Introduction
Volexity, an industry-leading incident response and forensics firm based in Reston, Virginia, U.S.A., identified a new zero-day (0-day) vulnerability in Atlassian’s Confluence Server software during an incident response engagement over the Memorial Day holiday weekend. Their investigation found that an attacker had successfully exploited the previously undocumented 0-day to achieve remote code execution (RCE) within the victim environment. The Volexity team reproduced the exploit in a Proof of Concept (PoC) and wrote a report describing the vulnerability in detail, including an up-to-date list of affected versions of Atlassian’s Confluence Server and Data Center software. Volexity contacted Atlassian on May 31, 2022, provided the PoC and report, and was the first party to receive confirmation of the 0-day from Atlassian[i]; the vulnerability has since been designated CVE-2022-26134 by MITRE. For more information see Volexity’s blog[ii] and the MITRE entry for CVE-2022-26134[iii].
Affected Versions of Atlassian Server and Data Center Software
The following versions of Atlassian Confluence Server and Data Center software[iv] have been confirmed to be affected by CVE-2022-26134 and are considered vulnerable to exploitation at the time of this writing. Atlassian has stated that it intends to release security fixes (patches) to its customers, which should be downloadable before the close of business (3pm EDT) today, June 3, 2022. For more information please refer to the Atlassian Confluence Security Advisory 2022-06-02[v], which covers Atlassian's response to and disclosure of CVE-2022-26134.
Affected Products | Affected Versions
This advisory will be updated as additional details become available.
What You Need To Know and Do
Per the guidance provided by Atlassian[vi], the following are the recommendations available to customers at this time:
There are currently no fixed versions of Confluence Server and Data Center available. In the interim, customers should work with their security team to determine the best course of action. Options to consider include:
If you are unable to take the above actions, implementing a WAF (Web Application Firewall) rule that blocks URLs containing ${ may reduce your risk. Note that the rule should be evaluated against the percent-decoded request URI: an attacker can submit the same marker URL-encoded (for example %24%7B for ${), and a literal match against the raw URL will not catch it.
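The same "URLs containing ${" check can be run retroactively over web server access logs to look for exploitation attempts that predate the WAF rule. The following is an added example written for this post, not code from Atlassian, Volexity or NetWitness. It assumes a hypothetical combined-style access log format (client IP, timestamp, request line, status, size) and uses constructed log lines; it percent-decodes each request URI repeatedly before matching so that plain, encoded and double-encoded forms of ${ are all caught.

```python
import re
from urllib.parse import unquote

# Marker of an injected OGNL expression in the request path, per Atlassian's
# interim guidance to block URLs containing "${".
OGNL_MARKER = "${"

# Hypothetical access-log layout assumed for this example:
# <client ip> - - [<timestamp>] "<METHOD> <URI> HTTP/x.y" <status> <bytes>
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def normalize_uri(uri: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so that
    %24%7B and the double-encoded %2524%257B both collapse to "${"."""
    decoded = uri
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def is_suspicious(uri: str) -> bool:
    """True if the decoded URI carries the OGNL expression marker."""
    return OGNL_MARKER in normalize_uri(uri)


def scan_log(lines):
    """Return one record per request whose decoded URI contains "${"."""
    hits = []
    for line in lines:
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than guess
        raw_uri = m.group("uri")
        if is_suspicious(raw_uri):
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "raw_uri": raw_uri,
                "decoded_uri": normalize_uri(raw_uri),
            })
    return hits


# Constructed sample log lines (not real traffic). The expression "${7*7}"
# is only a harmless stand-in for the injected-expression marker.
SAMPLE_LOG = [
    '203.0.113.10 - - [03/Jun/2022:10:00:01 +0000] "GET /login.action HTTP/1.1" 200 5123',
    '198.51.100.7 - - [03/Jun/2022:10:00:05 +0000] "GET /${7*7}/ HTTP/1.1" 302 0',
    '198.51.100.8 - - [03/Jun/2022:10:00:09 +0000] "GET /%24%7B7*7%7D/ HTTP/1.1" 302 0',
    '198.51.100.9 - - [03/Jun/2022:10:00:12 +0000] "GET /%2524%257B7*7%257D/ HTTP/1.1" 302 0',
    '203.0.113.11 - - [03/Jun/2022:10:00:20 +0000] "GET /pages/viewpage.action?pageId=%241 HTTP/1.1" 200 8810',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} status={hit["status"]} '
              f'raw={hit["raw_uri"]} decoded={hit["decoded_uri"]}')
```

Of the five constructed lines, the three from 198.51.100.x are flagged and the two benign requests are not; a naive literal match on the raw URL would have caught only the first of the three. Bounding the decode loop matters: an unbounded "decode until stable" on attacker-controlled input is itself a small denial-of-service risk.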
How is NetWitness Responding to This 0-day Vulnerability?
We currently have threat research and intelligence personnel engaged in work related to CVE-2022-26134. These researchers are vetting the information we have in hand from Volexity, Atlassian and our own research, and are building an internal Proof of Concept (PoC). That work will result in new threat research intelligence content (machine-readable threat intelligence) and a more detailed blog post covering the findings and the practical application of that content within our product portfolio.
If you have any questions, please contact NetWitness Customer Support & Success or your account teams for more information. We also recommend that you subscribe to this channel to ensure that you are receiving the most up to date information possible.
[i] https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
[ii] https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
[iii] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26134
[iv] https://confluence.atlassian.com/doc/confluence-release-notes-327.html
[v] https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
[vi] https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html