Skip links

Atlassian: Unpatched critical flaw under attack right now to hijack Confluence – and it’s been there since 2013

Updated Atlassian has warned users of its Confluence collaboration tool that they should either restrict internet access to the software, or disable it, in light of a critical-rated unauthenticated remote-code-execution flaw in the product that is actively under attack.

An advisory dated June 2, 1300 PT (2000 UTC), does not describe the nature of the flaw, and reveals “current active exploitation” has been detected. No patch is available.

The flaw is present in version 7.18 of Confluence Server, which is under attack, as well as potentially versions 7.4 and higher of Confluence Server and Confluence Data Center. Version 7.4 is a long-term support edition.

“There are currently no fixed versions of Confluence Server and Data Center available,” the advisory states. “Atlassian is working with the highest priority to issue a fix.”

Atlassian suggests that while customers wait for the fix to land, they “should work with their security team to consider the best course of action.” The Australian software house’s “options to consider” are:

  • Restricting Confluence Server and Data Center instances from the internet.
  • Disabling Confluence Server and Data Center instances.

The first option is probably easier for most users to implement, though could cause significant disruption for remote workers unless there’s some kind of VPN solution in place. The second will definitely cause significant internal disruption.

No timeframe has been offered for delivery of a fix nor has Atlassian offered any hint about the complexity of work required to address the issue.

While any critical-rated flaw that’s under attack is very bad news, many Atlassian users may have dodged the bullet because version 7.18 of Confluence Server was announced on May 30 and is therefore unlikely to be widely deployed. Indeed, few may have been planning to adopt the new code, as version 7.19 is designated as a Long Term Support release.

Users of Confluence 7.4 have more to worry about, as that version was released in April 2020, and it is “potentially vulnerable,” according to Atlassian.

News of the flaw, tracked as CVE-2022-26134, comes after Atlassian’s cloud services experienced a two-week outage in April 2022. ®

Updated 02:05 UTC, June 3 The US Cybersecurity and Infrastructure Security Agency has issued an advisory in which it “urges organizations with affected Atlassian’s Confluence Server and Data Center products to block all internet traffic to and from those devices until an update is available and successfully applied.”

Security company Volexity, which reported the flaw to Atlassian, has published an analysis of the situation that suggests attackers are able to insert a Java Server Page (JSP) webshell into a publicly accessible web directory on Confluence servers.

“The file was a well-known copy of the JSP variant of the China Chopper webshell,” Volexity wrote. “However, a review of the web logs showed that the file had barely been accessed. The webshell appears to have been written as a means of secondary access.”

The security company also found the Confluence web application process launching bash shells. “This stood out because it had spawned a bash process which spawned a Python process that in turn spawned a bash shell,” the company’s post states.

“Volexity believes the attacker launched a single exploit attempt … which in turn loaded a malicious class file in memory. This allowed the attacker to effectively have a webshell they could interact with through subsequent requests. The benefit of such an attack allowed the attacker to not have to continuously re-exploit the server and to execute commands without writing a backdoor file to disk.”

Updated 07:30 UTC, June 3 Atlassian has good news and bad news about this bug.

The bad news is it’s been found to impact Confluence all the way back to version 1.3.5, which was released in the year 2013.

The good is the company has promised a patch by the end of June 3rd, Pacific Time.

Maybe that’s bad news, as that timing means the patch will arrive on the weekend for most of the world.

In the meantime, Atlassian advises implementing a WAF (Web Application Firewall) rule which blocks URLs containing ${ “may reduce your risk.”