Attackers Use Public Exploits to Throttle Atlassian Confluence Flaw

The vulnerability remains unpatched on many versions of the collaboration tool and has potential to create a SolarWinds-type scenario.

Threat actors are using public exploits to pummel a critical zero-day remote code execution (RCE) flaw that affects all versions of a popular collaboration tool used in cloud and hybrid server environments and allows for complete host takeover.

Researchers from Volexity uncovered the flaw in Atlassian Confluence Server and Data Center software over the Memorial Day weekend after they detected suspicious activity on two internet-facing web servers belonging to a customer running the software, they said in a blog post published last week.

The researchers tracked the activity to a public exploit for the vulnerability, CVE-2022-26134, that’s been spreading rapidly, and subsequently reported the flaw to Atlassian. As observed by Volexity researchers, what’s being described as an “OGNL injection vulnerability” appears to allow for a Java Server Page (JSP) webshell to be written into a publicly accessible web directory on Confluence software.

“The file was a well-known copy of the JSP variant of the China Chopper webshell,” researchers wrote. “However, a review of the web logs showed that the file had barely been accessed. The
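A check that follows directly from the two observations above (a JSP file written into a publicly reachable web directory, and a web log in which that file was barely requested) is to inventory JSP files under the Confluence web root against a known-good baseline and join the result with per-path request counts from the access log. The script below is an added example for defenders, not code from Threatpost, Volexity or Atlassian; it assumes a combined-format access log, a baseline set built from a clean copy of the same Confluence version, a `/confluence/` URL prefix, and uses constructed log lines and file names rather than real indicators.

```python
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Regex for one line of a combined-format access log (request line + status).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic); the last one requests a
# JSP file that a stock install does not ship.
SAMPLE_LOG = [
    '203.0.113.10 - - [03/Jun/2022:10:01:12 +0000] "GET /confluence/login.action HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [03/Jun/2022:10:01:40 +0000] "GET /confluence/pages/viewpage.action?pageId=1 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Jun/2022:10:05:03 +0000] "POST /confluence/upload.jsp HTTP/1.1" 200 31 "-" "python-requests/2.27"',
]


def access_counts(log_lines):
    """Count requests per URL path (query string stripped); unparseable lines are skipped."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        counts[path] += 1
    return counts


def unexpected_jsp_files(web_root, baseline):
    """Return relative paths of .jsp files under web_root that are absent from
    `baseline`, the set of JSP paths known to ship with the install (assumed to
    be built from a clean copy of the same Confluence version)."""
    root = Path(web_root)
    found = []
    for p in root.rglob("*.jsp"):
        rel = p.relative_to(root).as_posix()
        if rel not in baseline:
            found.append(rel)
    return sorted(found)


def triage(unexpected, counts, web_prefix="/confluence/"):
    """Pair each unexpected JSP with its request count from the access log.
    Sorted by hits ascending: a file that has barely been requested still
    deserves review, which is exactly the situation the article describes."""
    rows = [{"path": rel, "hits": counts.get(web_prefix + rel, 0)} for rel in unexpected]
    return sorted(rows, key=lambda r: (r["hits"], r["path"]))


def demo():
    """Build a throwaway web root with one stock and one foreign JSP and run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "admin").mkdir()
        (Path(tmp) / "admin" / "stock.jsp").write_text("<%-- shipped with install --%>")
        (Path(tmp) / "upload.jsp").write_text("<%-- constructed stand-in for a dropped file --%>")
        baseline = {"admin/stock.jsp"}  # assumed known-good inventory
        unexpected = unexpected_jsp_files(tmp, baseline)
        return triage(unexpected, access_counts(SAMPLE_LOG))


if __name__ == "__main__":
    for row in demo():
        print(f"{row['path']}: {row['hits']} request(s) in log")
```

On a real host, point `unexpected_jsp_files` at the Confluence web root and feed `access_counts` the server's access log; any file the baseline does not account for is a candidate for hashing and review regardless of how few hits it has, since a low request count is what made the file easy to overlook in the incident described.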

Read More: https://threatpost.com/public-exploits-atlassian-confluence-flaw/179887/