Atlassian Issues a Fix for a Zero-Day Flaw in Confluence That Was Found in the Wild

Atlassian released patches on Friday to address a critical security flaw in its Confluence Server and Data Center products, which has been actively exploited by threat actors to achieve remote code execution.
The issue, tracked as CVE-2022-26134, is similar to CVE-2021-26084, another security flaw patched by the Australian software company in August 2021.
Both are related to an instance of Object-Graph Navigation Language (OGNL) injection that could be used to execute arbitrary code on a Confluence Server or Data Center instance.
The newly discovered flaw affects all supported versions of Confluence Server and Data Center, including all versions after 1.3.0. It has been fixed in the following versions:
According to Censys, there are approximately 9,325 services across 8,347 distinct hosts running a vulnerable version of Atlassian Confluence, with the majority of instances located in the United States, China, Germany, Russia, and France.
Evidence of active exploitation of the flaw, most likely by attackers of Chinese origin, was discovered during an incident response investigation in the United States over Memorial Day weekend.
“The targeted industries/verticals are quite widespread,” said Volexity’s founder and president, Steven Adair, in a series of tweets. “This is a free-for-all where exploitation appears to be coordinated.”
“It is clear that the exploit is in the hands of multiple threat groups and individual actors, who have used it in a variety of ways. Some are sloppy, while others are more stealthy.”
In addition to adding the zero-day bug to its Known Exploited Vulnerabilities Catalog, the US Cybersecurity and Infrastructure Security Agency (CISA) has urged federal agencies to immediately block all internet traffic to and from the affected products and either apply patches or remove the instances by June 6, 2022, 5 p.m. ET.