Zero-day Atlassian Confluence vulnerability, no patch yet. Tracked as CVE-2022-26134 (affecting Confluence Server and Data Center, not Confluence Cloud), it was acknowledged by Atlassian on 31 May 2022.
Update 04/06/2022: Atlassian has released a patch for the Confluence zero-day; it is available here.
A quick Google search for “Confluence wiki” turns up an already-disabled CSIRO Confluence site, and that is without even searching for the default wiki HTML page. Any attacker has far more capable tools than a simple Google search for finding exposed Confluence wikis.
Running Atlassian Confluence as your corporate wiki? Then you need to block external (internet) access to it immediately. The Confluence vulnerability is already being actively exploited by state-based actors, so take action now.
The Volexity team found the flaw over the weekend while investigating suspicious activity on servers running Atlassian Confluence Server. The investigation began after they discovered JSP webshells on the server's disk, including a copy of the JSP variant of the China Chopper webshell. They were later able to determine that the compromise stemmed from an attacker launching an exploit to achieve remote code execution.
(Source: Volexity)
Rather than repeat the very good information already published, Cyberkendra has a good write-up here on the issue and how it was discovered.
Atlassian 0 day summary
Block external access to Confluence immediately: the ease with which an attacker can discover an exposed instance and then exploit this zero-day means you must cut off internet access to Confluence now.
Atlassian will provide a patch shortly (see the update above), and Endpoint Detection and Response vendors will also be releasing detections for exploitation of this vulnerability.
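While you wait for vendor detections, two quick checks are worth running yourself: hunt the Confluence access logs for the injected OGNL expression that public CVE-2022-26134 exploits place in the request path (a `${...}` sequence, usually URL-encoded as `%24%7B...%7D`), and look for freshly written `.jsp` files under the Confluence install, since the webshell Volexity found was dropped on disk. The script below is an added example, not code from this post or from Atlassian or Volexity. The log lines, IP addresses and the `1+1` placeholder expression are constructed for illustration, and the log location and install path are placeholders you will need to adjust.

```python
"""Triage helpers for CVE-2022-26134 (added example; not the post's own code).

Assumed, adjust for your host: Confluence access logs in combined log format,
and the Confluence install under a directory you pass as the second argument.
"""
import re
import sys
import time
from pathlib import Path
from urllib.parse import unquote

# Public exploits put an OGNL expression (`${...}`) in the request path.
# Match the opening `${` raw or URL-encoded (%24%7B), case-insensitively.
OGNL_MARKER = re.compile(r"\$\{|%24%7B|%24\{", re.IGNORECASE)

# Combined log format: ip - - [time] "METHOD path HTTP/x" status size "ref" "ua"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# Constructed sample log: one normal page view and two probe attempts.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Jun/2022:10:15:01 +0000] "GET /display/ENG/Home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [02/Jun/2022:10:16:44 +0000] "GET /%24%7B1%2B1%7D/ HTTP/1.1" 302 0 "-" "python-requests/2.27"',
    '203.0.113.9 - - [02/Jun/2022:10:17:02 +0000] "GET /${1+1}/ HTTP/1.1" 302 0 "-" "curl/7.68.0"',
]


def suspicious_requests(lines):
    """Return (ip, time, path, status) for every request whose path carries an OGNL marker."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m.group("path")
        # Decode twice as well as checking the raw path: some scanners double-encode the braces.
        if OGNL_MARKER.search(path) or OGNL_MARKER.search(unquote(unquote(path))):
            hits.append((m.group("ip"), m.group("time"), path, int(m.group("status"))))
    return hits


def recent_jsp_files(root, max_age_days=14, now=None):
    """List .jsp files under root modified within max_age_days (webshell hunt).

    A .jsp newer than your last deployment, anywhere under the Confluence
    install, deserves a manual look; the China Chopper JSP variant is tiny.
    """
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    return sorted(str(p) for p in Path(root).rglob("*.jsp") if p.stat().st_mtime >= cutoff)


if __name__ == "__main__":
    # Usage: python triage.py [access.log] [confluence_install_dir]
    log = Path(sys.argv[1]).read_text().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    for ip, when, path, status in suspicious_requests(log):
        print(f"{ip} {when} {status} {path}")
    for f in recent_jsp_files(sys.argv[2] if len(sys.argv) > 2 else "."):
        print("recent jsp:", f)
```

A hit in the log is evidence of an attempt, not proof of success; correlate the source IP and timestamp with the filesystem check and with outbound connections from the Confluence process. Run the log check against every proxy or load-balancer log in front of Confluence too, since the expression arrives in the path and is visible there as well.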
There is additional information here.
Please contact us here if you would like any further information or assistance.