Software company Atlassian has asked Confluence users to restrict the tool's internet access or shut it down entirely after finding a very serious flaw that is being exploited in the wild.

The collaboration tool has had a bug for several years that allows hackers to mount unauthenticated remote code execution attacks against target endpoints, the company confirmed.

As reported by The Register, Atlassian first reported finding the flaw on June 2. As the fix is still being worked on and the bug is being actively exploited, the company urged customers to take alternative measures.

A decade of risk

At first, the company believed that only the latest version 7.18 of Confluence Server was vulnerable, as there was evidence that this version was under attack. However, further investigation revealed that all versions (starting with 1.3.5) were vulnerable. Version 1.3.5 was released almost ten years ago, in 2013.

The fix is still under development, and the company promises that it will be released by the end of the day (June 3). While that's certainly good news, not all companies may be able to apply the patch in time, given that it's Friday.

Those who want to sleep easy over the weekend have several options: restrict Internet access to Confluence Server and Data Center instances, or disable those instances altogether. Atlassian also said that companies could implement a web application firewall (WAF) rule to block all URLs containing "${", as it "can reduce your risk."
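To make the WAF rule concrete, here is an added example (not from the article, Atlassian or Volexity) of a request filter that blocks any URL whose decoded form contains "${"; it also decodes percent-encoded and double-encoded paths, since a rule that only matches the literal characters is defeated by encoding. The log lines, IP addresses and paths below are constructed for the example.

```python
"""Filter in the spirit of Atlassian's interim WAF rule for CVE-2022-26134:
block requests whose URL contains the sequence "${" (added example; sample
data is constructed, not taken from a real incident)."""
from urllib.parse import unquote

MARKER = "${"

def normalize(url: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so %24%7B and %2524%257B both
    become the literal marker before the check runs."""
    current = url
    for _ in range(rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current

def should_block(url: str) -> bool:
    """Return True when the decoded URL contains the blocked marker."""
    return MARKER in normalize(url)

# Constructed access-log style lines: one benign request, one literal
# marker, one single-encoded and one double-encoded variant.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /pages/viewpage.action?pageId=1 HTTP/1.1" 200',
    '10.0.0.7 - - "GET /${test}/ HTTP/1.1" 302',
    '10.0.0.9 - - "GET /%24%7Btest%7D/ HTTP/1.1" 302',
    '10.0.0.9 - - "GET /%2524%257Btest%257D/ HTTP/1.1" 302',
]

def flag_log_lines(lines):
    """Return the request paths that the rule would have blocked, which is
    also a quick way to review existing logs for matching requests."""
    flagged = []
    for line in lines:
        try:
            request = line.split('"')[1]   # e.g. 'GET /path HTTP/1.1'
            path = request.split(" ")[1]
        except IndexError:
            continue                        # malformed line, skip it
        if should_block(path):
            flagged.append(path)
    return flagged

if __name__ == "__main__":
    for path in flag_log_lines(SAMPLE_LOG):
        print("would block:", path)
```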

The flaw, identified as CVE-2022-26134, was first discovered by security firm Volexity. The company says that attackers could insert a Java Server Pages (JSP) webshell into a publicly accessible web directory on a Confluence server.

"The file was a known copy of the China Chopper webshell JSP variant," Volexity wrote. "However, an examination of web logs showed that the file was barely accessed. The webshell appears to have been written as a secondary means of access."

Confluence's web application process was also found to launch bash shells, which "stood out," Volexity said, because it spawned a bash process that spawned a Python process, which in turn spawned a bash shell.

"Volexity believes the attacker launched a single exploit attempt… which in turn loaded a malicious class file into memory. subsequent requests. The advantage of such an attack was that the attacker did not have to continuously re-exploit the server and execute commands without writing a backdoor file to disk."

Via The Register