product and developer enablement at BluBracket, said Atlassian tools are used by more than 200,000 enterprises. “Keeping instances isolated from the open internet can mitigate the vulnerability until patches arrive and is a best practice in any case. Fortunately, their widely used cloud platform is not known to be affected.” “Vendors face serious limitations when they encounter new remote code execution exploits, which is why it’s more important than ever for organizations to actively monitor their digital ecosystems on the front and back end.” Atlassian said for customers that access Confluence via an Atlassian.net domain, it’s hosted by Atlassian and not vulnerable.

Critical Atlassian 0-day is under active exploit. You're patched, right? (Ars Technica)

About this time last week, threat actors began quietly tapping a previously unknown vulnerability in Atlassian software that gave them almost complete ...

The vulnerability is likely also present in unsupported and long-term support versions, security firm Rapid7 said. Some are quite sloppy and others are a bit more stealth. It is clear that multiple threat groups and individual actors have the exploit and have been using it in different ways.

Fix issued for critical vulnerability – Atlassian advises users to ... (IT World Canada)

Users of Atlassian's Confluence collaboration software were warned yesterday to either restrict internet access to the software or to disable it due to a ...

Until this is done, however, the attacker has access to the server and can execute commands without writing a backdoor file to disk. Having the BEHINDER implant in memory is particularly dangerous in that it allows the attacker to execute instructions without writing files to disk. Volexity notes that “this is an ever-popular web server implant with source code available on GitHub.” BEHINDER allows attackers to use memory-only webshells with built-in support for interaction with Meterpreter and Cobalt Strike. Given that Atlassian’s website claims that Confluence has over 60,000 users world-wide, there could be a very severe impact to a wide number of companies. The advisory has now been updated to reflect the fact that the company has released versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1, which contain a fix for this issue. The U.S. Cybersecurity & Infrastructure Agency (CISA) “strongly recommends that organizations review Confluence Security Advisory 2022-06-02 for more information.”

Atlassian Releases New Versions of Confluence Server and Data ... (US-CERT)

Atlassian has released new Confluence Server and Data Center versions to address remote code execution vulnerability CVE-2022-26134 affecting these products ...

An unauthenticated remote attacker could exploit this vulnerability to execute code remotely. Atlassian has released new Confluence Server and Data Center versions to address remote code execution vulnerability CVE-2022-26134 affecting these products. CISA strongly urges organizations to review Confluence Security Advisory 2022-06-02 and upgrade Confluence Server and Confluence Data Center.