Atlassian Confluence Core Vulnerability Now Targeted

A major Atlassian Confluence vulnerability recently discovered in almost every version of the collaboration tool released over the past decade is now being actively exploited by threat actors, the company has confirmed.

The vulnerability allows threat actors to mount unauthenticated remote code execution attacks against targeted endpoints. A day after its discovery, the company released patches for versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, and 7.18.1.

Since the flaw is being actively exploited, the company has urged its users and customers to update the tool to the latest version immediately. It is tracked as CVE-2022-26134, but does not yet have a severity score. Atlassian listed it as "critical."

Limit internet access

It was first discovered by security firm Volexity, which said attackers could insert a Java Server Pages (JSP) webshell into a publicly accessible web directory on a Confluence server.

The Confluence web application process was also found to be launching bash shells, which "stood out," Volexity said: the Java process spawned a bash process, which spawned a Python process, which in turn spawned another bash shell.

Confluence users who are unable to apply the patch for whatever reason have some additional mitigation options, revolving around limiting internet access for the tool. During development of the patch, the company advised users to restrict Internet access for Confluence Server and Data Center instances, or disable Confluence Server and Data Center instances altogether.

Atlassian also said that companies could implement a web application firewall (WAF) rule to block all URLs containing ${, as it "can reduce your risk."
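The WAF advice above is a string match, and a practitioner applying it would want to know whether the match is done before or after URL decoding. The following Python script is an added example, not Atlassian's or Volexity's code, that hunts web-server access logs for request paths containing "${" after percent-decoding, including double-encoded forms. The log lines are constructed, and the assumption that exploit requests arrive percent-encoded (so that a rule inspecting only the raw URL for the literal "${" would miss them) is mine, not a statement from the article.

```python
"""Hunt access logs for request paths that contain "${" once percent-decoded.

Added example for the Atlassian WAF advice; it is not code from the vendor or
from Volexity. The sample log lines below are constructed, and the assumption
that attackers send the "${" payload URL-encoded is the author's of this block.
"""
import re
from urllib.parse import unquote

# Constructed sample lines in Combined Log Format; the two 203.0.113.7 entries
# carry a percent-encoded and a double-percent-encoded "${...}" path segment.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Jun/2022:10:15:22 +0000] "GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29%7D/ HTTP/1.1" 302 0 "-" "curl/7.68.0"
198.51.100.4 - - [03/Jun/2022:10:16:01 +0000] "GET /pages/viewpage.action?pageId=65537 HTTP/1.1" 200 8842 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Jun/2022:10:17:45 +0000] "GET /%2524%257B%2540java.lang.Runtime%2540getRuntime%2528%2529%257D/ HTTP/1.1" 302 0 "-" "curl/7.68.0"
198.51.100.9 - - [03/Jun/2022:10:18:03 +0000] "POST /login.action HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request path and status from a Combined Log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(path: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly until the string stops changing.

    A single unquote() turns "%2524%257B" into "%24%7B", not "${"; a bounded
    loop catches double encoding without looping forever on odd input.
    """
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_ognl_probe(path: str) -> bool:
    """True when the decoded request path contains the "${" marker."""
    return "${" in fully_decode(path)


def find_suspicious(log_text: str) -> list:
    """Return one record per log line whose request path matches the marker."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format; skip rather than guess
        if is_ognl_probe(m["path"]):
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "status": m["status"],
                "decoded_path": fully_decode(m["path"]),
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["status"]} {hit["decoded_path"]}')
```

Run against a real access log by reading the file into find_suspicious(); the 302 status on the flagged lines in the sample is only part of the constructed data, so do not filter on it. A WAF rule that normalizes the URL before matching closes the same gap this script is checking for.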

Although the company emphasized "current active exploitation" in its notice, it did not specify who is using it or against whom.

Via: The Register