There is a critical issue with Atlassian in the form of a remote execution code, a vulnerability that is impacting the Confluence Server and Data Center. The flaw, referred to as the CVE-2022-26134, was first discovered by Australia’s Volexity.


CVE-2022-26134, the Atlassian’s Confluence Server’s zero-day vulnerability, has no permanent solution right now, even though Confluence is working on a fix for the issue that has put all Confluence Server and Data Center versions at risk.

This is not the first time Atlassian’s Confluence Server has been compromised. In Q3 of 2021, Atlassian’s Confluence shook the IT world with its CVE-2021-26084 vulnerability, an OGNL injection vulnerability that cybercriminals exploited globally.


What is a Zero-day vulnerability?

A Zero-day attack is an undiscovered flaw in the software or hardware that the developer does not know about. The threat actors or cybercriminals find out about this flaw and exploit it for their malicious purposes. At the same time, the vulnerability is still open, leaving organizations and developers in the dust before they can comprehend what happened or deploy countermeasures to take care of the flaw.


Atlassian’s Zero-Day Exploit

CVE-2022-26134 is Atlassian’s zero-day exploit that allows threat actors to remotely execute malicious code on the server to establish a BEHINDER web shell. According to Volexity’s report, the web shell has extremely powerful capabilities and includes the support of Meterpreter and Cobalt Strike.

Furthermore, the exploit is extremely dangerous with a memory-based implant that can avoid detection. Volexity outlined how the remote execution appeared similar to previous attacks. The CVE-2022-26134 seems to be a command injection vulnerability, allowing threat actors to execute commands and gain full control without the need for login credentials via web requests to the Confluence Server.

Volexity believes the initial attack was a single exploit. The exploit, in turn, allowed the threat actors to load malicious class files into the Confluence server system’s memory so they could effectively place the web shell to exploit the server via subsequent requests, eliminating the need for gaining entry into the system again.

Volexity also shared forensic details about the attack where it used the Volcano Server to extract memory regions after discovering suspicious web server processes in the form of Python and bash instances. The heap contained all data and remote commands executed by the threat actors to spawn the web server’s malicious child processes, a process that organizations can follow to check and examine their own environments.


Behinder Webshell: The Revelation of Volexity’s Heap

The heap data led Volexity to Java programming language’s strings. The heap included many Java classes and code snippets, including process spawning, dynamic method reflection, and more. These strings were not limited to Java and also had commands for spawning bash via Python’s functionalities.

Volexity summarized how Atlassian’s vulnerability included webserver injection via the Java code snippets. Further analysis revealed that the implant the threat actors were using was the BEHINDER web server. This open-source implant, Avast says, is employed by a multitude of threat actors.


What the Server Logs Revealed

Volexity checked and analyzed all web server logs and requests from the disk files and memory samples, leading them to the payload method and the time of the attack. Since even encrypted requests and responses must be stored in the memory for proper processing, Volexity used memory analysis and leveraged plaintext buffers to recover such network data and collect a deep understanding of the initial exploitation. The logs also enforced the usage of the BEHINDER implant and included “POST” type web requests with “200” status codes, an activity or path not used by Confluence’s native operations.


Details of the Advisory

Volexity highlighted that the CVE-2022-26134 vulnerability should be treated as a serious issue. It can grant threat actors access to highly sensitive networks and pose a challenge to the organizations as such attacks are difficult to investigate due to a lack of logs and monitoring in such systems.

Atlassian’s Confluence Server and Data Center shared a security advisory on 2 June 2022, highlighting the critical severity of the CVE-2022-26134 remote execution vulnerability. Atlassian’s security advisory recommends upgrading to the latest software from its download center.


How to Keep Safe from the Confluence Server vulnerability?

Atlassian recommends that you follow a few steps in case you cannot download the latest secure upgrade, especially for those who use the Confluence cluster implementations.

  1. Shut down Confluence
  2. Download the Atlassian’s xwork jar file to the Confluence Server
  3. Delete the old JAR file or move it outside the install directory.
  4. Copy the newly downloaded xwork JAR file into the directory.
  5. Check permissions and ownership of the xwork JAR file to ensure it matches the existing directory files.
  6. Restart Confluence.

You can find all the official links and downloads in the Atlassian Security Advisory. You can view the security advisory here, which reveals the fixed versions as of yet. It is constantly updated with the latest information.

The best thing you can do right now is follow the above steps to get the latest software and patches that Atlassian releases, as their security teams are working around the clock to deliver the best security and fix the discovered vulnerability.


Final Words

The Zero-day exploitation is certainly not good news for Atlassian and its products and services. This is not the first time a massive vulnerability has been discovered in the software giant. Still, with the rising cybercrimes, advanced attacks, and cybercrime as a service model, cybersecurity has become a constant battle.

Atlassian has already released a patch and updated versions to the Confluence Server and Data Center for the latest versions since the exploit had the power to affect prior versions, as back as 2013’s 1.3.5 one. You can install the updates to keep yourself safe and implement a WAF to reduce risks further.

Pin It on Pinterest

Share This