mega-menu-burger mega-menu-close

Actively Exploited Atlassian Confluence Zero-Day CVE-2022-26134

Keep up to date with latest blog posts

On June 2, 2022, Atlassian issued a security advisory for CVE-2022-26134, a critical vulnerability affecting Atlassian Confluence Server and Data Center that allows unauthenticated remote code execution. The vulnerability is actively exploited and Atlassian released fixes for the affected versions.

Which Confluence Servers  Are Affected by the CVE-2022-26134 Vulnerability?

Atlassian has confirmed that the vulnerability affects Confluence Server and Data Center versions after 1.3.0. Therefore, all supported versions of Confluence Server and Data Center are affected by CVE-2022-26134 remote code execution vulnerability.

Supported and Affected Confluence Server and Data Center versions

7.4.0

7.13.6

7.15.0

7.16.3

7.18.0

7.4.16

7.14.0

7.15.1

7.17.0

 

7.13.0

7.14.2

7.16.0

7.17.3

 

What Is the Impact of CVE-2021-26084 Vulnerability?

CVE-2022-26134 allows unauthenticated attackers to execute arbitrary code on Confluence Server or Data Center installations.  Atlassian classifies the severity of the vulnerability as critical, which means exploitation of the vulnerability is likely to compromise servers at the root level, and exploitation is straightforward since the attacker does not require any authentication credentials.

What Should You Do?

Atlassian released fixes for supported and affected versions of Confluence Server and Data Center. Organizations are advised to upgrade to the latest versions.

Fixed versions of Atlassian Confluence Server and Data Center

7.4.17

7.14.3 

7.16.4

7.18.1

7.13.7

7.15.2

7.17.4

 

What is the Current Situation?

Atlassian released fixed versions for Confluence Server and Data Center and public proof of concept (PoC) code is available. U.S. CISA reported that attackers are exploiting the vulnerability in the wild. Since Confluence is a widely used team collaboration software and the CVE-2022-26134 vulnerability is extremely dangerous, threat actors are anticipated to increase their attacks in the coming weeks.

Post-Exploitation TTPs

According to Volexity, attackers’ follow-up actions after successful exploitation of the Confluence Server and Data Center instances are:

1. Deploying an in-memory copy of the open-source Behinder web server implant.

2. Using Behinder, attackers deploy the following shells:

- The JSP variant of the China Chopper web shell (MD5: f8df4dd46f02dc86d37d46cf4793e036, SHA1: 4c02c3a150de6b70d6fca584c29888202cc1deef)

- Custom file upload shell (MD5: ea18fb65d92e1f0671f23372bacf60e7, SHA1: 80b327ec19c7d14cc10511060ed3a4abffc821af)

Since the Behinder implant also has built-in support for interaction with Cobalt Strike and Meterpreter, attackers can also use these post-exploitation tools.

  • Checking operating system versions
  • Accessing  “/etc/passwd” and “/etc/shadow” files for credential dumping
  • Clearing tracks by removing web access logs

How Picus Helps Simulate Atlassian Confluence Server and Data Center CVE-2022-26134 Unauthenticated Remote Code Execution Exploits?

We also strongly suggest simulating Atlassian Confluence Server and Data Center CVE-2022-26134 unauthenticated remote code execution vulnerability exploitation attacks to assess the effectiveness of your security controls using the Picus’ The Complete Security Control Validation Platform. You can test your defenses against the CVE-2022-26134 vulnerability exploitation attacks and assess your security posture against the exploitation of hundreds of commonly exploited vulnerabilities within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threat for CVE-2022-26134 vulnerability: 

Threat ID

Threat Name

58423

Atlassian Confluence Web Attack Campaign

Picus Threat Library also includes attack simulations for previous Atlassian vulnerabilities. This threat currently includes the following actions:

Action ID

Threat Name

CVE

367678

Atlassian Confluence Server OGNL Injection Remote Code Execution Vulnerability Variant-1

CVE-2021-26084

421887

Atlassian Confluence Cross-Site Scripting Vulnerability

CVE-2018-5230

530383

Atlassian Confluence Server OGNL Injection Remote Code Execution Vulnerability Variant-2

CVE-2021-26084

541281

Atlassian Confluence Remote Code Execution via LFI Vulnerability

CVE-2019-3398

553673

Atlassian Confluence Remote Code Execution via Macro Preview Feature Variant-1

CVE-2019-3396

726719

Atlassian Confluence Remote Code Execution via Macro Preview Feature Variant-2

CVE-2019-3396

   890767

Atlassian Confluence Data Center Remote Code Execution Vulnerability Variant-1

CVE-2022-26134

 

 

Moreover, Picus Threat Library contains 150+ threats containing 1500+ web application and vulnerability exploitation attacks in addition to 3500+ endpoint, malware, email, and data exfiltration threats as of today.

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address the Atlassian Confluence CVE-2022-26134 RCE and other vulnerability exploitation attacks in preventive security controls. Currently, Picus Labs validated the following signatures:

Security Control

Signature ID

 

Signature Name

F5 BIG-IP

200003439

Java code injection - java/lang/Runtime (URI)

Fortigate IPS

51648

applications3: Atlassian.Confluence.OGNL.Remote.Code.Execution

PaloAlto IPS

92632

Atlassian Confluence Remote Code Execution Vulnerability

Snort

1.59934.1

SERVER-WEBAPP Atlassian Confluence OGNL expression injection attempt

SourceFire IPS

1.59934.1

SERVER-WEBAPP Atlassian Confluence OGNL expression injection attempt

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of Picus’ The Complete Security Control Validation Platform.

Threat Hunting

Volexity published YARA rules to hunt webshell activity. 

Indicators of Compromise (IoC)

IP Addresses:

  • 156.146.34.9
  • 156.146.56.136
  • 198.147.22.148
  • 45.43.19.91
  • 66.115.182.102
  • 66.115.182.111
  • 67.149.61.16
  • 154.16.105.147
  • 64.64.228.239
  • 156.146.34.52
  • 154.146.34.145
  • 198.147.22.148
  • 221.178.126.244
  • 59.163.248.170
  • 98.32.230.38

SHA1 Hashes:

4c02c3a150de6b70d6fca584c29888202cc1deef

80b327ec19c7d14cc10511060ed3a4abffc821af

Subscribe

Keep up to date with latest blog posts