Atlassian orders customers to cut internet access to Confluence after critical bug discovered

A patch is not yet available


Software company Atlassian has told Confluence users to either restrict the tool’s internet access or to cut it off entirely after it found a high-severity flaw that’s being exploited in the wild.

The collaboration tool has for multiple years been carrying a bug that allows threat actors to mount unauthenticated remote code execution attacks against target endpoints, the company confirmed.

As reported by The Register, Atlassian first reported finding the flaw on June 2. As the patch is still in the works, and because the bug is being actively exploited, the firm has urged customers to take alternative action.


A decade of risk

At first, the company believed only the latest version 7.18 of Confluence Server was vulnerable, as there was evidence of this version being attacked. However, further investigation found that all versions (from 1.3.5 onwards) were vulnerable. Version 1.3.5 was released almost a decade ago, in 2013.

The patch is still under development, with the company promising it will be released by the end of the day (June 03). While that is good news, not all companies will be able to patch in time, given that it is Friday.

Those who want to sleep peacefully over the weekend have a couple of options to choose from: either restrict Confluence Server and Data Center instances' access to the internet, or disable Confluence Server and Data Center instances entirely. Atlassian also said companies could implement a Web Application Firewall (WAF) rule to block all URLs containing ${, as that "may reduce your risk".
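As an added example, not from the article or from Atlassian, the WAF heuristic above applied as a check over constructed Confluence access-log lines. It URL-decodes the request path before matching, since a rule that only inspects the raw string misses percent-encoded forms of the same characters; the log format and sample lines are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Apache combined format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Jun/2022:10:00:01 +0000] "GET /login.action HTTP/1.1" 200 5120
203.0.113.5 - - [03/Jun/2022:10:00:02 +0000] "GET /%24%7Btest%7D/ HTTP/1.1" 302 0
203.0.113.9 - - [03/Jun/2022:10:00:03 +0000] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 8899
203.0.113.9 - - [03/Jun/2022:10:00:04 +0000] "POST /${x}/ HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def normalize(url):
    # Decode up to twice so single- and double-encoded paths are compared in plain form.
    prev = url
    for _ in range(2):
        cur = unquote(prev)
        if cur == prev:
            break
        prev = cur
    return prev

def is_suspicious(url):
    # The marker Atlassian suggested blocking, checked on the decoded URL.
    return "${" in normalize(url)

def scan_log(text):
    # Return (ip, method, raw url, status) for every request that trips the check.
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_suspicious(m["url"]):
            hits.append((m["ip"], m["method"], m["url"], m["status"]))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("suspicious request:", hit)
```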

The flaw, being tracked as CVE-2022-26134, was first discovered by security firm Volexity. The firm says attackers could insert a Java Server Pages (JSP) webshell into a publicly accessible web directory on a Confluence server.

“The file was a well-known copy of the JSP variant of the China Chopper webshell,” Volexity wrote. “However, a review of the web logs showed that the file had barely been accessed. The webshell appears to have been written as a means of secondary access.”

Confluence’s web application process was also found to have been launching bash shells, something that “stood out”, Volexity said: the web application process spawned a bash process, which in turn launched a Python process that then spawned another bash shell.

“Volexity believes the attacker launched a single exploit attempt…which in turn loaded a malicious class file in memory. This allowed the attacker to effectively have a webshell they could interact with through subsequent requests. The benefit of such an attack allowed the attacker to not have to continuously re-exploit the server and to execute commands without writing a backdoor file to disk.”

Via The Register

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
