INVESTIGATING: Zero-Day in Atlassian Confluence Exploited in the Wild (CVE-2022-26134)
The Security Response Team (SRT) is aware of a newly disclosed zero-day vulnerability in Atlassian Confluence. Tenable product coverage is being investigated and we will publish a follow-up with more information.
What happened?
On June 2, Atlassian published an advisory for CVE-2022-26134, a zero-day remote code execution vulnerability in Confluence Server and Data Center.
How severe is this vulnerability?
It was given a critical rating by Atlassian. Based on Atlassian’s severity level ratings, this places the vulnerability at a CVSSv3 score between 9.0 and 10.0.
How can an attacker exploit this vulnerability?
While exploitation details have not been made public, based on historical vulnerabilities of a similar nature, an attacker could exploit this flaw by sending a specially crafted request to a vulnerable Confluence Server or Data Center instance that is publicly accessible over the internet.
Has this vulnerability been exploited?
Yes. In its advisory, Atlassian says there is known exploitation of this vulnerability against Confluence Server version 7.18.0.
Is 7.18.0 the only affected version?
No, Atlassian says that additional testing confirmed Confluence Server and Data Center versions >= 7.4.0 are “potentially vulnerable.”
Is a patch available?
No, a patch for this vulnerability is not available at this time.
What can we do to protect against this vulnerability?
Organizations that use Confluence Server and Data Center may consider the following options to mitigate this threat:
- Restrict Confluence Server and Data Center instances from the internet (e.g. place them behind a VPN)
- Disable Confluence Server and Data Center instances
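As an added example (not code from this post or from any Tenable or Atlassian product), the following script triages a constructed Confluence inventory against the affected range Atlassian stated (>= 7.4.0, with 7.18.0 cited as actively exploited) and flags internet-exposed instances for the mitigations above. The inventory format and hostnames are assumptions made up for the example; the advisory says nothing about versions below 7.4.0, so those are reported as outside the stated range rather than as safe.

```python
# Added example: triage Confluence instances against the CVE-2022-26134 advisory range.
# Assumptions: inventory format and hostnames below are constructed for this example.
import re
from typing import Dict, List, Tuple

KNOWN_EXPLOITED = (7, 18, 0)        # version Atlassian cited as having known exploitation
POTENTIALLY_VULN_FROM = (7, 4, 0)   # lower bound of "potentially vulnerable" per Atlassian

def parse_version(s: str) -> Tuple[int, int, int]:
    """Turn '7.18.0' into (7, 18, 0). Numeric tuples are essential: a plain string
    comparison ranks '7.18.0' *below* '7.4.0' and would mis-triage fleets."""
    nums = []
    for part in s.strip().split(".")[:3]:
        m = re.match(r"\d+", part)          # tolerate suffixes such as '0-beta'
        nums.append(int(m.group()) if m else 0)
    while len(nums) < 3:                    # pad '7.18' to '7.18.0'
        nums.append(0)
    return nums[0], nums[1], nums[2]

def classify(version: str, internet_exposed: bool) -> str:
    v = parse_version(version)
    if v == KNOWN_EXPLOITED:
        status = "KNOWN_EXPLOITED"
    elif v >= POTENTIALLY_VULN_FROM:
        status = "POTENTIALLY_VULNERABLE"
    else:
        # The advisory does not clear older versions; report them as unconfirmed, not safe.
        status = "BELOW_STATED_RANGE"
    if status != "BELOW_STATED_RANGE" and internet_exposed:
        status += "/INTERNET_EXPOSED"       # candidate for VPN restriction or disabling
    return status

def triage(inventory: List[Dict]) -> Dict[str, str]:
    return {h["host"]: classify(h["version"], h["internet_exposed"]) for h in inventory}

# Constructed sample inventory (placeholder hostnames, not real systems).
SAMPLE_INVENTORY = [
    {"host": "wiki-prod.example.internal", "version": "7.18.0", "internet_exposed": True},
    {"host": "wiki-dc.example.internal", "version": "7.13.4", "internet_exposed": False},
    {"host": "wiki-old.example.internal", "version": "7.3.5", "internet_exposed": True},
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```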
Who disclosed this vulnerability?
It has been credited to Volexity, which published a blog post about the vulnerability earlier today.
When was it discovered?
Volexity says it discovered exploitation of this vulnerability over the Memorial Day weekend during an incident response investigation.
Are there any indicators of compromise available?
Yes, Volexity shared a number of network indicators and indicators of compromise (IoCs) including hunting rules to help defenders identify possible exploitation.
Do we know who is exploiting this flaw?
Volexity believes this vulnerability is being exploited by “multiple threat actors” that are likely based out of China.
Is there a proof-of-concept (PoC) available for this vulnerability?
At the time this post was published, no PoC exploit code was available for this vulnerability.
Does Tenable have any product coverage for this vulnerability?
While there is currently no patch available for this vulnerability, Tenable is investigating product coverage and will provide an update once we have more information to share.
4 Replies
So all versions of Confluence Server and Confluence Data Center are vulnerable. I am not too familiar with the Confluence product line. Does Confluence Jira fall into these vulnerable versions?
- snarang (Product Team)
Hi @Andrew Ambrosia,
From my understanding, Confluence Jira is not affected. Only Confluence Server and Data Center are affected.
- charles_paxton (Connect Contributor)
Has there been a plugin published for this?
- snarang (Product Team)
Hi @Charles Paxton,
We were waiting for patches to become available, which were just released an hour ago. Our teams are hard at work and we anticipate a plugin will be available later today.