Exploit released for Atlassian Confluence RCE bug, update now

Jun 6, 2022 | News


Proof-of-concept exploits for the actively exploited critical CVE-2022-26134 vulnerability impacting Atlassian Confluence and Data Center servers have been widely released this weekend.

The vulnerability, tracked as CVE-2022-26134, is a critical unauthenticated remote code execution flaw exploited through OGNL injection, and it impacts all Atlassian Confluence and Data Center 2016 servers after version 1.3.0.

Successful exploitation allows unauthenticated, remote attackers to create new admin accounts, execute commands, and ultimately take over the server.

The vulnerability was disclosed last week after Volexity discovered it was used by multiple threat actors in attacks. At the time, a patch was not available, and Atlassian advised admins to take servers offline or block them from being accessible from the Internet.

On Friday, Atlassian released security updates to fix the vulnerability just as attacks escalated in the wild.

Confluence exploits publicly released

Friday afternoon, a proof-of-concept exploit for the Atlassian Confluence vulnerability was publicly posted. The exploit soon spread widely online over the weekend, with researchers sharing examples on Twitter of how trivial it was to exploit.

Yesterday afternoon, Andrew Morris, the CEO of cybersecurity firm GreyNoise, tweeted that they had begun to see 23 unique IP addresses exploiting the Atlassian vulnerability.

Today, GreyNoise reports that the number of unique IP addresses attempting to exploit this vulnerability has grown almost ten times, to 211 unique IP addresses.

[Chart: GreyNoise chart showing increasing Confluence attacks. Source: GreyNoise]

Confluence exploits posted online demonstrate how to create new admin accounts, force DNS requests, gather information, and generate reverse shells.

Patch your Confluence servers now

If you haven’t yet patched the security vulnerability in your Confluence or Data Center servers, you should do so immediately before threat actors compromise them.

“Released versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1 which contain a fix for this issue,” explains the Atlassian advisory.

If, for some reason, you are unable to patch your servers immediately, Atlassian has provided mitigations for Confluence 7.0.0 through version 7.18.0.
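As an added example (not code from the article or from Atlassian), the following script turns the fixed-version list quoted above and the mitigation range into a triage check that an administrator can run against the versions reported by their Confluence inventory. It assumes only what the article states: versions after 1.3.0 are affected, the listed releases carry the fix, and mitigations exist for 7.0.0 through 7.18.0. Branches that have no fixed release (for example 7.12.x) are reported as needing an upgrade to a fixed branch; the version strings in the demo are constructed sample input.

```python
"""Triage Confluence versions against the CVE-2022-26134 advisory data."""
from __future__ import annotations

# Fixed releases quoted from the Atlassian advisory in the article,
# keyed by (major, minor) release branch.
FIXED_VERSIONS = {
    (7, 4): (7, 4, 17),
    (7, 13): (7, 13, 7),
    (7, 14): (7, 14, 3),
    (7, 15): (7, 15, 2),
    (7, 16): (7, 16, 4),
    (7, 17): (7, 17, 4),
    (7, 18): (7, 18, 1),
}

# The article says versions after 1.3.0 are affected; this check treats 1.3.0
# itself as affected too (a conservative assumption, not a statement from the page).
FIRST_AFFECTED = (1, 3, 0)

# Range for which the article says Atlassian published interim mitigations.
MITIGATION_RANGE = ((7, 0, 0), (7, 18, 0))


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' (e.g. '7.13.6') into a comparable tuple.

    A suffix such as '-rc1' is dropped; missing components default to 0.
    """
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def assess(version: str) -> str:
    """Classify a version as 'not affected', 'fixed', or 'vulnerable: ...'."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return "not affected (before the first affected release)"
    fixed = FIXED_VERSIONS.get((v[0], v[1]))
    if fixed is not None and v >= fixed:
        return "fixed"
    if fixed is not None:
        return "vulnerable: upgrade to " + ".".join(map(str, fixed))
    # No fixed release exists on this branch, so the host must move to a
    # fixed branch; the newest fixed release is the natural target.
    newest = ".".join(map(str, max(FIXED_VERSIONS.values())))
    return f"vulnerable: no fixed release on this branch, upgrade to {newest} or later"


def mitigation_available(version: str) -> bool:
    """True if the interim mitigation applies (7.0.0 through 7.18.0 inclusive)."""
    low, high = MITIGATION_RANGE
    return low <= parse_version(version) <= high


if __name__ == "__main__":
    # Constructed sample inventory, one version string per host.
    inventory = {
        "wiki-01": "7.13.6",
        "wiki-02": "7.13.7",
        "wiki-03": "7.12.5",
        "wiki-04": "7.18.0",
        "legacy": "1.2.3",
    }
    for host, ver in inventory.items():
        verdict = assess(ver)
        note = ""
        if verdict.startswith("vulnerable"):
            note = " (interim mitigation available)" if mitigation_available(ver) else " (no interim mitigation: upgrade or take offline)"
        print(f"{host:8} {ver:8} {verdict}{note}")
```

Run it as-is to see the constructed sample, or replace the `inventory` dictionary with versions pulled from your own asset list. Hosts that come back "vulnerable" with no mitigation available correspond to the article's third option, taking the server offline, until it can be upgraded.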

As Confluence servers are an attractive target for initial access to a corporate network, devices should be updated immediately, mitigated, or taken offline.

Not doing so will ultimately lead to more significant attacks, including ransomware deployment and data theft.

Source: bleepingcomputer.com
