Atlassian Warns of Active Exploitation of Unpatched Critical Confluence Flaw


Atlassian has published a security advisory about a new critical flaw impacting its Confluence Server and Data Center products. The company warned IT teams that the security vulnerability could lead to unauthenticated remote code execution (RCE).

The security vulnerability, tracked as CVE-2022-26134, was discovered by the cybersecurity company Volexity. Atlassian released an advisory about the vulnerability on June 2, explaining that it was found in all supported versions of Confluence and Data Center. The flaw is also potentially affecting some unsupported versions of the enterprise solution.

“Atlassian has been made aware of current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server,” the company explained. “We expect that security fixes for supported versions of Confluence will begin to be available for customer download within 24 hours (estimated time, by EOD June 3 PDT).”

According to the security advisory, the remote code execution flaw doesn’t impact Atlassian Cloud sites. This means that all Confluence sites accessed via an domain are not vulnerable.

Atlassian urges IT Pros to block internet access to the Confluence Server and Data Center products

Atlassian has urged IT administrators to either restrict internet access to both products or completely disable instances of Confluence Server and Data Center. If it is not possible, the company recommends customers to configure a Web Application Firewall (WAF) rule, which blocks all URLs containing the ${ string. This implementation may help IT teams to reduce the risk of successful exploitation attempts.

Meanwhile, cybersecurity firm Volexity published a detailed analysis of its research findings yesterday. The investigation indicates that the vulnerability allows hackers to insert Java Server Page (JSP) webshells into a public web directory hosted on Confluence servers. The JSP web shell lets remote hackers run commands on the compromised server.

“The file was a well-known copy of the JSP variant of the China Chopper webshell,” Volexity noted.. “However, a review of the web logs showed that the file had barely been accessed. The webshell appears to have been written as a means of secondary access.”

Security researchers have published a list of IP addresses used by the threat actors to target Atlassian customers. The company has also detailed some Yara rules that should help IT admins to detect web shell activity on Confluence servers, and you can find the details in this blog post.