- The Cybersecurity and Infrastructure Security Agency (CISA) is warning businesses about a critical zero-day vulnerability in Atlassian’s Confluence Server and Data Center, which is under active exploit and could allow an outside attacker to take control over a system.
- CISA added the vulnerability, CVE-2022-26134, to its Known Exploited Vulnerabilities Catalog Thursday. Federal agencies must immediately disconnect all internet traffic to and from Confluence Server and Data Center products, CISA said.
- “As for the severity, this is about as bad as it gets,” said Steven Adair, president of Volexity, the research firm that discovered the vulnerability and alerted Atlassian. “This vulnerability can be exploited remotely by anyone that can contact the Confluence systems.”
Volexity discovered the problem over the Memorial Day weekend when it found Java server page (JSP) webshells being written to disk at a customer with two internet-facing web servers running Atlassian Confluence Server, according to a blog post from Volexity.
The JSP file, a copy of the JSP variant of the China Chopper webshell, was written into a publicly accessible web directory, according to Volexity.
After processing acquired memory samples, the researchers identified bash shells launched by the Confluence web application process. After exploiting Confluence Server, the attacker deployed an in-memory copy of the Behinder implant, which has source code available on GitHub. The implant offers attackers serious capabilities, including support for interaction with Meterpreter and Cobalt Strike, according to the Volexity.
Atlassian said all supported versions of Confluence Server and Data Center are affected and it expects to make security fixes available by the end of the day Friday.
Customers should consider restricting access to or disabling Confluence Server and Data Center instances, according to Atlassian.
Satnam Narang, senior staff research engineer at Tenable, said the vulnerability is a reminder that attackers have previously targeted Atlassian products like Confluence.
Late last summer, U.S. Cyber Command warned all organizations to immediately patch Confluence. Atlassian in late August warned of a critical Confluence vulnerability listed as CVE-2021-26084, or the Confluence Server Webwork Object-Graph Navigation Language injection vulnerability.