Security Alert: Atlassian Confluence Server and Data Center

Date:
2022-06-03 14:30:00
Status:
Closed
Brief Description:
Atlassian has published details on a zero-day unauthenticated remote code execution vulnerability in all currently supported versions of Confluence Server and Confluence Data Center, identified as CVE-2022-26134.
Current Status:
The issue has been resolved.
Services Affected:
Web Hosting
Wikis
Subsites Affected:
Cornell Secure File Transfer
Full Description:
OVERVIEW
Atlassian has published details on a zero-day unauthenticated remote code execution vulnerability in all currently supported versions of Confluence Server and Confluence Data Center, identified as CVE-2022-26134. Atlassian states this vulnerability is under known active exploitation. An attacker can exploit this vulnerability to run arbitrary code on the server in the security context of the Confluence server application.

RECOMMENDATIONS
For Cornell Confluence:
The central Cornell Confluence instances at confluence.cornell.edu are vendor-hosted and managed by the vendor, Contegix. The service managers will coordinate with the vendor on mitigations and patching.
https://it.cornell.edu/confluence

For other Confluence Server and Data Center instances:
Follow the Atlassian Security Advisory in the References section below and patch Confluence Server and Data Center as soon as a patch becomes available. The vendor’s ETA is end of day today, June 3, 2022.

Restrict access to any unmanaged Confluence instances to Cornell networks and 10-Space:
https://it.cornell.edu/dns/ip-addresses-and-subnets-cornell
https://it.cornell.edu/dns/what-10-space-and-what-does-it-do
Or temporarily disable any unmanaged Confluence instances until a patch is available.

If you cannot restrict access, block or filter any requests to Confluence Server and Data Center containing the following string:
${

If you suspect exploitation, some artifacts to look for include:
— Confluence or web server logs for client requests containing the string ${
— Unusual new files, services, or daemons (e.g., webshells)
— Volexity observed an attacker replacing a Confluence component with a web shell. The file was located at “/confluence/noop.jsp”
— Evidence of a shell spawned with a find command like: /bin/sh -c cd /tmp/;find / -perm +4000 -ls >a.txt
— This may result in the following log entry for Catalina, the Apache Tomcat servlet container, due to the time the find command takes to run:
at sun.sjhcufv.ffmtys.pmx.Mkzlznuz.RunCMD(Cmd.java:67)
at sun.sjhcufv.ffmtys.pmx.Mkzlznuz.equals(Cmd.java:29)
at test.Inject.myValve.invoke(myValve.java:35)
— Confluence or database logs indicating a dump of Confluence database content
— Unusual user accounts – newly added or behaving irregularly
— Unknown/unusual network connections or listening ports
— Unusual creation/modification times of added or changed files
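To make the first artifact check above concrete, here is an added example (not part of the original alert, and not Cornell or Atlassian code) that scans constructed Tomcat/Confluence access-log lines for requests whose target contains the "${" string, both literally and after percent-decoding; the log lines, IP addresses and request paths are made up for the demonstration, and the assumption that the marker may arrive percent-encoded is the example's own.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in combined log format.
# These are made-up entries for demonstration, not captured from any real system.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Jun/2022:10:15:01 +0000] "GET /login.action HTTP/1.1" 200 5120
203.0.113.7 - - [03/Jun/2022:10:15:09 +0000] "GET /${x}/ HTTP/1.1" 302 0
198.51.100.4 - - [03/Jun/2022:10:16:22 +0000] "GET /%24%7Bx%7D/ HTTP/1.1" 302 0
192.0.2.10 - - [03/Jun/2022:10:17:40 +0000] "GET /display/HOME HTTP/1.1" 200 8800
"""

# The quoted request line: method, request target, protocol.
_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def suspicious_requests(log_text: str) -> list:
    """Return (client_ip, raw_target) for every request whose target contains
    the "${" marker named in the advisory, either as written or after
    percent-decoding (assumption: the marker may be encoded in the log)."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        match = _REQUEST_RE.search(line)
        if match is None:
            continue  # not a request line we can parse; skip it
        target = match.group("target")
        # Decode twice so a double-encoded marker is still recognised.
        decoded = unquote(unquote(target))
        if "${" in target or "${" in decoded:
            client_ip = line.split(" ", 1)[0]
            hits.append((client_ip, target))
    return hits


if __name__ == "__main__":
    for ip, target in suspicious_requests(SAMPLE_LOG):
        print(f"ALERT client={ip} target={target}")
```

Point the function at your own access log text to get a list of client/request pairs worth investigating; a hit is a lead for the other artifact checks above, not proof of compromise on its own.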

SYSTEMS AFFECTED
Confluence Server, all supported versions.
Confluence Data Center, all supported versions.

REFERENCES
Atlassian Security Advisory: https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
Volexity: https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence
CIT TDX ID:
714685