New Zero-day RCE Vulnerability Uncovered in Atlassian Confluence

CVE-2022-26134 - Critical severity unauthenticated remote code execution vulnerability in Confluence Server and Data Center



Update (10:30 am IST):

    • Affected version Section
    • Workarounds
Update (8:00 pm IST)

Researchers from the cyber security firm Volexity have discovered an unauthenticated remote code execution bug that impacts fully up-to-date versions of Confluence Server.

The flaw, now tracked as CVE-2022-26134, was reported to the Atlassian security team and acknowledged by them on May 31. Volexity describes it as a zero-day bug affecting current versions of Confluence Server and Data Center. Volexity said it does not plan to release proof-of-concept (PoC) code for the exploit, as there is no official patch or workaround yet available from Atlassian. Atlassian has, however, released an advisory.

Vulnerability Details and Analysis

The Volexity team found the flaw last weekend after noticing suspicious activity on servers running Atlassian Confluence Server software. The team conducted its investigation after discovering JSP webshells on the server disk, one of which was a copy of the JSP variant of the China Chopper webshell. Later, the team was able to determine that the server compromise stemmed from an attacker launching an exploit to achieve remote code execution.

During the investigation, Volexity identified bash shells being launched by the Confluence web application process. This stood out because the process had spawned a bash process, which spawned a Python process, which in turn spawned a bash shell.

Volexity noted that CVE-2022-26134 appears to be another command injection vulnerability, and that this type of vulnerability is severe and needs significant attention.

"Volexity believes the attacker launched a single exploit attempt at each of the Confluence Server systems, which in turn loaded a malicious class file in memory. This allowed the attacker to effectively have a webshell they could interact with through subsequent requests. The benefit of such an attack allowed the attacker to not have to continuously re-exploit the server and to execute commands without writing a backdoor file to disk." - they further added.

Affected Versions

Because this is a zero-day vulnerability impacting fully up-to-date versions of Confluence Server, Volexity has not been able to fully enumerate all affected versions, but it was able to verify that the exploit works on all LTS versions and other current versions such as 7.17.3. It is likely that all current versions of the product are impacted. Atlassian's advisory states that subsequent testing indicates that versions of Confluence Server and Data Center >= 7.4.0 are potentially vulnerable.

Atlassian confirmed that all Confluence Server and Data Center supported versions are affected.

After successfully exploiting the vulnerability, the attacker immediately deployed an in-memory copy of the BEHINDER implant. BEHINDER provides very powerful capabilities to attackers, including memory-only webshells and built-in support for interaction with Meterpreter and Cobalt Strike. As previously noted, this method of deployment has the significant advantage of not writing files to disk. At the same time, it does not allow persistence, which means a reboot or service restart will wipe it out.

Once BEHINDER was deployed, the attacker used the in-memory webshell to deploy two additional webshells to disk.

What to do Now?

There are currently no fixed versions of Confluence Server and Data Center available. In the interim, customers should work with their security team to consider the best course of action. 

Workarounds from Atlassian

Options to consider include:

  • Restricting access to Confluence Server and Data Center instances from the internet.
  • Disabling Confluence Server and Data Center instances.

If you are unable to take the above actions, implementing a WAF (Web Application Firewall) rule that blocks URLs containing ${ may reduce your risk.
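The same ${ marker can be used to review existing access logs. The following is an added example, not code from Atlassian, Volexity or the original article: it percent-decodes each request target before matching, so encoded forms such as %24%7B are caught as well. The log format (combined access log), the sample lines and the PLACEHOLDER values are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request line inside a combined-format access log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def fully_decode(target, max_rounds=3):
    """Percent-decode repeatedly so %24%7B and %2524%257B both become ${."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def is_suspicious(target):
    """True when the decoded request target contains the ${ sequence."""
    return "${" in fully_decode(target)


def scan(lines):
    """Return (line_number, client_ip, decoded_target) for each matching request."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match and is_suspicious(match.group("target")):
            client_ip = line.split(" ", 1)[0]
            hits.append((number, client_ip, fully_decode(match.group("target"))))
    return hits


# Constructed sample log lines (documentation IP ranges, placeholder values only).
SAMPLE_LOG = [
    '198.51.100.7 - - [03/Jun/2022:10:01:02 +0000] "GET /dashboard.action HTTP/1.1" 200 5120',
    '203.0.113.9 - - [03/Jun/2022:10:01:05 +0000] "GET /%24%7BPLACEHOLDER%7D/ HTTP/1.1" 302 0',
    '203.0.113.9 - - [03/Jun/2022:10:01:09 +0000] "GET /%2524%257BPLACEHOLDER%257D/ HTTP/1.1" 404 0',
    '198.51.100.7 - - [03/Jun/2022:10:02:00 +0000] "GET /pages/viewpage.action?pageId=1 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, ip, target in scan(SAMPLE_LOG):
        print(f"line {number}: {ip} requested {target}")
```

A WAF rule that matches only the literal ${ bytes misses the encoded variants if the WAF inspects the raw URL, so check which form your WAF normalizes before relying on the rule.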

Apart from this, Volexity recommends the following:

  • In lieu of a patch, consider blocking external access to Internet-facing Confluence Server and Data Center systems.
  • Ensure Internet-facing web services have robust monitoring capabilities and log retention policies to assist in the event of an incident.
  • Send relevant log files from Internet-facing web servers to a SIEM or Syslog server.
  • Monitor child processes of web application processes for suspicious processes (in this case, the Python shell is a good example of this).
  • If possible, implement IP address access control lists (ACLs) in order to restrict access to Internet-facing systems.
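The child-process recommendation above can be expressed as a check over process-creation records. This is an added example, not Volexity's tooling or code from the original article: it flags shells and interpreters that descend from the web application process, reproducing the bash, Python, bash chain described earlier. The record format, the pids, the "java" process name for the Confluence JVM and the list of suspicious names are assumptions, and the sample events are constructed.

```python
# Shells and interpreters a Java web application rarely needs to spawn (assumed list).
SUSPICIOUS_NAMES = {"sh", "bash", "dash", "python", "python3", "perl"}


def ancestors(pid, index):
    """Return [(pid, name), ...] from the process itself up to the oldest known parent."""
    chain, seen = [], set()
    while pid in index and pid not in seen:  # 'seen' guards against pid-reuse loops
        seen.add(pid)
        chain.append((pid, index[pid]["name"]))
        pid = index[pid]["ppid"]
    return chain


def find_suspicious_descendants(events, web_app_pids):
    """Flag suspicious processes whose ancestry includes a web application pid."""
    index = {e["pid"]: e for e in events}
    alerts = []
    for event in events:
        if event["name"] not in SUSPICIOUS_NAMES:
            continue
        chain = ancestors(event["pid"], index)
        # chain[0] is the process itself; only its parents decide the match.
        if any(pid in web_app_pids for pid, _ in chain[1:]):
            path = " > ".join(name for _, name in reversed(chain))
            alerts.append((event["pid"], path))
    return alerts


# Constructed process-creation records (for example, exported from audit or EDR logs).
SAMPLE_EVENTS = [
    {"pid": 1, "ppid": 0, "name": "systemd"},
    {"pid": 900, "ppid": 1, "name": "java"},       # assumed Confluence JVM
    {"pid": 4101, "ppid": 900, "name": "bash"},
    {"pid": 4102, "ppid": 4101, "name": "python"},
    {"pid": 4103, "ppid": 4102, "name": "bash"},
    {"pid": 700, "ppid": 1, "name": "sshd"},
    {"pid": 5001, "ppid": 700, "name": "bash"},    # administrator login shell, unrelated
]

if __name__ == "__main__":
    for pid, path in find_suspicious_descendants(SAMPLE_EVENTS, web_app_pids={900}):
        print(f"pid {pid}: {path}")
```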

At the time of writing, we have not found any publicly available PoC. Malicious actors are already exploiting this vulnerability, so we recommend following the above workarounds and continuing to monitor servers running Confluence software.

PoC Exploit released

A blog post from the Rapid7 team, which details the root cause of the bug, states that it was an OGNL injection vulnerability affecting Atlassian Confluence Server and Data Center versions <= 7.13.6 LTS and <= 7.18.0 "Latest". 

You can read the Rapid7 post for more details on the bug. A proof-of-concept titled "Through the Wire" has also been released on GitHub.