Fri | Jun 3, 2022 | 2:20 PM PDT

Malicious threat actors have been found to be exploiting a Zero-Day vulnerability in Atlassian Confluence, tracked as CVE-2022-26134, which the company describes in a security advisory as "a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server."

This vulnerability allows an unauthenticated third party to run arbitrary code on a Confluence Server or Data Center instance.

While no patches are yet available, Atlassian tells its customers that they can mitigate the vulnerability by making their servers inaccessible from the internet, either by restricting access to Confluence Server and Data Center instances or by disabling them.

Atlassian recommends that you upgrade to the latest Long Term Support release. For a full description of the latest version, see the Confluence Server and Data Center Release Notes. You can download the latest version from the download centre.

Note: If you run Confluence in a cluster, you will not be able to upgrade to the fixed versions without downtime; a rolling upgrade is not possible. Follow the steps in Upgrading Confluence Data Center.

Atlassian continues to say that if you are unable to upgrade Confluence immediately, you can mitigate the critical vulnerability by updating specific files for your version of the product. Technical information on how to do this can be found in the company's advisory.

Atlassian Confluence vulnerability added to CISA catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities Catalog, and will be requiring all federal agencies to immediately block all internet traffic to and from Atlassian's Confluence Server and Data Center products until an update is available and successfully applied.

Cybersecurity firm Volexity shared information about how the vulnerability was discovered:

"Over the Memorial Day weekend in the United States, Volexity conducted an incident response investigation involving two Internet-facing web servers belonging to one of its customers that were running Atlassian Confluence Server software. The investigation began after suspicious activity was detected on the hosts, which included JSP webshells being written to disk. Volexity immediately used Volexity Surge Collect Pro to collect system memory and key files from the Confluence Server systems for analysis.

After a thorough review of the collected data, Volexity was able to determine the server compromise stemmed from an attacker launching an exploit to achieve remote code execution. Volexity was subsequently able to recreate that exploit and identify a zero-day vulnerability impacting fully up-to-date versions of Confluence Server."
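The first indicator Volexity mentions is JSP webshells being written to disk. The following is an added example of a simple hunt for that indicator; it is not code from Atlassian or Volexity, and the install layout, the baseline manifest of shipped JSP files and the sample files are all constructed assumptions for the demo.

```python
"""Hunt for JSP files in a Confluence install that are outside a known baseline
or were modified after a chosen cutoff (for example, the start of the holiday
weekend in which the intrusion happened)."""
import os
import tempfile
import time
from pathlib import Path


def find_unexpected_jsp(install_dir, baseline, since_epoch):
    """Return relative paths of .jsp/.jspx files that are either absent from
    the baseline manifest or have an mtime later than `since_epoch` (UNIX time)."""
    root = Path(install_dir)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in (".jsp", ".jspx"):
            continue
        rel = path.relative_to(root).as_posix()
        if rel not in baseline or path.stat().st_mtime > since_epoch:
            hits.append(rel)
    return sorted(hits)


# Constructed baseline: the JSP paths assumed to ship with the product.
BASELINE = {"confluence/login.jsp"}


def build_demo_install():
    """Construct a Confluence-like tree with one shipped JSP (old mtime) and one
    JSP dropped recently in an unusual directory. Both files are placeholders."""
    base = Path(tempfile.mkdtemp(prefix="confluence-demo-"))
    shipped = base / "confluence" / "login.jsp"
    shipped.parent.mkdir(parents=True)
    shipped.write_text("<%-- constructed: shipped file --%>")
    old = time.time() - 30 * 86400
    os.utime(shipped, (old, old))  # make it look untouched for a month
    dropped = base / "confluence" / "images" / "x.jsp"
    dropped.parent.mkdir(parents=True)
    dropped.write_text("<%-- constructed placeholder, not a real webshell --%>")
    return base


def demo():
    """Run the hunt over the constructed tree with a cutoff of one week ago."""
    cutoff = time.time() - 7 * 86400
    return find_unexpected_jsp(build_demo_install(), BASELINE, cutoff)


if __name__ == "__main__":
    for rel in demo():
        print("UNEXPECTED JSP:", rel)
```

The in-memory variant Volexity describes later leaves no such file on disk, so this check complements memory collection rather than replacing it.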

Volexity continues to analyze the exploit, stating how critical this vulnerability is:

"When initially analyzing the exploit, Volexity noted it looked similar to previous vulnerabilities that have also been exploited in order to gain remote code execution. These types of vulnerabilities are dangerous, as attackers can execute commands and gain full control of a vulnerable system without credentials as long as web requests can be made to the Confluence Server system. It should also be noted that CVE-2022-26134 appears to be another command injection vulnerability. This type of vulnerability is severe and demands significant attention.

Volexity believes the attacker launched a single exploit attempt at each of the Confluence Server systems, which in turn loaded a malicious class file in memory. This allowed the attacker to effectively have a webshell they could interact with through subsequent requests. The benefit of such an attack allowed the attacker to not have to continuously re-exploit the server and to execute commands without writing a backdoor file to disk."

The cybersecurity company also notes that it believes this exploit is currently in use by multiple threat actors and that the likely country of origin of these attackers is China.

For more information, see the security advisory from Atlassian and the analysis from Volexity.
