Threat Response – Zero-day vulnerability in Atlassian Confluence
On Thursday June 2nd a zero-day vulnerability in Atlassian Confluence was made public (CVE-2022-26134) . This vulnerability allows an unauthenticated attacker to execute arbitrary code on a Confluence Server.
Cyber Security company Volexity  has seen an attack that exploits the zero-day vulnerability. In the investigation conducted by Volexity, the threat actor installed BEHINDER , which is a JSP web shell that allows attackers to remotely execute code on the compromised server. At least the following versions have been found to be vulnerable:
- Confluence Server 7.18.0
- Confluence Data Center 7.4.0 and above
Atlassian indicates that probably all versions are vulnerable.
At this moment there is no patch available for Confluence Server and Data Center.
Currently, this vulnerability is already being exploited. However, it is currently impossible to estimate how frequently this vulnerability is exploited. Attacks that make use of this vulnerability have already been observed. Northwave expects that the number of attacks that exploit this vulnerability will increase in the near future.
At this point, threat actors are actively exploiting the vulnerability. Confluence Servers can often be accessed directly from the internet, making it easy for an attacker to attack a vulnerable server. For these reasons, we currently assess the risk as high.
Successful exploitation of this vulnerability could allow an attacker to execute code remotely. This zero-day vulnerability is actively exploited by attackers. For this reason, we estimate the impact as high.
At this moment there is no known mitigation other than disabling your Confluence Servers and Data Center instances or restricting access from the Internet.
What should you do?
There are currently no patches available, so make sure you:
- Restrict access to your Confluence environment that is accessible from the internet
- Or (if restricting access is not possible) disable your Confluence environment.
Volexity has shared Yara rules  available to identify related web shell activity on Confluence environments. In addition, Volexity has also shared a list of IP addresses  that are actively exploiting this vulnerability.
Atlassian expects to release a patch within 24 hours. Be sure to install this patch as soon as it becomes available.
What will Northwave do?
Northwave will monitor developments around these vulnerabilities. When possible, we will add detection rules around these vulnerabilities to the Northwave Detection Platform. We will reach out to you again if there are important updates, including if the threat posed by this activity increases. If you have any questions or require any additional information please reach out to us by phone or email.
E-mail: [email protected] Do you have an incident right now? Call our CERT number: +31 (0)85 043 7909 Disclaimer applies, see below.
Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises, we will reach out to you. If you need additional information you can call us by phone or send us an email.
Phone number: +31 (0)30-303 1244 (during business hours)
E-mail: [email protected]
Do you have an incident right now? Call our CERT number: +31 (0)85-0437 909 or 0800-1744 (alleen vanuit Nederland)
Disclaimer applies, see below.
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.