Threat actors are actively exploiting a vulnerability in on-premises Confluence Servers. Here's what you need to know.
On June 2, 2022, Atlassian issued a security advisory for a critical vulnerability, CVE-2022-26134, impacting Atlassian's on-premises Confluence Server and Confluence Data Center servers. Confluence is software that allows collaboration using a document and knowledge repository. The vulnerability allows an unauthenticated attacker to gain full access to the Confluence Servers. All supported versions of the products are affected; however, it does not impact cloud-based Confluence products.
Quick facts: what you need to know now
- Threat actors are actively scanning and exploiting vulnerable servers. In observed attacks, threat actors are deploying malicious files that allow the attacker to remotely interact with the system.
- An unauthenticated user can execute arbitrary commands on vulnerable servers which grants them full control over the unpatched system.
- All supported versions of on-premises Confluence Server and Data Center servers are impacted.
- Cloud-based Confluence products are not affected.
Next Steps for All Confluence Server and Data Center Customers:
- Immediately patch the vulnerable servers using patches available on the Atlassian advisory.
- Ensure EDR is deployed to all potentially impacted servers.
- If you are unable to patch, take the following mitigation steps:
  - Restrict or disable Internet access to Confluence Server and Data Center instances, or
  - Follow the mitigation guidance outlined in the Atlassian advisory.
Investigation Steps:
- Analyze web server logs for suspicious activity.
- Search for suspicious Jakarta Server Pages (JSP) files on systems by checking for any indicators of compromise (IOCs) here.
- All users should monitor updates from Atlassian.
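The two investigation steps above (review web server logs, hunt for unexpected JSP files) can be scripted so they are repeatable across many hosts. The example below is added here and is not code from the original advisory or from Atlassian. It assumes a hypothetical baseline inventory of JSP files taken from a known-good install of the same version, a placeholder IOC hash set that you populate from the Atlassian advisory, and access logs in Combined Log Format; the sample file tree and log lines are constructed for the demo.

```python
import hashlib
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Placeholder: populate from the IOC list in the Atlassian advisory.
# The single constructed value below matches nothing real.
IOC_SHA256 = {"0" * 64}

# Hypothetical baseline of JSP paths (relative to the web root) that a clean
# install is expected to contain. Build it from a known-good host, never from
# the suspect one.
BASELINE_JSP = frozenset({"login.jsp"})

# Combined Log Format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines; 203.0.113.7 requests a JSP outside the baseline.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Jun/2022:10:15:02 +0000] "GET /login.jsp HTTP/1.1" 200 5321 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [03/Jun/2022:10:16:44 +0000] "GET /sub/dropped.jsp HTTP/1.1" 200 120 "-" "curl/7.79.1"',
    '10.0.0.9 - - [03/Jun/2022:10:17:00 +0000] "POST /rest/api/content HTTP/1.1" 201 88 "-" "Mozilla/5.0"',
]


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_suspicious_jsp(root, modified_after, baseline=BASELINE_JSP):
    """Return (relative_path, reasons) for every .jsp under root that was modified
    after the cutoff, is absent from the baseline inventory, or matches an IOC hash."""
    root = Path(root)
    hits = []
    for p in sorted(root.rglob("*.jsp")):
        rel = p.relative_to(root).as_posix()
        reasons = []
        mtime = datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
        if mtime > modified_after:
            reasons.append(f"modified {mtime:%Y-%m-%d} after cutoff")
        if rel not in baseline:
            reasons.append("not in baseline inventory")
        if sha256_of(p) in IOC_SHA256:
            reasons.append("SHA-256 matches IOC list")
        if reasons:
            hits.append((rel, reasons))
    return hits


def find_suspicious_requests(log_lines, baseline=BASELINE_JSP):
    """Return (ip, method, path, status) for requests to .jsp paths not in the baseline.
    A served JSP the install never shipped is the web-log side of a dropped file."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Combined Log Format
        path = m.group("path").split("?", 1)[0].lstrip("/")
        if path.lower().endswith(".jsp") and path not in baseline:
            hits.append((m.group("ip"), m.group("method"), path, m.group("status")))
    return hits


def demo():
    """Build a constructed web root with one baseline JSP (old mtime) and one
    unexpected JSP (fresh mtime), then run both checks."""
    cutoff = datetime(2022, 6, 1, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        old = root / "login.jsp"
        old.write_text("<%-- constructed baseline page --%>")
        os.utime(old, (1_600_000_000, 1_600_000_000))  # 2020-09-13, before cutoff
        (root / "sub").mkdir()
        (root / "sub" / "dropped.jsp").write_text("<%-- constructed unknown file --%>")
        jsp_hits = find_suspicious_jsp(root, cutoff)
    log_hits = find_suspicious_requests(SAMPLE_LOG)
    return jsp_hits, log_hits


if __name__ == "__main__":
    for rel, reasons in demo()[0]:
        print(f"JSP  {rel}: {', '.join(reasons)}")
    for ip, method, path, status in demo()[1]:
        print(f"LOG  {ip} {method} /{path} -> {status}")
```

Run it against the real web root and access logs by replacing the constructed tree and `SAMPLE_LOG` with your paths, and treat the cutoff as the earliest date the host could have been exposed rather than the advisory date. The baseline comparison is the more reliable of the three signals: an attacker can reset file timestamps and can trivially change a file's hash, but cannot make a file appear in an inventory taken from a clean host.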
If you have any questions, please reach out to the Risk + Response Team at firstname.lastname@example.org!