Critical Vulnerability Leaves Atlassian’s Confluence Exposed


Staff Writer

Fast-moving malicious actors are exploiting a security flaw in Atlassian’s Confluence Server software. The cyberattacks come a week after Atlassian first issued a security advisory to users of its Confluence Server and Confluence Data Center products.

On August 25, Atlassian disclosed a critical severity security vulnerability. At risk are Confluence Server and Data Center versions before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.

Confluence is a web-based corporate wiki. Over 60,000 customers worldwide use Confluence software, but it is not known how many are using the at-risk versions. Many Australian Government agencies, organisations, and businesses use Confluence as a team workspace and centralised collaboration repository. Atlassian notes the vulnerability does not affect Confluence Cloud customers.

Atlassian says an OGNL injection vulnerability exists that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. The flaw is an injection bug involving the open-source Object-Graph Navigation Language (OGNL), an expression language used by the application.

In an alert rated high, the Australian Cyber Security Centre (ACSC) advises that executing arbitrary code could allow a remote malicious cyber actor to take full control of a vulnerable server.

“This vulnerability is not dissimilar to the recent Microsoft Exchange vulnerability which the ACSC provided guidance on, where cybercriminals were exploiting Microsoft Exchange vulnerabilities to deploy ransomware in overseas organisations,” says Stephen Kho, Cyber Security Expert at Avast.

The ACSC says it is aware of scanning and attempted exploitation of the vulnerability. In a tweet posted on Thursday, September 2, cyber intelligence consultancy Bad Packets confirms they have detected mass scanning and exploit activity from hosts in Russia, Hong Kong, Brazil, Nepal, Romania, and the United States targeting Atlassian Confluence servers vulnerable to remote code execution.

“Remote code execution is one of the most critical vulnerabilities that can be found in an application,” says Kho. In this class of flaw, an attacker crafts malicious input and injects it through the application's input points so that the server ends up executing it as code.

“Successful exploitation of a company’s Confluence server may allow an attacker to gain not only unauthorised access to potentially sensitive company information but also allow the deployment of ransomware across the entire company’s systems.

“An exploit code has become available, and cyber actors are scanning the Internet for vulnerable Confluence server interfaces like login web pages, to exploit using this released exploit code.”

The ACSC says organisations and businesses who self-host Atlassian Confluence should identify any internet-facing instances of Confluence as a priority. Atlassian has released versions 6.13.23, 7.4.11, 7.11.6, 7.12.5, and 7.13.0, which contain a fix for this issue.
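The affected ranges above and the fixed releases listed here can be turned into a quick inventory check. The following is an added example, not Atlassian's or the ACSC's tooling; the hostnames and versions in the sample inventory are constructed for illustration, and it follows the ACSC's advice by listing internet-facing instances first.

```python
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

def parse_version(text: str) -> Version:
    """Turn '7.4.10' (or '7.4.10-rc1') into a tuple that compares numerically."""
    parts = text.strip().split("-")[0].split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)

# Affected ranges from the advisory quoted in the article:
# (inclusive lower bound, or None for "every version before";
#  exclusive upper bound; the release that closes the gap).
AFFECTED_RANGES = [
    (None,                    parse_version("6.13.23"), "6.13.23"),
    (parse_version("6.14.0"), parse_version("7.4.11"),  "7.4.11"),
    (parse_version("7.5.0"),  parse_version("7.11.6"),  "7.11.6"),
    (parse_version("7.12.0"), parse_version("7.12.5"),  "7.12.5"),
]

def fix_for(version: str) -> Optional[str]:
    """Fixed release for the affected range `version` falls in, or None if unaffected."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if (low is None or v >= low) and v < high:
            return fixed
    return None

def triage(inventory: List[Tuple[str, str, bool]]) -> List[Tuple[str, str, str]]:
    """Return (host, version, fixed_release) for affected hosts, internet-facing first."""
    affected = [(h, ver, exposed) for h, ver, exposed in inventory if fix_for(ver)]
    affected.sort(key=lambda entry: (not entry[2], entry[0]))
    return [(h, ver, fix_for(ver)) for h, ver, _ in affected]

# Constructed sample inventory: (hostname, Confluence version, internet-facing?)
SAMPLE_INVENTORY = [
    ("wiki-internal.example", "7.12.4", False),
    ("wiki.example", "7.4.10", True),
    ("docs.example", "7.13.0", True),
    ("legacy-wiki.example", "6.13.22", False),
]

if __name__ == "__main__":
    for host, ver, fixed in triage(SAMPLE_INVENTORY):
        print(f"{host}: running {ver}, upgrade to {fixed}")
```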

“As per the ACSC and Atlassian’s advice, vulnerable Confluence servers should be patched with the latest available update,” adds Kho.

If users cannot upgrade right away, Atlassian has also published a script, for the operating systems Confluence runs on, as a temporary workaround.