On Friday, Atlassian released patches for a critical vulnerability in its Confluence Server and Data Center products. The flaw, tracked as CVE-2022-26134, was already being exploited in the wild by threat actors to achieve unauthenticated remote code execution. It is similar to CVE-2021-26084, which the Australian software company fixed in August 2021.
Both are Object-Graph Navigation Language (OGNL) injection flaws: an attacker who can get the server to evaluate an attacker-supplied OGNL expression can execute arbitrary code on the Confluence Server or Data Center instance. The newly disclosed flaw affects all supported versions of Confluence Server and Data Center; according to Atlassian, every version after 1.3.0 is affected. The fix is in the following releases:
- 7.4.17
- 7.13.7
- 7.14.3
- 7.15.2
- 7.16.4
- 7.17.4
- 7.18.1
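To turn the fixed-version list above into something you can run against an inventory, here is a small triage helper. It is an added example, not code from the article or from Atlassian. It assumes the advisory's wording that every version after 1.3.0 is affected (so 1.3.0 and earlier are treated as out of scope), and it assumes that any release newer than the newest fixed version (for example a 7.19.x build) carries the fix; both are assumptions of mine, not statements the page makes.

```python
"""Classify Confluence Server / Data Center version strings against the fixed
releases listed in the CVE-2022-26134 advisory.

Added example; not code from the article or from Atlassian.
"""
import re

# Fixed releases exactly as listed in the advisory (one per release branch).
FIXED_VERSIONS = ["7.4.17", "7.13.7", "7.14.3", "7.15.2",
                  "7.16.4", "7.17.4", "7.18.1"]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """'7.13.6' -> (7, 13, 6); tuples compare correctly unlike strings."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


# Map each major.minor branch to the first patched release in that branch.
_FIX_BY_BRANCH = {v[:2]: v for v in map(parse_version, FIXED_VERSIONS)}
_NEWEST_FIX = max(_FIX_BY_BRANCH.values())
# Assumption: the advisory says versions *after* 1.3.0 are affected, so
# 1.3.0 itself and anything older is treated as out of scope.
_OLDEST_AFFECTED = parse_version("1.3.0")


def assess(version):
    """Return 'patched', 'vulnerable' or 'out-of-scope' for one version string."""
    v = parse_version(version)
    if v <= _OLDEST_AFFECTED:
        return "out-of-scope"
    fix = _FIX_BY_BRANCH.get(v[:2])
    if fix is not None:
        # Same branch as a listed fix: patched iff at or beyond that release.
        return "patched" if v >= fix else "vulnerable"
    # No listed fix for this branch. Assumption: releases newer than the
    # newest fix carry it; older unfixed branches (e.g. 7.12.x) must upgrade.
    return "patched" if v > _NEWEST_FIX else "vulnerable"


def triage(versions):
    """Group an inventory of version strings by assessment."""
    out = {"patched": [], "vulnerable": [], "out-of-scope": []}
    for ver in versions:
        out[assess(ver)].append(ver)
    return out


if __name__ == "__main__":
    # Constructed inventory for illustration only.
    sample = ["7.13.6", "7.13.7", "7.12.5", "7.18.0", "7.19.0", "1.3.0"]
    for status, found in triage(sample).items():
        print(f"{status:13s} {', '.join(found) or '-'}")
```

Feed it the version strings you collect from each instance (the Confluence footer or the `/rest/api/settings/systemInfo` endpoint are the usual sources); anything that comes back `vulnerable` needs the upgrade, and anything from a branch without a listed fix, such as 7.12.x, cannot be patched in place and has to move to a fixed branch.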
Data from the internet asset discovery platform Censys shows roughly 9,325 services running a vulnerable version of Atlassian Confluence across 8,347 distinct hosts, with most of the instances located in the United States, Russia, China, Germany, and France. Evidence of active exploitation, most likely by China-based threat actors, was uncovered by cybersecurity firm Volexity during an incident response investigation over the Memorial Day weekend in the United States, before a patch was available.
“The targeted industries/verticals are quite widespread,” Steven Adair, founder and president of Volexity, said in a series of tweets. “This is a free-for-all where the exploitation seems coordinated.”
“It is clear that multiple threat groups and individual actors have the exploit and have been using it in different ways. Some are quite sloppy and others are a bit more stealth.”
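For teams doing the same kind of incident response Volexity describes, the first question is whether any request carrying an OGNL expression ever reached the server. The following log scanner is an added example, not code from the article or from Volexity; the access-log lines are constructed, and the assumption that payloads show up as `${...}` (or `%{...}`) expressions in the requested URI, raw or percent-encoded, is mine. It decodes nested percent-encoding before matching so that a double-encoded payload is not missed.

```python
"""Hunt Combined Log Format access logs for OGNL-injection attempts.

Added example; not code from the article or from Volexity. Sample log lines
below are constructed for illustration.
"""
import re
from urllib.parse import unquote

# Combined/common log format: client, ident, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Indicators of an OGNL expression: the expression delimiters, and the
# @class@member syntax OGNL uses for static calls into Java classes.
INDICATORS = (
    re.compile(r"\$\{"),          # ${ ... }
    re.compile(r"%\{"),           # %{ ... } (alternate OGNL delimiter)
    re.compile(r"@[\w.]+@\w+"),   # e.g. @java.lang.Runtime@getRuntime
)

# Constructed sample log; 198.51.100.7 sends two probes, the first double-wrapped
# in percent-encoding, the second in the clear.
SAMPLE_LOG = [
    '203.0.113.5 - - [30/May/2022:04:12:01 +0000] "GET /pages/viewpage.action?pageId=1 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [30/May/2022:04:12:09 +0000] "GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29%7D/ HTTP/1.1" 302 0',
    '198.51.100.7 - - [30/May/2022:04:13:44 +0000] "GET /${(#a=1)}/ HTTP/1.1" 302 0',
    '192.0.2.9 - - [30/May/2022:04:15:00 +0000] "POST /rest/api/content HTTP/1.1" 200 340',
]


def decode_fully(s, max_rounds=3):
    """Percent-decode until the string stops changing (bounded), so that
    double-encoded payloads like %2524%257B are seen as ${."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def is_suspicious(uri):
    """True if the decoded URI contains any OGNL expression indicator."""
    decoded = decode_fully(uri)
    return any(p.search(decoded) for p in INDICATORS)


def scan(lines):
    """Return one record per request whose URI looks like an OGNL injection."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real tool would count these
        if is_suspicious(m["uri"]):
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "status": m["status"],
                "uri": decode_fully(m["uri"]),
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["status"]} {hit["uri"]}')
```

A hit on this scanner means an attempt, not a confirmed compromise; the follow-up is to pull the full request (the `%{`/`${` markers also catch benign noise from security scanners), look for unexpected child processes of the Confluence Java process, and check for web shells or new files under the Confluence installation and home directories around the same timestamps.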
CISA has added the zero-day to its Known Exploited Vulnerabilities (KEV) Catalog and directed federal civilian agencies to immediately block all internet traffic to and from affected Confluence Server and Data Center instances, and to either apply the updates or remove the instances from their networks by 5 p.m. ET on June 6, 2022.