Critical zero-day vulnerability detected in Atlassian's Confluence prompting CISA to issue an alert
In a recent development, a critical zero-day vulnerability has been discovered in Atlassian's Confluence Server and Data Center. This vulnerability, identified as CVE-2022-26134, is currently under active exploitation and could allow an external attacker to take control of a system.
The discovery was made by Volexity, a cybersecurity company, over the Memorial Day weekend at a customer with two internet-facing web servers running Atlassian Confluence Server. According to Steven Adair, the president of Volexity, this vulnerability can be exploited remotely by anyone who can contact the Confluence systems.
Atlassian, the company behind the affected products, has confirmed that all supported versions of Confluence Server and Data Center are affected. The company has warned customers to consider restricting access to or disabling Confluence Server and Data Center instances.
The vulnerability is a Webwork Object-Graph Navigation Language (OGNL) injection vulnerability, as Atlassian described in late August. This class of vulnerability allows an attacker to execute arbitrary code on the server, potentially leading to a full system takeover.
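Because OGNL injection arrives over HTTP, Confluence access logs are a natural place to hunt for it. The following is an added example, not code from the article or from Atlassian or Volexity; it assumes Tomcat-style access-log lines (the samples below are constructed) and that injected OGNL shows up in the request target as a `${...}` expression, possibly URL-encoded.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic). Two of them carry a
# harmless OGNL marker expression, one URL-encoded and one in the clear.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Jun/2022:10:01:02 +0000] "GET /login.action HTTP/1.1" 200 4811
10.0.0.7 - - [04/Jun/2022:10:01:09 +0000] "GET /%24%7B1%2B1%7D/ HTTP/1.1" 302 0
10.0.0.9 - - [04/Jun/2022:10:02:15 +0000] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 9021
10.0.0.7 - - [04/Jun/2022:10:02:40 +0000] "POST /${1+1}/ HTTP/1.1" 302 0
"""

# Tomcat "common" log format: client, ident, user, [timestamp], "request", status, bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# An OGNL expression embedded in a URL opens with "${"; we match on the
# decoded target so percent-encoding cannot hide it.
OGNL_MARKER_RE = re.compile(r'\$\{')


def decode_target(target: str) -> str:
    """URL-decode until the string stops changing, so double-encoding is unwrapped too."""
    cur = target
    for _ in range(3):  # bounded: three rounds is plenty for realistic encodings
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def find_ognl_candidates(log_text: str) -> list[dict]:
    """Return one record per log line whose decoded request target contains an OGNL marker."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than raising
        decoded = decode_target(m['target'])
        if OGNL_MARKER_RE.search(decoded):
            hits.append({'ip': m['ip'], 'ts': m['ts'], 'method': m['method'],
                         'target': decoded, 'status': m['status']})
    return hits


if __name__ == '__main__':
    for hit in find_ognl_candidates(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} {hit['target']} -> {hit['status']}")
```

A `${` in a request path is not something legitimate Confluence clients send, so any hit is worth triage; a hit followed by a 302 is still a hit, since the status code says nothing about whether the expression was evaluated.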
U.S. Cyber Command and the Cybersecurity and Infrastructure Security Agency (CISA) have both warned all organizations to immediately patch Confluence following the disclosure of the vulnerability. CISA has even gone so far as to add this vulnerability to its Known Exploited Vulnerabilities Catalog, indicating that it is being actively exploited in the wild.
Exploitation of this vulnerability can lead to the deployment of malicious implants, such as the Behinder implant. This implant gives attackers significant capabilities, including support for interaction with Meterpreter and Cobalt Strike. After exploiting Confluence Server, the attacker deployed an in-memory copy of the Behinder implant, whose source code is available on GitHub.
The discovery of this vulnerability in Atlassian's Confluence Server highlights the importance of understanding and addressing security risks across a technology stack. Corporate stakeholders want to better understand the risk calculus of their technology stacks and answer the question: are we a target? That question sits squarely within the evolving role of Chief Information Security Officers (CISOs).
Atlassian expects to make security fixes available by the end of the day Friday. Satnam Narang, senior staff research engineer at Tenable, stated that the vulnerability is a reminder that attackers have previously targeted Atlassian products like Confluence.
Federal agencies must immediately disconnect all internet traffic to and from Confluence Server and Data Center products, according to CISA. This urgent action is necessary to protect against potential exploitation of this critical vulnerability.
In conclusion, the discovery of the zero-day vulnerability in Atlassian's Confluence Server underscores the need for vigilant cybersecurity practices. Organizations are advised to patch their systems as soon as possible to mitigate the risks associated with this vulnerability.