Critical Atlassian Confluence flaw exploited in the wild

A new critical remote code execution bug in enterprise collaboration software Atlassian Confluence is under attack, and no patch is currently available.

The vulnerability, which was first discovered by incident response vendor Volexity, was made public via a Thursday security advisory from Atlassian. In the advisory, Atlassian said the flaw, CVE-2022-26134, was a "critical severity unauthenticated remote code execution vulnerability in Confluence Server and Data Center" that is currently being exploited by threat actors.

Confluence Data Center and Server are two versions of the Confluence wiki available to enterprises, with the main difference being that the former has more features. In its advisory, Atlassian said its cloud services are not vulnerable to CVE-2022-26134.

The vulnerability affects all versions of Confluence Data Center and Server, and patches have not been issued yet. However, Atlassian said in its advisory that it expects updates to be available by end of day Friday.

UPDATE: Atlassian has released patches to address the vulnerability in Confluence Data Center and Server products. Complete mitigation and update instructions are available on Atlassian's advisory.

In addition to the advisory, Volexity published a blog post Thursday that provided more technical detail on the threat. Volexity researchers explained that the flaw was discovered when the vendor was conducting an incident response investigation into two compromised web-facing servers. Volexity identified the previously undiscovered zero-day flaw in Confluence and reported it to Atlassian on May 31.

The blog described CVE-2022-26134 as a command injection vulnerability that allows attackers to "execute commands and gain full control of a vulnerable system without credentials as long as web requests can be made to the Confluence Server system."

.@Volexity discovers zero-day exploit impacting all current versions of Atlassian Confluence Server and Data Center. Attackers deploy in-memory Java implant to evade detection. Read more in our latest blog post: https://t.co/aCSwnSUfj8 #DFIR #ThreatIntel #InfoSec

— Volexity (@Volexity) June 2, 2022

"Volexity believes the attacker launched a single exploit attempt at each of the Confluence Server systems, which in turn loaded a malicious class file in memory," the blog read. "This allowed the attacker to effectively have a webshell they could interact with through subsequent requests. The benefit of such an attack allowed the attacker to not have to continuously re-exploit the server and to execute commands without writing a backdoor file to disk."

In a follow-up tweet, Volexity president Steven Adair warned that multiple threat actors, likely based in China, were in possession of the Atlassian Confluence exploit. He added that since publishing the blog post, Volexity learned of additional compromised organizations and that exploitation is now more widespread.

Asked about the scope of exploitation beyond those described in Volexity's blog, an Atlassian spokesperson said the following:

"We have contacted all potentially vulnerable customers directly to notify them of the fix," the spokesperson said. "As this vulnerability only impacts customers using on-premises versions of Confluence, our visibility in regards to the scope of impact is limited to what customers share with us. So far, we have been made aware of targeted exploitation for only a few customers. Our support team is working directly with these and other customers to ensure a security patch is implemented."

Atlassian recommended customers "work with their security team to consider the best course of action" until a fix is released. The vendor advised restricting Confluence Server and Data Center internet access or outright disabling instances of the software as potential options. For those unable to do either, Atlassian said implementing a web application firewall rule may reduce risk.

Atlassian Confluence is no stranger to critical vulnerabilities. Last September, a similarly severe remote code execution bug was found in the software.

Atlassian did not respond to SearchSecurity's request for comment.

Alexander Culafi is a writer, journalist and podcaster based in Boston.