Threat Signal Report

New Confluence Vulnerability (CVE-2022-26134) Exploited in the Wild

description-logo Description

UPDATE June 5th 2022: Added IPS coverage to the protection section. A link to Outbreak Alert was added to the Appendix.


FortiGuard Labs is aware of a new vulnerability in Confluence Server and Data Center (CVE-2022-26134) which was reportedly exploited as a zero-day in the wild. Rated critical, successful exploitation of the vulnerability allows an unauthenticated remote attacker to execute arbitrary code on the compromised server. The vulnerability affects all supported versions of unpatched Confluence Server and Data Center.


Why is this Significant?

This is significant because Confluence Server and Data Center (CVE-2022-26134) was reportedly exploited as a 0-day in the wild. The vulnerability is an OGNL injection vulnerability that allows an unauthenticated remote attacker to execute arbitrary code on the compromised server.


Confluence is a widely-used team workspace and collaboration tool developed by Atlassian. It is used to help teams collaborate and share knowledge via a content management system and is used by many large scale enterprise and organizations worldwide. This vulnerability does not have a CVSS score at the moment, but the ease of exploitation via an unauthenticated session and combined with remote code execution is a cause for concern.


What versions of Confluence Server and Data Center are Affected by CVE-2022-26134?

The advisory released by Atlassian states that the following versions are affected:


  • All supported versions of Confluence Server and Data Center
  • Confluence Server and Data Center versions after 1.3.0


What Malware were Deployed to the Compromised Server?

It was reported that China Chopper and a custom file upload shell have been deployed on to compromised servers. China Chopper is a tiny webshell that provides a remote attacker backdoor access to a compromised system.


Has the Vendor Released an Advisory for CVE-2022-26134?

Yes. See the Appendix for a link to "Confluence Security Advisory 2022-06-02".


Has the Vendor Released a Patch?

Yes, Atlassian has released a patch on June 3rd, 2022.


What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage against the China Chopper webshell and the custom file upload shell that were reportedly deployed on known compromised Confluence servers:


Java/Websh.D!tr
HTML/Agent.D71B!tr


FortiGuard Labs released the following IPS signature in version 21.331:


Atlassian.Confluence.OGNL.Remote.Code.Execution (deafult action is set to Pass)


All known network IOC's associated with attacks leveraging CVE-2022-26134 are blocked by the FortiGuard WebFiltering Client.


Any Suggested Mitigation?

The advisory includes mitigation information. See the Appendix for a link to "Confluence Security Advisory 2022-06-02".

Telemetry


Definitions

Traffic Light Protocol

Color When Should it Be used? How may it be shared?

TLP: RED

Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.