In light of the critical Atlassian zero-day (CVE-2022-26134) that’s just making headlines, Information Security Experts emphasis why it is better time to move to cloud but what do you think?
On Friday 3rd of June, Atlassian released a security advisory impacting all versions of Confluence Server & Data Centre editions that allows an unauthenticated adversary to perform Remote Code Execution (RCE). This means that any organisation with a public-facing Confluence instance is now at risk of total compromise by an attacker.
There are an estimated 11,500+ public-facing Confluence servers found via Shodan.io that could potentially be vulnerable and security researchers have already observed attempts to deploy the Mirai Botnet on vulnerable Confluence servers.
Recommendations:
Emergency deployment of updates to Confluence released versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1 which contain a fix for this issue.
Restrict Public-Facing Confluence instances to access only from within the internal network or corporate VPN.
Deploy additional monitoring to on-premise Confluence servers and ingest Apache Tomcat Web Request/Access logs to SIEM for proactive monitoring & retrospective confirmation of successful/unsuccessful attempts to exploit the vulnerability.
It is important to note that customers that use Atlassian Cloud are not vulnerable.
InfoSec Expert
June 7, 2022 11:58 am
CVE-2022-26134 is about as bad as it gets. The vulnerability is easy to scan for and easy to exploit using a single HTTP GET request. We’ve verified that the public exploits released over the weekend enable arbitrary command execution and host takeover against many versions of Confluence, including the latest unpatched version 7.18.0.
The obvious impact of this vulnerability is that public-facing Confluence instances can be easily exploited by attackers to gain a foothold into internal networks. However, the impact extends beyond that. Confluence instances often contain a wealth of user data and business-critical information that is valuable for attackers moving laterally within internal networks. We’ve advised our clients to patch immediately, even if their Confluence instance is not public.
InfoSec Expert
June 7, 2022 11:52 am
As more organizations implement Multifactor Authentication and effectively lock the front door, hacking organizations are launching Ransomware attacks using other methods as witnessed by the explosion in exploits for this vulnerability. Not implementing patches immediately is the equivalent of leaving the back door propped open for attackers.
InfoSec Expert
June 7, 2022 11:51 am
Source code attacks are some of the most effective and long reaching attacks on the IT ecosystem. The Solarwinds attacked showed us the level of damage and the magnitude of threat that embedded malware can have in our vital s/w components. By attacking the source code base the hackers are able to manipulate the code to become, in fact, agents of the hacking enterprise, cryptographically registered as legitimate components on the IT system. It is imperative that enterprises review their code and most importantly the identities that have control of the source system, like Atlassian, to insure restrictive and legitimate access to their vital code bases.
InfoSec Expert
June 6, 2022 11:27 am
Thankfully, this does not affect the cloud/SaaS versions of Confluence. Unfortunately, those who are running Confluence on-premises are being instructed to remove it from the internet, shut it off, or add an overly aggressive web application firewall (WAF) rule until there is a fix—being left high and dry and without the use of an important project collaboration tool that will affect their organization’s overall productivity.
The Contrast Labs Team is closely monitoring the critical unauthenticated remote code execution vulnerability discovered in all versions of Atlassian’s on-prem Confluence Server and Data Center. Atlassian products continue to be plagued with OGNL Injections and based on the instructions for WAF rules and comments about loading malicious classes, we believe this is another case of OGNL Injection leading to an RCE. This is yet another example of why enterprises need to move away from on-prem technologies as well as invest in runtime application self-protection (RASP) technologies that can prevent these exploits all before day zero, without the need to patch anything or turn it off.
It blows my mind that so many organizations do not see RASP as a critical control layer, especially when RASP solutions provide continuous, accurate, automated and scalable protection while providing application layer threat intelligence across the entire application.
On Friday 3rd of June, Atlassian released a security advisory impacting all versions of Confluence Server & Data Centre editions that allows an unauthenticated adversary to perform Remote Code Execution (RCE). This means that any organisation with a public-facing Confluence instance is now at risk of total compromise by an attacker.
There are an estimated 11,500+ public-facing Confluence servers found via Shodan.io that could potentially be vulnerable and security researchers have already observed attempts to deploy the Mirai Botnet on vulnerable Confluence servers.
Recommendations:
It is important to note that customers that use Atlassian Cloud are not vulnerable.
CVE-2022-26134 is about as bad as it gets. The vulnerability is easy to scan for and easy to exploit using a single HTTP GET request. We’ve verified that the public exploits released over the weekend enable arbitrary command execution and host takeover against many versions of Confluence, including the latest unpatched version 7.18.0.
The obvious impact of this vulnerability is that public-facing Confluence instances can be easily exploited by attackers to gain a foothold into internal networks. However, the impact extends beyond that. Confluence instances often contain a wealth of user data and business-critical information that is valuable for attackers moving laterally within internal networks. We’ve advised our clients to patch immediately, even if their Confluence instance is not public.
As more organizations implement Multifactor Authentication and effectively lock the front door, hacking organizations are launching Ransomware attacks using other methods as witnessed by the explosion in exploits for this vulnerability. Not implementing patches immediately is the equivalent of leaving the back door propped open for attackers.
Source code attacks are some of the most effective and long reaching attacks on the IT ecosystem. The Solarwinds attacked showed us the level of damage and the magnitude of threat that embedded malware can have in our vital s/w components. By attacking the source code base the hackers are able to manipulate the code to become, in fact, agents of the hacking enterprise, cryptographically registered as legitimate components on the IT system. It is imperative that enterprises review their code and most importantly the identities that have control of the source system, like Atlassian, to insure restrictive and legitimate access to their vital code bases.
Thankfully, this does not affect the cloud/SaaS versions of Confluence. Unfortunately, those who are running Confluence on-premises are being instructed to remove it from the internet, shut it off, or add an overly aggressive web application firewall (WAF) rule until there is a fix—being left high and dry and without the use of an important project collaboration tool that will affect their organization’s overall productivity.
The Contrast Labs Team is closely monitoring the critical unauthenticated remote code execution vulnerability discovered in all versions of Atlassian’s on-prem Confluence Server and Data Center. Atlassian products continue to be plagued with OGNL Injections and based on the instructions for WAF rules and comments about loading malicious classes, we believe this is another case of OGNL Injection leading to an RCE. This is yet another example of why enterprises need to move away from on-prem technologies as well as invest in runtime application self-protection (RASP) technologies that can prevent these exploits all before day zero, without the need to patch anything or turn it off.
It blows my mind that so many organizations do not see RASP as a critical control layer, especially when RASP solutions provide continuous, accurate, automated and scalable protection while providing application layer threat intelligence across the entire application.