Atlassian has issued emergency patches for the vulnerability, which could allow attackers to perform remote code execution.

Software firm Atlassian released emergency patches for its popular Confluence Server and Data Center products after reports came to light late last week that attackers were exploiting an unpatched vulnerability in the wild. According to data from Cloudflare's web application firewall (WAF) service, the attacks started in late May.

The vulnerability, now tracked as CVE-2022-26134, is rated critical and allows unauthenticated attackers to gain remote code execution (RCE) on servers hosting the affected Confluence versions. The company urges customers to upgrade to the newly released versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1, depending on which release line they use.

Update July 4: Despite Atlassian's warning to upgrade, threat actors still see opportunity in the vulnerability, according to a June 28 report from Akamai. Its researchers are seeing an average of 20,000 exploitation attempts a day, down from a peak of 100,000 a day immediately after the vulnerability was reported. Akamai researchers predicted that the vulnerability will continue to be exploited "for at least the next couple of years."

Confluence OGNL injection vulnerability

The vulnerability is described as an Object-Graph Navigation Language (OGNL) injection. OGNL is an open-source expression language for getting and setting properties of Java objects; it offers a simpler way of achieving what can be done in Java itself and is supported in many products. OGNL injection is a class of vulnerabilities that has affected other popular projects in the past: the large 2017 Equifax data breach was caused by an unpatched OGNL injection vulnerability, CVE-2017-5638, in the popular Apache Struts web application framework.
By exploiting such flaws, attackers can trick applications into executing arbitrary code and commands, which is also the case with this Confluence vulnerability.

Confluence attacks found in the wild

The first report about the vulnerability came on June 2 from security firm Volexity, which discovered it while investigating a security incident at a customer that involved a compromised Confluence Server accessible from the internet. "An initial review of one of the Confluence Server systems quickly identified that a JSP file had been written into a publicly accessible web directory," the Volexity researchers wrote in a blog post. "The file was a well-known copy of the JSP variant of the China Chopper webshell. However, a review of the web logs showed that the file had barely been accessed. The webshell appears to have been written as a means of secondary access."

When analyzing a memory dump from the server, the researchers found evidence of the Confluence web application launching bash shells (command-line shells on Linux). First the Confluence process spawned a bash process, which spawned a Python process, which in turn spawned another bash shell. This was followed by the deployment of BEHINDER, a publicly available memory-only implant that has been used in past attacks against web servers. The downside of such an implant, from the attacker's point of view, is that it is not persistent and disappears when the server is restarted, which is why the attackers also wrote the China Chopper webshell to disk as a secondary way of accessing and reinfecting the system.

Update July 4: The Akamai report indicates a sevenfold increase in OGNL injection attacks since the Confluence vulnerability was disclosed. Before the disclosure, Akamai's monitoring was identifying about 790 OGNL injection attempts a day, a number it used as a baseline. That number was at roughly 20,000 a day on average at the time of the report's release.
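The process chain and the on-disk JSP webshell that Volexity describes above are both things a responder can hunt for on a Confluence host without knowing the exploit details. The following is an added example in Python, not Volexity's or Atlassian's code: it walks a process table for shells whose ancestry runs through the Confluence Java process, and flags JSP files outside a known-good baseline whose source feeds request input into command execution, class loading or file writes. The process snapshot, file listing, paths and the marker list are constructed sample data and heuristics for this example, not indicators taken from either report.

```python
"""Hunt for the two artifacts described in the Volexity write-up: shells
descending from the Confluence Java process, and JSP files that were not part
of the product's own web tree. Added example, not Volexity's or Atlassian's code.
All sample data below is constructed; the process fields mirror the columns
of `ps -eo pid,ppid,comm,args` on Linux."""
import re
from typing import Dict, List, Set, Tuple

# Constructed process table: Confluence (Tomcat) -> bash -> python3 -> bash,
# plus an unrelated administrator login shell under sshd.
SAMPLE_PROCESSES: List[Dict] = [
    {"pid": 1, "ppid": 0, "comm": "systemd", "cmdline": "/sbin/init"},
    {"pid": 1200, "ppid": 1, "comm": "java",
     "cmdline": "/opt/atlassian/confluence/jre/bin/java -Dcatalina.base=/opt/atlassian/confluence "
                "org.apache.catalina.startup.Bootstrap start"},
    {"pid": 3401, "ppid": 1200, "comm": "bash", "cmdline": "/bin/bash -c python3 -c ..."},
    {"pid": 3402, "ppid": 3401, "comm": "python3", "cmdline": "python3 -c ..."},
    {"pid": 3403, "ppid": 3402, "comm": "bash", "cmdline": "/bin/bash -i"},
    {"pid": 2000, "ppid": 1, "comm": "sshd", "cmdline": "sshd: admin [priv]"},
    {"pid": 2001, "ppid": 2000, "comm": "bash", "cmdline": "-bash"},
]

SHELLS = {"bash", "sh", "dash", "zsh"}


def is_confluence(proc: Dict) -> bool:
    """The Confluence web app is a JVM started from the Confluence install path."""
    return proc["comm"] == "java" and "confluence" in proc["cmdline"].lower()


def lineage(procs: List[Dict], pid: int) -> List[Dict]:
    """Follow ppid links from pid to the root; returns the chain root-first.
    The seen-set guards against cycles in a corrupted or hand-edited table."""
    by_pid = {p["pid"]: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def shells_spawned_by_confluence(procs: List[Dict]) -> List[Tuple[int, List[str]]]:
    """Return (pid, comm chain from the Confluence process down) for every shell
    with the Confluence JVM somewhere in its ancestry. A web application has no
    business launching shells, so every hit is worth triage; the chain shows the
    intermediate interpreters (here bash -> python3 -> bash)."""
    hits = []
    for proc in procs:
        if proc["comm"] not in SHELLS:
            continue
        chain = lineage(procs, proc["pid"])
        for i, ancestor in enumerate(chain):
            if is_confluence(ancestor):
                hits.append((proc["pid"], [p["comm"] for p in chain[i:]]))
                break
    return hits


# Webshell heuristics (an assumption of this example, not an indicator from the
# reports): request input reaching command execution, class loading or file writes.
WEBSHELL_MARKERS = [
    re.compile(r"Runtime\.getRuntime\(\)\.exec"),
    re.compile(r"\bProcessBuilder\b"),
    re.compile(r"\bdefineClass\b"),
    re.compile(r"\bFileOutputStream\b"),
]


def score_jsp(source: str) -> int:
    """Number of markers hit, but only when the page also reads request parameters;
    a JSP that never touches request input scores 0 regardless."""
    if "request.getParameter" not in source:
        return 0
    return sum(1 for marker in WEBSHELL_MARKERS if marker.search(source))


def suspicious_jsps(files: Dict[str, str], baseline: Set[str]) -> List[str]:
    """files maps path -> JSP source. Flag paths absent from the known-good
    baseline (e.g. a manifest taken from a clean install of the same version)
    that hit at least one marker."""
    return sorted(path for path, src in files.items()
                  if path not in baseline and score_jsp(src) > 0)


# Constructed web-directory listing: one shipped page and one dropped file.
BASELINE_JSP: Set[str] = {"/opt/atlassian/confluence/confluence/shipped.jsp"}
SAMPLE_JSP_FILES: Dict[str, str] = {
    "/opt/atlassian/confluence/confluence/shipped.jsp":
        '<%@ page contentType="text/html" %><html><body>Shipped page</body></html>',
    "/opt/atlassian/confluence/confluence/dropped.jsp":
        '<% String c = request.getParameter("c"); Runtime.getRuntime().exec(c); %>',
}

if __name__ == "__main__":
    for pid, chain in shells_spawned_by_confluence(SAMPLE_PROCESSES):
        print(f"shell pid {pid}: {' -> '.join(chain)}")
    for path in suspicious_jsps(SAMPLE_JSP_FILES, BASELINE_JSP):
        print(f"suspicious JSP: {path}")
```

On a live host the process table comes from `ps -eo pid,ppid,comm,args` or from EDR telemetry, and the JSP baseline from a clean install of the same Confluence version. The marker list is deliberately short; it is a triage filter for files that should not exist at all, not a webshell classifier, and the memory-only implant Volexity mentions leaves nothing on disk for it to find.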
Akamai also found that successful attempts have injected malware including webshells and cryptominers, primarily affecting commerce, high tech and financial services firms. Those three industries account for about 75% of the attack attempts.

Mitigation and response for the Confluence vulnerability

Atlassian reacted quickly to the report and issued an advisory with a WAF rule and temporary workarounds. Customers who cannot perform a full version upgrade immediately can instead replace only a few of the impacted files, depending on which version they are using.

In a report on June 6, Cloudflare noted that once it had added its own WAF rules for this exploit and looked back at historical log data, it saw the first attempts to exploit the vulnerability with valid payloads on May 26. Other attempts matched the WAF detection rule but carried no payload and were more likely scans probing for the attack vector. "Exact knowledge of how to exploit the vulnerability may have been consolidated amongst select attackers and may not have been widespread," the company concluded.

Both the Volexity and the Cloudflare reports contain indicators of compromise. Since the attacks have been going on for two weeks, organizations should analyze their Confluence Servers for signs of intrusion through this vulnerability.
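The fixed releases Atlassian lists are one per release line, so "am I patched?" is a per-line comparison rather than a single threshold. As an added example, not Atlassian's tooling and not from the advisory, the Python helper below maps an installed Confluence version onto its release line and reports whether the build is at or above the listed fix and which fixed release to move to. The assumption that a build below the fix on its line, or on a line with no listed fix at all, is affected is the helper's own, as are the sample versions it prints.

```python
"""Map an installed Confluence Server/Data Center version onto the fixed
releases Atlassian listed for CVE-2022-26134. Added example, not Atlassian's
tooling. Assumption: a build below the listed fix on its release line, or on a
line with no listed fix, is treated as affected and pointed at the nearest
fixed release above it."""
from typing import List, Tuple

# Fixed releases named in the advisory, one per supported release line.
FIXED_VERSIONS: List[str] = ["7.4.17", "7.13.7", "7.14.3", "7.15.2",
                             "7.16.4", "7.17.4", "7.18.1"]


def parse_version(version: str) -> Tuple[int, ...]:
    """'7.13.7' -> (7, 13, 7). Rejects anything that is not dotted integers so a
    stray suffix or empty inventory field cannot be mis-ranked."""
    parts = version.strip().split(".")
    if not parts or not all(part.isdigit() for part in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(part) for part in parts)


def fmt(version: Tuple[int, ...]) -> str:
    return ".".join(str(n) for n in version)


def assess(installed: str) -> Tuple[str, str]:
    """Return (status, recommended_release).

    status: 'patched'    same line as a listed fix and at or above it
            'vulnerable' below the fix on its line, or on a line with no fix
            'unlisted'   newer than every listed fix; check the vendor advisory
    recommended_release is the fixed version to move to, or '' if none applies."""
    inst = parse_version(installed)
    fixes = sorted(parse_version(v) for v in FIXED_VERSIONS)
    # Same major.minor line as one of the fixed releases: compare within the line.
    for fix in fixes:
        if inst[:2] == fix[:2]:
            return ("patched", "") if inst >= fix else ("vulnerable", fmt(fix))
    if inst > fixes[-1]:
        return "unlisted", ""
    # No fix on this line (e.g. 7.12.x or 6.x): the line predates the fixed
    # releases, so move up to the next fixed line (assumption noted above).
    next_fix = min(fix for fix in fixes if fix > inst)
    return "vulnerable", fmt(next_fix)


if __name__ == "__main__":
    for v in ["7.13.6", "7.13.7", "7.12.3", "7.18.2", "7.19.0"]:
        print(v, *assess(v))
```

Feed it the version string from each instance's inventory record; a release newer than every listed fix comes back as `unlisted` rather than `patched` on purpose, because this list only covers the releases the advisory names.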