Confluence Server and Data Center Vulnerability

This article discusses CVE-2022-26134, a critical remote code execution vulnerability in Atlassian Confluence Server and Data Center that affects every supported version of the product. An attacker who exploits it can steal data from the server, deploy ransomware, or read private files. Working exploit details became public within days of the advisory, so patching quickly is critical. Here is what the vulnerability is and how to patch Confluence Server and Data Center.

Atlassian released a security advisory on June 2, 2022 for a critical remote code execution vulnerability in Confluence Server and Data Center, for which no fix was available at the time of publication. The advisory credits the cybersecurity firm Volexity with discovering the flaw but does not disclose the technical details of the exploit. An attacker who successfully exploits the flaw needs no credentials and can execute commands on the server, create a new administrator account, and take full control of the host.

Atlassian confirmed the vulnerability and assigned it CVE-2022-26134. Until fixed versions were available, the company advised customers to restrict their Confluence Server and Data Center instances from the internet or shut them down, and noted that a web application firewall rule blocking URLs containing "${" could reduce the risk. Volexity withheld the exact injection technique in its initial report but described the web shells dropped after a successful attack. Atlassian's standing recommendation is to upgrade to the latest Long Term Support release.

During its investigation, Volexity found evidence of this vulnerability being exploited in the wild. The vulnerability allows an unauthenticated attacker to execute arbitrary code on Confluence Server and Data Center versions after 1.3.0, which means every supported release at the time. Confluence Cloud users are not affected; users of on-premise Confluence Server and Data Center are. No "Allow people to sign up" setting needs to be enabled and no account is required: the flaw is reachable by anyone who can send an HTTP request to the server.

Patching the Confluence Server and Data Center Vulnerability

The vulnerability is an OGNL injection: an attacker sends a specially crafted HTTP request, with an OGNL expression embedded in the URI path, to an internet-facing Confluence server, and the server evaluates the expression. That yields arbitrary code execution as the Confluence service account and, from there, a takeover of the host. Technical details were withheld when the advisory was published, but working exploits circulated publicly within days and mass exploitation followed. Any exposed instance should be assumed to have been targeted: upgrade to a fixed release (ideally the latest Long Term Support version) and review access logs for requests whose path contains "${", including percent-encoded forms.
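The access-log review suggested above, and the "${" web application firewall rule mentioned earlier, both depend on seeing through percent-encoding. The following is an added example for this article, not Atlassian's or Volexity's code: it parses combined-format access-log lines, URL-decodes the request path repeatedly, and flags paths that carry an OGNL template. The log lines are constructed for the example and are not real traffic.

```python
"""Flag access-log lines whose request path carries an OGNL template of the
kind used against CVE-2022-26134 (OGNL injection via the URI path).
Added example for this article, not Atlassian's or Volexity's code.
SAMPLE_LOG below is constructed, not real traffic."""
import re
from urllib.parse import unquote

# Combined log format (Apache/Tomcat/nginx): client, ident, user, [time], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)
# A ${ ... } template in the path, and OGNL's @class@member static-call syntax;
# no legitimate Confluence URL path contains either.
OGNL_TEMPLATE = re.compile(r'\$\{.*\}', re.S)
STATIC_CALL = re.compile(r'@[\w.]+@\w+')

# Constructed sample: two benign requests (one with a harmless "%24" in the
# query string), one single-encoded and one double-encoded OGNL probe.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Jun/2022:14:02:11 +0000] "GET /display/DOCS/Home HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.11 - - [03/Jun/2022:14:02:13 +0000] "GET /dosearchsite.action?queryString=%24100+budget HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Jun/2022:14:02:20 +0000] "GET /%24%7B%28%23a%3D%40java.lang.Runtime%40getRuntime%28%29%29%7D/ HTTP/1.1" 302 0 "-" "curl/7.68.0"
198.51.100.7 - - [03/Jun/2022:14:02:25 +0000] "GET /%2524%257B%2540java.lang.Runtime%2540getRuntime%2528%2529%257D/ HTTP/1.1" 302 0 "-" "python-requests/2.27.1"
"""

def fully_decode(s, rounds=3):
    """Strip up to `rounds` layers of percent-encoding. A rule that looks for a
    literal "${" misses "%24%7B" and the double-encoded "%2524%257B"."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s

def classify(line):
    """Parse one log line; return a dict with an 'ognl' verdict, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group('target').split('?', 1)[0]  # the injection rides in the path, before any '?'
    decoded = fully_decode(path)
    return {
        'client': m.group('client'),
        'ts': m.group('ts'),
        'status': m.group('status'),
        'decoded_path': decoded,
        'ognl': bool(OGNL_TEMPLATE.search(decoded)),
        'static_call': bool(STATIC_CALL.search(decoded)),
    }

def scan(text):
    """Return the records for every line whose path carries an OGNL template."""
    hits = []
    for line in text.splitlines():
        rec = classify(line)
        if rec and rec['ognl']:
            hits.append(rec)
    return hits

if __name__ == '__main__':
    for h in scan(SAMPLE_LOG):
        print(h['ts'], h['client'], h['status'], h['decoded_path'])
```

Run it over a real access log with `scan(open(path).read())`. The query string is deliberately ignored so that ordinary searches containing "$" are not flagged; a double-encoded template is reported even though Confluence would not decode it twice, because a client sending one is probing for exactly this flaw.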

In the intrusion Volexity investigated, the victim had two internet-facing web servers running Atlassian Confluence Server. Both were compromised through this single vulnerability. The attacker used the exploit to run arbitrary commands and to load a copy of the Behinder web shell implant directly into memory, then wrote a custom file upload web shell and a China Chopper command-execution shell to disk as backups, and used this access to exfiltrate arbitrary files. Because the in-memory Behinder implant required no backdoor file on the server, the first stage leaves nothing for a file-based scan to find; detecting it takes process, network, and access-log evidence.

Timeline: over the last weekend of May 2022, Volexity identified the exploitation during an incident response, confirmed it was a zero-day, and notified Atlassian. Atlassian confirmed the vulnerability, assigned CVE-2022-26134, and published its advisory on June 2, 2022. Fixed releases (7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1) followed on June 3, together with a temporary workaround that replaces the xwork and webwork JAR files and the CachedConfigurationProvider class with patched copies. Branches that received no fix (for example 7.12.x or any 6.x) must move to a fixed branch. Every later release carries the fix, but many Confluence servers remain unpatched long after the advisory and are still being scanned and exploited, so upgrade as soon as possible.
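To decide whether a particular instance still needs the upgrade, here is an added example for this article (not Atlassian's tooling) that compares the version string Confluence reports against the fixed releases listed in the advisory. It assumes a plain "major.minor.patch" version string, optionally with a trailing tag, and treats every branch without a patched release as vulnerable, which is how the advisory treats them.

```python
"""Decide whether a Confluence Server / Data Center version is still exposed to
CVE-2022-26134. Added example for this article, not Atlassian's tooling; the
fixed versions are the ones Atlassian's advisory lists for the CVE."""

# First fixed release on each branch Atlassian patched on 3 June 2022.
FIXED = {
    (7, 4): (7, 4, 17),
    (7, 13): (7, 13, 7),
    (7, 14): (7, 14, 3),
    (7, 15): (7, 15, 2),
    (7, 16): (7, 16, 4),
    (7, 17): (7, 17, 4),
    (7, 18): (7, 18, 1),
}
NEWEST_FIX = max(FIXED.values())  # (7, 18, 1): every later branch ships with the fix

def parse_version(s):
    """'7.13.6' -> (7, 13, 6); ignores a trailing tag such as '-rc1' and pads short strings."""
    core = s.strip().split('-', 1)[0]
    parts = [int(p) for p in core.split('.')]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])

def fmt(v):
    return '.'.join(str(n) for n in v)

def assessment(version):
    """Return 'fixed', or a 'vulnerable: ...' string saying where to upgrade to."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED:
        if v >= FIXED[branch]:
            return 'fixed'
        return f'vulnerable: upgrade to {fmt(FIXED[branch])} or later'
    if v > NEWEST_FIX:
        return 'fixed'
    # Branches with no patched release (6.x, 7.0-7.3, 7.5-7.12): the only remedy
    # is moving to a fixed branch, preferably the newest Long Term Support line.
    return 'vulnerable: no fix on this branch, upgrade to a fixed branch (7.13 LTS or later)'

def is_vulnerable(version):
    return assessment(version).startswith('vulnerable')

if __name__ == '__main__':
    for v in ('7.13.6', '7.13.7', '7.12.5', '7.18.1', '8.0.1'):
        print(v, '->', assessment(v))
```

Feed it the version from the Confluence administration console or your asset inventory. The check is deliberately conservative: an unpatched branch is reported as vulnerable even if the instance is only reachable internally, because the flaw needs no credentials and internal attackers or pivoting malware can reach it just as well.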
