Dive Brief:
- The Cybersecurity and Infrastructure Security Agency (CISA) is warning businesses about a critical zero-day vulnerability in Atlassian’s Confluence Server and Data Center, which is under active exploitation and could allow an outside attacker to take control of a system.
- CISA added the vulnerability, CVE-2022-26134, to its Known Exploited Vulnerabilities Catalog Thursday. Federal agencies must immediately disconnect all internet traffic to and from Confluence Server and Data Center products, CISA said.
- “As for the severity, this is about as bad as it gets,” said Steven Adair, president of Volexity, the research firm that discovered the vulnerability and alerted Atlassian. “This vulnerability can be exploited remotely by anyone that can contact the Confluence systems.”
Dive Insight:
Volexity discovered the problem over the Memorial Day weekend when it found JavaServer Pages (JSP) webshells being written to disk at a customer with two internet-facing web servers running Atlassian Confluence Server, according to a blog post from Volexity.
The JSP file, a copy of the JSP variant of the China Chopper webshell, was written into a publicly accessible web directory, according to Volexity.
After processing acquired memory samples, the researchers identified bash shells launched by the Confluence web application process. After exploiting Confluence Server, the attacker deployed an in-memory copy of the Behinder implant, which has source code available on GitHub. The implant offers attackers serious capabilities, including support for interaction with Meterpreter and Cobalt Strike, according to Volexity.
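The two indicators Volexity describes above, a JSP file newly written into a web-accessible Confluence directory and a shell process whose parent chain leads back to the Confluence Java process, can be turned into a simple host-side check. The following Python is an added illustration for defenders and is not code from Volexity, Atlassian or this article; the process snapshot, file listing, install directory and the "java process whose command line mentions confluence" heuristic are all constructed assumptions, not documented Confluence layout or named indicators of compromise.

```python
"""Detection sketch for the two indicators described in the text.

Assumptions (constructed for this example):
  * Process and file data are supplied as plain lists, as a collector
    script would produce from /proc or a `ps` / `find` snapshot.
  * The Confluence web application is a `java` process whose command
    line contains the word "confluence" (heuristic, not Atlassian's spec).
  * /opt/confluence-install/webapps/ROOT is a stand-in web-served path.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

SHELLS = {"bash", "sh", "dash", "zsh"}


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str      # short process name, e.g. "java" or "bash"
    cmdline: str   # full command line


@dataclass
class FileEntry:
    path: str
    mtime: float   # last modification, seconds since the epoch


def confluence_pids(procs: List[Proc]) -> Set[int]:
    """Pick out the Confluence web application process(es) by heuristic."""
    return {p.pid for p in procs
            if p.comm == "java" and "confluence" in p.cmdline.lower()}


def shells_spawned_by_confluence(procs: List[Proc]) -> List[Proc]:
    """Return shell processes that descend from a Confluence Java process.

    A web application normally has no reason to spawn bash/sh; a shell
    anywhere under that process tree is the indicator Volexity reported.
    """
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    roots = confluence_pids(procs)
    hits: List[Proc] = []
    for p in procs:
        if p.comm not in SHELLS:
            continue
        cur = by_pid.get(p.ppid)
        seen: Set[int] = set()          # guard against a malformed cyclic snapshot
        while cur is not None and cur.pid not in seen:
            if cur.pid in roots:
                hits.append(p)
                break
            seen.add(cur.pid)
            cur = by_pid.get(cur.ppid)
    return hits


def suspicious_jsp_writes(files: List[FileEntry], web_roots: List[str],
                          baseline_mtime: float) -> List[FileEntry]:
    """Flag .jsp files under a web-served directory modified after a baseline.

    The baseline is the time of the last known-good deployment or patch;
    shipped JSP pages predate it, a dropped webshell does not.
    """
    out: List[FileEntry] = []
    for f in files:
        if not f.path.lower().endswith(".jsp"):
            continue
        under_web_root = any(f.path.startswith(root.rstrip("/") + "/")
                             for root in web_roots)
        if under_web_root and f.mtime > baseline_mtime:
            out.append(f)
    return out


# --- constructed sample data -------------------------------------------------
SAMPLE_PROCS = [
    Proc(1, 0, "systemd", "/sbin/init"),
    Proc(1200, 1, "java", "/usr/bin/java -Dconfluence.home=/var/confluence-data ..."),
    Proc(2300, 1200, "bash", "/bin/bash -c id"),          # shell under the web app
    Proc(2310, 2300, "sh", "sh -c 'uname -a'"),           # grandchild of the web app
    Proc(2400, 1, "bash", "-bash"),                       # admin login shell, unrelated
]

WEB_ROOTS = ["/opt/confluence-install/webapps/ROOT"]
BASELINE = 1_653_000_000.0   # constructed last-known-good deployment time

SAMPLE_FILES = [
    FileEntry("/opt/confluence-install/webapps/ROOT/index.jsp", BASELINE - 86400),
    FileEntry("/opt/confluence-install/webapps/ROOT/new-file.jsp", BASELINE + 3600),
    FileEntry("/tmp/scratch.jsp", BASELINE + 3600),                          # not web-served
    FileEntry("/opt/confluence-install/webapps/ROOT/logo.png", BASELINE + 3600),  # not JSP
]

if __name__ == "__main__":
    for p in shells_spawned_by_confluence(SAMPLE_PROCS):
        print(f"shell under Confluence: pid={p.pid} ppid={p.ppid} {p.cmdline}")
    for f in suspicious_jsp_writes(SAMPLE_FILES, WEB_ROOTS, BASELINE):
        print(f"new JSP in web root: {f.path}")
```

On the sample data the process check reports pids 2300 and 2310 but not the administrator's login shell, and the file check reports only the JSP written into the web root after the baseline. In practice the process list would be taken from a live snapshot and the baseline from the deployment record; both checks are cheap enough to run on a schedule while an instance is isolated or awaiting a fix.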
Atlassian said all supported versions of Confluence Server and Data Center are affected and it expects to make security fixes available by the end of the day Friday.
Customers should consider restricting access to or disabling Confluence Server and Data Center instances, according to Atlassian.
Satnam Narang, senior staff research engineer at Tenable, said the vulnerability is a reminder that attackers have previously targeted Atlassian products like Confluence.
Late last summer, U.S. Cyber Command warned all organizations to immediately patch Confluence. Atlassian in late August warned of a critical Confluence vulnerability listed as CVE-2021-26084, or the Confluence Server Webwork Object-Graph Navigation Language injection vulnerability.