Atlassian: Unpatched years-old flaw under attack right now to hijack Confluence

One option: Take the thing offline until Friday patch applied


Updated Atlassian has warned users of its Confluence collaboration tool that they should either restrict internet access to the software, or disable it, in light of a critical-rated unauthenticated remote-code-execution flaw in the product that is actively under attack.

An advisory dated June 2, 1300 PT (2000 UTC), does not describe the nature of the flaw, and reveals "current active exploitation" has been detected. No patch is available.

The flaw is present in version 7.18 of Confluence Server, which is under attack, as well as potentially versions 7.4 and higher of Confluence Server and Confluence Data Center. Version 7.4 is a long-term support edition.

"There are currently no fixed versions of Confluence Server and Data Center available," the advisory states. "Atlassian is working with the highest priority to issue a fix."

Atlassian suggests that while customers wait for the fix to land, they "should work with their security team to consider the best course of action." The Australian software house's "options to consider" are:

  • Restricting Confluence Server and Data Center instances from the internet.
  • Disabling Confluence Server and Data Center instances.

The first option is probably easier for most users to implement, though could cause significant disruption for remote workers unless there's some kind of VPN solution in place. The second will definitely cause significant internal disruption.

No timeframe has been offered for delivery of a fix nor has Atlassian offered any hint about the complexity of work required to address the issue.

While any critical-rated flaw that's under attack is very bad news, many Atlassian users may have dodged the bullet because version 7.18 of Confluence Server was announced on May 30 and is therefore unlikely to be widely deployed. Indeed, few may have been planning to adopt the new code, as version 7.19 is designated as a Long Term Support release.

Users of Confluence 7.4 have more to worry about, as that version was released in April 2020, and it is "potentially vulnerable," according to Atlassian.

News of the flaw, tracked as CVE-2022-26134, comes after Atlassian's cloud services experienced a two-week outage in April 2022. ®

Updated to add at 0205 UTC, June 3

The US Cybersecurity and Infrastructure Security Agency has issued an advisory in which it "urges organizations with affected Atlassian's Confluence Server and Data Center products to block all internet traffic to and from those devices until an update is available and successfully applied."

Security company Volexity, which reported the flaw to Atlassian, has published an analysis of the situation that suggests attackers are able to insert a Java Server Page (JSP) webshell into a publicly accessible web directory on Confluence servers.

"The file was a well-known copy of the JSP variant of the China Chopper webshell," Volexity wrote. "However, a review of the web logs showed that the file had barely been accessed. The webshell appears to have been written as a means of secondary access."

The security company also found the Confluence web application process launching bash shells. "This stood out because it had spawned a bash process which spawned a Python process that in turn spawned a bash shell," the company's post states.

"Volexity believes the attacker launched a single exploit attempt … which in turn loaded a malicious class file in memory. This allowed the attacker to effectively have a webshell they could interact with through subsequent requests. The benefit of such an attack allowed the attacker to not have to continuously re-exploit the server and to execute commands without writing a backdoor file to disk."

Updated to add at 0730 UTC, June 3

Atlassian has good news and bad news about this bug.

The bad news is it's been found to impact Confluence all the way back to version 1.3.5, which was released more than a decade ago. The good is the tech giant has promised a patch by the end of June 3, Pacific Time.

Maybe that's bad news, as that timing means the patch will arrive on the weekend for most of the world.

In the meantime, Atlassian says implementing a WAF (Web Application Firewall) rule that blocks URLs containing ${ "may reduce your risk."

Updated to add at 1845 UTC, June 3

The security patch you are looking for is now available: versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1 have been released, which contain a fix for this issue, according to Atlassian.

Similar topics


Other stories you might like

  • CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
    Nearly 60 holes found affecting 'more than 30,000' machines worldwide

    Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

    Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

    The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

    Continue reading
  • 1Password's Insights tool to help admins monitor users' security practices
    Find the clown who chose 'password' as a password and make things right

    1Password, the Toronto-based maker of the identically named password manager, is adding a security analysis and advice tool called Insights from 1Password to its business-oriented product.

    Available to 1Password Business customers, Insights takes the form of a menu addition to the right-hand column of the application window. Clicking on the "Insights" option presents a dashboard for checking on data breaches, password health, and team usage of 1Password throughout an organization.

    "We designed Insights from 1Password to give IT and security admins broader visibility into potential security risks so businesses improve their understanding of the threats posed by employee behavior, and have clear steps to mitigate those issues," said Jeff Shiner, CEO of 1Password, in a statement.

    Continue reading
  • Inside the RSAC expo: Buzzword bingo and the bear in the room
    We mingle with the vendors so you don't have to

    RSA Conference Your humble vulture never liked conference expos – even before finding myself on the show floor during a global pandemic. Expo halls are a necessary evil that are predominatly visited to find gifts to bring home to the kids. 

    Do organizations really choose security vendors based on a booth? The whole expo hall idea seems like an outdated business model – for the vendors, anyway. Although the same argument could be made for conferences in general.

    For the most part, all of the executives and security researchers set up shop offsite – either in swanky hotels and shared office space (for the big-wigs) or at charming outdoor chess tables in Yerba Buena Gardens. Many of them said they avoided the expo altogether.

    Continue reading

Biting the hand that feeds IT © 1998–2022