Threat actors are using public exploits to pummel a critical zero-day remote code execution (RCE) flaw that affects all versions of a popular collaboration tool used in cloud and hybrid server environments and allows for complete host takeover.
Researchers from Volexity uncovered the flaw in Atlassian Confluence Server and Data Center software over the Memorial Day weekend after they detected suspicious activity on two internet-facing web servers belonging to a customer running the software, they said in a blog post published last week.
The researchers tracked the activity to a public exploit for the vulnerability, CVE-2022-26134, that’s been spreading rapidly, and subsequently reported the flaw to Atlassian. As observed by Volexity researchers, what’s being described as an “OGNL injection vulnerability” appears to allow for a Java Server Page (JSP) webshell to be written into a publicly accessible web directory on Confluence software.
“The file was a well-known copy of the JSP variant of the China Chopper webshell,” researchers wrote. “However, a review of the web logs showed that the file had barely been accessed. The webshell appears to have been written as a means of secondary access.”
Atlassian released a security advisory the same day that Volexity went public with the flaw, warning customers that all supported version of Confluence Server and Data Center after version 1.3.0 were affected and that no updates were available. This prompted the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Agency (CISA) to issue a warning of its own about the flaw.
A day later, Atlassian released an update that fixes the following versions of the affected products: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1; it’s also strongly recommending that customers update as soon as they can. If that’s not possible, the company provided in the advisory what it stressed is a “temporary” workaround for the flaw by updating a list of specific files that correspond to specific versions of the product.
Threat Escalation
In the meantime, the situation is escalating quickly into one that security professionals said could reach epic proportions, with exploits surfacing daily and hundreds of unique IP addresses already throttling the vulnerability. Many versions of the affected products also remain unpatched, which also creates a dangerous situation.
“CVE-2022-26134 is about as bad as it gets,” observed Naveen Sunkavalley, chief architect of security firm Horizon3.ai, in an email to Threatpost. Key issues are that the vulnerability is quite easy both to find and exploit, with the latter possible using a single HTTP GET request, he said.
Moreover, the public exploits recently released that allow attackers to use the flaw to enable arbitrary command execution and take over the host against a number of Confluence versions—including the latest unpatched version, 7.18.0, according to tests that Horizon3.ai has conducted, Sunkavaley said.
Indeed, Twitter was blowing up over the past weekend with discussions about public exploits for the vulnerability. On Saturday, Andrew Morris, the CEO of cybersecurity firm GreyNoise tweeted that they had begun to see 23 unique IP addresses exploiting the Atlassian vulnerabilities. On Monday, Morris tweeted again that the number of unique IP addresses attempting to exploit the flaw had risen to 400 in just a 24-hour period.
Potential for a SolarWinds 2.0?
Sunkavalley pointed out that the most obvious impact of the vulnerability is that attackers can easily compromise public-facing Confluence instances to gain a foothold into internal networks, and then proceed from there to unleash even further damage.
“Confluence instances often contain a wealth of user data and business-critical information that is valuable for attackers moving laterally within internal networks,” Sunkavalley said.
What’s more, the vulnerability is a source-code issue, and attacks at this level “are some of the most effective and long reaching attacks on the IT ecosystem,” observed Garret Grajek, CEO of security firm YouAttest.
The now-infamous Solarwinds supply-chain attack that started in December 2020 and extended well into 2021 was an example of the level of damage and magnitude of threat that embedded malware can have, and the Confluence bug has the potential to create a similar scenario, he said.
“By attacking the source code base the hackers are able to manipulate the code to become, in fact, agents of the hacking enterprise, cryptographically registered as legitimate components on the IT system,” Grajek said.
For this reason, it’s “imperative that enterprises review their code and most importantly the identities that have control of the source system, like Atlassian, to ensure restrictive and legitimate access to their vital code bases,” he asserted.