Zero-day flaw in Atlassian Confluence exploited in the wild since May

Software firm Atlassian released emergency patches for its popular Confluence Server and Data Center products after reports came to light late last week that attackers were exploiting an unpatched vulnerability in the wild. According to data from Cloudflare’s web application firewall (WAF) service, the attacks started in late May.

The vulnerability, now tracked as CVE-2022-26134, is rated critical and allows unauthenticated attackers to gain remote code execution (RCE) on servers hosting the affected Confluence versions. The company urges customers to upgrade to the newly released versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1, depending on which release they use.

Update July 4: Despite the warning to upgrade from Atlassian, threat actors still see  opportunity from the vulnerability according to a June 28 from Akamai. It’s researchers are seeing an average of 20,000 exploitation attempts a day after having peaked at 100,000 a day immediately after the vulnerability was reported. Akamai researchers predicted that this vulnerability will continue to be exploited “for at least the next couple of years.”

Confluence OGNL injection vulnerability

The vulnerability is described as an Object-Graph Navigation Language (OGNL) injection, OGNL being an open-source expression language for getting and setting properties of Java objects. It offers a simpler way of achieving what can be done in Java itself and it is supported in many products.

In fact, OGNL injection is a class of vulnerabilities that has impacted other popular projects in the past. For example, the large 2017 Equifax data breach was caused by an unpatched OGNL injection vulnerability — CVE-2017-5638 — in the popular Apache Struts web application framework. By exploiting such flaws, attackers can trick applications into executing arbitrary code and commands, which was also the case now with this Confluence vulnerability.

Confluence attacks found in the wild

The first report about the vulnerability came on June 2 from security firm Volexity, which discovered it while investigating a security incident at a customer that involved a compromised Confluence Server accessible from the internet. “An initial review of one of the Confluence Server systems quickly identified that a JSP file had been written into a publicly accessible web directory,” the Volexity researchers wrote in a blog post. “The file was a well-known copy of the JSP variant of the China Chopper webshell. However, a review of the web logs showed that the file had barely been accessed. The webshell appears to have been written as a means of secondary access.”

When analyzing a memory dump from the server, the researchers found evidence of the Confluence web application launching bash shells. These are command-line shells in Linux. First the Confluence process spawned a bash process, which then spawned a Python process which in turn spawned a bash shell. This was followed by deploying a publicly available memory-only implant called BEHINDER that has been used in the past on attacks against web servers. The downside of this implant is that it’s not persistent and will disappear if the server is restarted, which is why the attackers opted to write the China Chopper webshell to disk to have a secondary way of accessing and reinfecting the system.

Update July 4: The Akamai report indicates a sevenfold increase in OGNL injection attacks since the Confluence vulnerability was disclosed. Before the disclosure, Akamai’s monitoring was identifying about 790 OGNL injection attempts a day, a number it used as a baseline. That number was at roughly 20,000 a day on average at the time of the report’s release. Successful attempts have injected malware including webshells and cryptominers, primarily affecting commerce, high tech and financial services firms. The three industries make up about 75% of the attack attempts.

Mitigation and response for the Confluence vulnerability

Atlassian reacted quickly to the report and issued an advisory with a WAF rule and temporary workarounds. Customers who cannot perform full version upgrades immediately can upgrade only a few of the impacted files depending on which version they are using.

In a report on June 6, Cloudflare noted that once it added its own WAF rules for this exploit and looked back at historical log data, it saw the first attempts to exploit the vulnerability with valid payloads start on May 26. Other attempts matched the WAF detection rule, but did not have a payload and were more likely scans to test attack vectors. “Exact knowledge of how to exploit the vulnerability may have been consolidated amongst select attackers and may not have been widespread,” the company concluded.

Both the Volexity and the Cloudflare reports contain indicators of compromise. Since the attacks have been going on for two weeks, organizations should analyze their Confluence Servers for signs of intrusion through this vulnerability.