Atlassian issued security updates for a critical zero-day vulnerability in Confluence Server and Data Center, the flaw was exploited in the wild to backdoor web-exposed servers. The zero-day (CVE-2022-26134) vulnerability impacts all versions that support Confluence Server and Data Center, it allows threat actors to access remote code execution on unpatched servers. As the vulnerability was reported as actively exploited bug, the Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its "Known Exploited Vulnerabilites Catalog".
It means federal agencies can block all web traffic to Confluence servers on their networks. Atlassian has released patches and asked its customers to update their devices to versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, and 7.18.1, that have been patched for this vulnerability. "We strongly recommend upgrading to a fixed version of Confluence as there are several other security fixes included in the fixed versions of Confluence," it says.
Users who can't upgrade their Confluence installs for now can use temporary workaround and mitigate the CVE-2022-26134 security vulnerability via upgrading few JAR files on their confluence servers. The flaw was discovered by cybersecurity firm Volexity. During investigation, the firm found that zero-day was used to deploy a BEHINDER JSP web shell, it allowed the hackers to perform remote code execution on the servers. Threat actors also used a China Chopper web shell and a file upload software as backups to keep access to the hacked servers.
Volexity researchers believe that various hackers from China are using CVE-2022-26134 flaws to gain access into web-exposed and unpatched Confluence servers. "The targeted industries/verticals are quite widespread. This is a free-for-all where the exploitation seems coordinated. It is clear that multiple threat groups and individual actors have the exploit and have been using it in different ways. Some are quite sloppy and others are a bit more stealth. Loading class files into memory and writing JSP shells are the most popular we have seen so far," said Volexity.
