ARN

Zero-day flaw in Atlassian Confluence exploited in the wild since May

Atlassian has issued emergency patches for the vulnerability, which could allow attackers to perform remote code execution.

Software firm Atlassian has released emergency patches for its popular Confluence Server and Data Centre products after reports came to light late last week that attackers were exploiting an unpatched vulnerability in the wild.

According to data from Cloudflare's web application firewall (WAF) service, the attacks started almost two weeks ago.

The vulnerability, now tracked as CVE-2022-26134, is rated critical and allows unauthenticated attackers to gain remote code execution (RCE) on servers hosting the affected Confluence versions. The vendor urges customers to upgrade to the newly released versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1, depending on which release they use.

Confluence OGNL injection vulnerability

The vulnerability is described as an Object-Graph Navigation Language (OGNL) injection. OGNL is an open source expression language for getting and setting properties of Java objects: it gives a compact syntax for things that would otherwise need Java code, and it is embedded in many Java frameworks and products. Because an OGNL expression can also call Java methods, including static ones, any path that lets untrusted input reach the OGNL evaluator lets an attacker run code of their choosing.

OGNL injection is a class of vulnerability that has hit other popular projects before. The large 2017 Equifax data breach was caused by an unpatched OGNL injection flaw (CVE-2017-5638) in the widely used Apache Struts web application framework.

By exploiting such flaws, attackers can trick applications into executing arbitrary code and commands, which is exactly what this Confluence vulnerability allows.
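As an added illustration of the vulnerability class (Python standing in for OGNL; this is not Confluence or Atlassian code and does not describe Atlassian's patch): a template renderer that hands each `${...}` to the language's own evaluator, beside one that only resolves dotted property paths. The `Page` class, the templates and the hostile input are all constructed for the example.

```python
import re

# Delimiters of an embedded expression, the same shape OGNL-based templating uses.
EXPR = re.compile(r"\$\{(?P<body>[^}]*)\}")
# A dotted property path: identifiers joined by '.', nothing else.
PATH = re.compile(r"[A-Za-z_]\w*(\.[A-Za-z_]\w*)*")


class Page:
    """Constructed stand-in for the object graph a template renders from."""

    def __init__(self, title, owner):
        self.title = title
        self.owner = owner


def render_vulnerable(template, root):
    """Evaluate each ${...} with the runtime's evaluator (eval, the Python
    analogue of an OGNL evaluator that can reach Java classes). Whoever controls
    the template text controls what is evaluated: the runtime, not just the
    object graph, is reachable."""
    return EXPR.sub(lambda m: str(eval(m.group("body"), {}, dict(root))), template)


def render_hardened(template, root):
    """Accept only a dotted property path and walk it with attribute lookups.
    There is no evaluator in the path, so there is nothing to inject into."""

    def resolve(match):
        path = match.group("body").strip()
        parts = path.split(".")
        if not PATH.fullmatch(path) or any(p.startswith("_") for p in parts):
            raise ValueError(f"rejected expression {path!r}")
        value = root[parts[0]]
        for attr in parts[1:]:
            value = getattr(value, attr)
        return str(value)

    return EXPR.sub(resolve, template)


def demo():
    """Render a benign template and a hostile one through both renderers."""
    root = {"page": Page("Home", "alice")}
    benign = "Page ${page.title} is owned by ${page.owner}"
    # Constructed attacker-controlled input. It never touches the object graph;
    # it reaches the runtime (os.getpid, chosen because it is side-effect free;
    # any other callable is equally reachable through the same path).
    hostile = "${__import__('os').getpid() > 0}"
    results = {
        "benign_vulnerable": render_vulnerable(benign, root),
        "benign_hardened": render_hardened(benign, root),
        "hostile_vulnerable": render_vulnerable(hostile, root),
    }
    try:
        results["hostile_hardened"] = render_hardened(hostile, root)
    except ValueError as err:
        results["hostile_hardened"] = str(err)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The hardened renderer still allows any non-underscore attribute on the objects it is given; a production version would enumerate the properties a template may read rather than rely on `getattr`. The point it makes stands either way: the fix for this class is to keep untrusted text away from the evaluator, not to filter strings on the way in.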

Confluence attacks found in the wild

The first report about the vulnerability came on June 2 from security firm Volexity, which discovered it while investigating a security incident at a customer that involved a compromised Confluence Server accessible from the internet. 

"An initial review of one of the Confluence Server systems quickly identified that a JSP file had been written into a publicly accessible web directory," the Volexity researchers wrote in a blog post. 

"The file was a well-known copy of the JSP variant of the China Chopper webshell. However, a review of the web logs showed that the file had barely been accessed. The webshell appears to have been written as a means of secondary access."

Analysing a memory dump from the server, the researchers found evidence of the Confluence web application launching bash shells (the standard command-line shell on Linux). The Confluence process first spawned a bash process, which spawned a Python process, which in turn spawned another bash shell.

The attackers then deployed BEHINDER, a publicly available memory-only implant that has been used in earlier attacks against web servers. Because it lives only in memory it does not survive a restart of the server, which is why the attackers also wrote the China Chopper webshell to disk as a secondary way of getting back in and reinfecting the system.
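The two host artefacts Volexity describes, a JSP written into a web-accessible directory and shell processes descending from the Confluence Java process, can be checked for directly. The following is an added Python example, not Volexity's or Atlassian's tooling. The process listing and file listing are constructed to mirror the chain the researchers describe, with command arguments left out, and the `/opt/atlassian/confluence` paths are an assumption about a typical Linux install.

```python
import calendar
import os

# Constructed 'ps -eo pid,ppid,args' output mirroring the chain in the report:
# the Confluence Java process spawns bash, which spawns python, which spawns bash.
# Command arguments are omitted; the sshd-launched shell is a benign control.
SAMPLE_PS = """\
  PID  PPID COMMAND
    1     0 /sbin/init
 1234     1 /opt/atlassian/confluence/jre/bin/java -Dconfluence.home=/var/atlassian/application-data/confluence org.apache.catalina.startup.Bootstrap start
 2001  1234 bash
 2002  2001 python3
 2003  2002 bash
 2100     1 /usr/sbin/sshd -D
 2101  2100 bash
"""

# Constructed (path, mtime) listing of a Confluence web root: install-time files
# dated 2022-01-01 and one file dropped on 2022-06-01.
INSTALL_TIME = calendar.timegm((2022, 1, 1, 0, 0, 0))
DROP_TIME = calendar.timegm((2022, 6, 1, 4, 12, 0))
SAMPLE_LISTING = [
    ("/opt/atlassian/confluence/confluence/index.jsp", INSTALL_TIME),
    ("/opt/atlassian/confluence/confluence/images/logo.png", DROP_TIME),
    ("/opt/atlassian/confluence/confluence/noop.jsp", DROP_TIME),
]
# Earliest exploitation Cloudflare observed (26 May 2022), used as the cut-off.
FIRST_SEEN = calendar.timegm((2022, 5, 26, 0, 0, 0))

SHELLS = {"bash", "sh", "dash", "zsh", "python", "python2", "python3", "perl"}


def parse_ps(text):
    """Map pid -> (ppid, command) from 'pid ppid args' lines; skips the header."""
    procs = {}
    for line in text.splitlines():
        fields = line.split(None, 2)
        if len(fields) < 3 or not fields[0].isdigit():
            continue
        procs[int(fields[0])] = (int(fields[1]), fields[2])
    return procs


def is_confluence(cmd):
    exe = os.path.basename(cmd.split()[0])
    return exe == "java" and "confluence" in cmd.lower()


def shells_under_confluence(procs):
    """Return one ancestry chain (Confluence java -> ... -> shell) per shell or
    interpreter that descends from the Confluence Java process."""
    chains = []
    for pid, (ppid, cmd) in procs.items():
        if os.path.basename(cmd.split()[0]) not in SHELLS:
            continue
        chain, cur, seen = [cmd], ppid, set()
        while cur in procs and cur not in seen:
            seen.add(cur)
            parent_ppid, parent_cmd = procs[cur]
            chain.append(parent_cmd)
            if is_confluence(parent_cmd):
                chains.append(list(reversed(chain)))
                break
            cur = parent_ppid
    return chains


def recent_jsp_files(listing, since):
    """Return (path, mtime) for JSP files modified at or after 'since'."""
    return sorted(
        (path, mtime)
        for path, mtime in listing
        if path.lower().endswith((".jsp", ".jspx")) and mtime >= since
    )


def walk_with_mtime(root):
    """Live equivalent of SAMPLE_LISTING: yield (path, mtime) for files under root."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                yield full, os.stat(full).st_mtime
            except OSError:
                continue


if __name__ == "__main__":
    for chain in shells_under_confluence(parse_ps(SAMPLE_PS)):
        print(" -> ".join(c.split()[0] for c in chain))
    for path, _ in recent_jsp_files(SAMPLE_LISTING, FIRST_SEEN):
        print("new JSP:", path)
```

On a live host, feed `parse_ps` the output of `ps -eo pid,ppid,args` and `recent_jsp_files` the generator from `walk_with_mtime` over the Confluence web root. A process chain is strong evidence only while the attacker is active; the JSP check works after the fact, which is why the on-disk webshell matters more for retrospective triage than the memory-only implant.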

Mitigation and response for the Confluence vulnerability

Atlassian reacted quickly to the report and issued an advisory with a WAF rule and temporary workarounds. Customers who cannot perform a full version upgrade immediately can instead replace a small number of affected files with patched versions, which files depending on the version they run.

In a report on June 6, Cloudflare noted that once it added its own WAF rules for this exploit and looked back at historical log data, it saw the first attempts to exploit the vulnerability with valid payloads start on May 26. 

Other attempts matched the WAF detection rule, but did not have a payload and were more likely scans to test attack vectors. "Exact knowledge of how to exploit the vulnerability may have been consolidated amongst select attackers and may not have been widespread," the company concluded.
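The distinction Cloudflare draws, requests that match the rule but carry no payload versus requests with a working expression, can be reproduced over your own access logs. The script below is an added example, not Cloudflare's rule or anything from Atlassian. The page does not give the request format, so it assumes the expression arrives as an OGNL-style `${...}` somewhere in the request URI, possibly URL-encoded, and it treats an empty or arithmetic-only body as a probe and a body containing a method call or an `@class@member` static reference as a payload. The log lines are constructed, with a placeholder expression rather than a real exploit string.

```python
import re
from datetime import datetime
from urllib.parse import unquote

# Constructed access-log lines (combined log format). The ${...} bodies are
# placeholders, not a working exploit; the last line is double URL-encoded.
SAMPLE_LOG = """\
198.51.100.7 - - [25/May/2022:22:01:55 +0000] "GET /${}/ HTTP/1.1" 302 0 "-" "curl/7.68.0"
198.51.100.7 - - [25/May/2022:22:02:10 +0000] "GET /%24%7B7*7%7D/ HTTP/1.1" 302 0 "-" "curl/7.68.0"
203.0.113.10 - - [26/May/2022:03:14:07 +0000] "GET /${@example.Probe@run()}/ HTTP/1.1" 302 0 "-" "python-requests/2.27.1"
192.0.2.44 - - [27/May/2022:09:40:12 +0000] "GET /login.action HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Jun/2022:11:02:33 +0000] "GET /%2524%257B%2540example.Probe%2540run%2528%2529%257D/ HTTP/1.1" 302 0 "-" "python-requests/2.27.1"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
EXPR_RE = re.compile(r"\$\{(?P<body>[^}]*)\}")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def decode_uri(uri):
    """Undo up to two layers of percent-encoding so ${ is seen either way."""
    once = unquote(uri)
    return unquote(once) if "%" in once else once


def classify(uri):
    """'clean' (no expression), 'probe' (empty or arithmetic body) or 'payload'
    (body contains a method call or an @class@member static reference)."""
    match = EXPR_RE.search(decode_uri(uri))
    if not match:
        return "clean", None
    body = match.group("body").strip()
    if "(" in body or "@" in body:
        return "payload", body
    return "probe", body


def triage(lines):
    """Group suspicious requests by class and record the earliest of each."""
    out = {"probe": [], "payload": [], "first_seen": {}}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        kind, body = classify(m.group("uri"))
        if kind == "clean":
            continue
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        out[kind].append({"ip": m.group("ip"), "ts": ts, "uri": m.group("uri"), "expr": body})
        first = out["first_seen"].get(kind)
        if first is None or ts < first:
            out["first_seen"][kind] = ts
    return out


if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    for kind in ("probe", "payload"):
        print(f"{kind}: {len(result[kind])} request(s), first {result['first_seen'].get(kind)}")
        for rec in result[kind]:
            print(f"  {rec['ts']:%Y-%m-%d %H:%M:%S} {rec['ip']} {rec['expr']!r}")
```

Run it over the full retention window, not just the days since the advisory: the value of the exercise is the earliest payload-class hit, because that is the date from which the host has to be treated as potentially compromised. A probe-only history is not proof of safety either, since a single successful payload request can precede the scanning noise.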

Both the Volexity and the Cloudflare reports contain indicators of compromise. Since the attacks have been going on for two weeks, organisations should analyse their Confluence Servers for signs of intrusion through this vulnerability rather than assume the patch alone is enough: patching closes the hole but does not remove a webshell or implant that was planted before it. At minimum, look for JSP files recently written into web-accessible directories and for shell or interpreter processes spawned by the Confluence Java process, the two artefacts Volexity describes.