Threat actors are using public exploits to attack a critical zero-day remote code execution (RCE) flaw that affects all versions of a popular tool used in cloud and hybrid server environments and allows for complete host takeover.
The vulnerability remains unpatched on many versions of the tool and has the potential to create a SolarWinds-type situation.
Researchers from Volexity found the issue in Atlassian Confluence Server and Data Center software over the US Memorial Day weekend after they detected suspicious activity on two internet-facing web servers belonging to a customer running the software, they stated in a blog post published last week.
OGNL Injection Vulnerability
The researchers traced the activity to a public exploit for the vulnerability, CVE-2022-26134, that has been spreading fast, and then reported the issue to Atlassian.
As seen by Volexity researchers, what is being described as an “OGNL injection vulnerability” appears to allow a Java Server Page (JSP) web shell to be written into a publicly accessible web directory on Confluence software.
“The file was a well-known copy of the JSP variant of the China Chopper web shell,” researchers wrote. “However, a review of the web logs showed that the file had barely been accessed. The web shell seems to have been written as a means of secondary access.”
Atlassian released a security advisory the same day that Volexity went public with the problem, warning customers that all supported versions of Confluence Server and Data Center after version 1.3.0 were affected and that no updates were available. This prompted the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to issue a warning of its own about the issue.
A day later, Atlassian released an update that fixes the issue in the following versions of the affected products: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1, and it is strongly recommending that customers update as soon as they can. Where that is not possible, the advisory provides what the company describes as a “temporary” workaround: updating a list of specific files that relate to specific versions of the product.
Meanwhile, the situation is quickly becoming one that security professionals warned could reach ‘epic proportions,’ with exploits surfacing daily and hundreds of unique IP addresses already exploiting the vulnerability. Many versions of the affected products also remain unpatched, compounding the danger.
“CVE-2022-26134 is about as bad as it gets,” observed Naveen Sunkavalley, Chief Architect of security firm Horizon3.ai. The key issues are that the vulnerability is quite easy both to find and to exploit, with the latter possible using a single HTTP GET request, he said.
Arbitrary Command Execution
In addition, the recently released public exploits let attackers leverage the flaw for arbitrary command execution and full host takeover against a number of Confluence versions, including the latest unpatched version, 7.18.0, according to tests that Horizon3.ai has conducted, Sunkavalley said.
Twitter was ‘exploding’ over the weekend with discussions about public exploits for the vulnerability. On Saturday, Andrew Morris, CEO of cybersecurity firm GreyNoise, tweeted that the company had begun to see 23 unique IP addresses exploiting the Atlassian vulnerability.
Unique IP Addresses
On Monday, Morris tweeted again that the number of unique IP addresses attempting to exploit the issue had risen to 400 in just a day.
Sunkavalley explained that the clearest effect of the vulnerability is that attackers can easily compromise public-facing Confluence instances to gain a ‘foothold’ into internal networks, and then move on from there to cause further damage.
“Confluence instances often contain a wealth of user data and business-critical information that is valuable for attackers moving laterally within internal networks,” Sunkavalley suggested.
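As an added illustration of the web-log review described above (this is not code from Volexity, Horizon3.ai or Atlassian), the following Python triage script scans access-log lines for two defender-side indicators the article mentions: a request path carrying an OGNL expression marker, and a request for a JSP file in a web-served directory, then counts unique source IPs per indicator. The log format, the “${” heuristic, the JSP check and the sample lines are assumptions and constructed data.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumed combined-log-format line: client IP ... "METHOD PATH PROTO" STATUS ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(path):
    """Return triage tags for one request path.
    Assumption: OGNL expressions are delimited by ${...}, so a '${' anywhere in
    the (possibly double-encoded) URI is a strong signal; a request for a .jsp
    file is suspicious where the application normally serves none."""
    decoded = unquote(unquote(path))  # handle percent-encoding applied twice
    tags = []
    if "${" in decoded:
        tags.append("ognl_marker")
    if re.search(r"\.jsp(\?|$)", decoded, re.IGNORECASE):
        tags.append("jsp_request")
    return tags

def triage(lines):
    """Parse log lines and return {tag: {source_ip: hit_count}}."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        for tag in classify(m["path"]):
            hits[tag][m["ip"]] += 1
    return {tag: dict(ips) for tag, ips in hits.items()}

def unique_ips(report, tag):
    """Number of distinct source IPs that triggered a given tag."""
    return len(report.get(tag, {}))

# Constructed sample lines (not real traffic); IPs are documentation-range placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Jun/2022:10:01:02 +0000] "GET /index.action HTTP/1.1" 200 512',
    '192.0.2.11 - - [04/Jun/2022:10:01:05 +0000] "GET /%24%7Bconstructed%7D/ HTTP/1.1" 302 0',
    '192.0.2.12 - - [04/Jun/2022:10:01:09 +0000] "GET /${constructed}/ HTTP/1.1" 302 0',
    '192.0.2.11 - - [04/Jun/2022:10:05:00 +0000] "GET /constructed/dir/webshell.jsp HTTP/1.1" 200 64',
    '198.51.100.7 - - [04/Jun/2022:10:06:00 +0000] "POST /login.action HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for tag, ips in report.items():
        print(f"{tag}: {len(ips)} unique IP(s) -> {ips}")
```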
A New SolarWinds 2.0
In addition, the vulnerability is a source-code issue, and attacks at this level “are some of the most effective and long-reaching attacks on the IT ecosystem,” observed Garret Grajek, CEO of security firm YouAttest.
The now-infamous SolarWinds supply-chain attack that started in December 2020 and extended into 2021 was an example of the level of damage and size of threat that embedded malware can have, and the Confluence bug has the potential to create a similar situation, he commented.
“By attacking the source code base the hackers are able to manipulate the code to become, in fact, agents of the hacking enterprise, cryptographically registered as legitimate components on the IT system,” Grajek stated.
So, it is “imperative that enterprises review their code and most importantly the identities that have control of the source system, like Atlassian, to ensure restrictive and legitimate access to their vital code bases,” he concluded.