Elaine Jean Tech 06.06.2022 01:Jun AM EDT

Atlassian Confluence CVE-2022-26134 Vulnerability Proof-of-Concept Exploits Released: Is There a Patch?

Atlassian Confluence was attacked through a series of proof-of-concept exploits of the CVE-2022-26134 vulnerability.

Last week, the Australian-grown software company Altassian was detected to have a zero-day vulnerability tracked as CVE-2022-26134. The Atlassian products that are affected are the Confluence Server and Data Center, both of which are susceptible to an unauthenticated remote code execution vulnerability of critical severity.

Atlassian Confluence, CVE-2022-26134 Vulnerability

Confluence is a software collaborative documentation tool created by the company Atlassian.

The CVE-2022-26134 vulnerability was discovered by the cybersecurity company Volexity, which alerted Atlassian on May 31. Following the discovery by Volexity that the vulnerability had been used by various threat actors in assaults, malicious actors became aware of it.

Because there was no patch available at the time, Atlassian advised administrators to either take their servers offline or prevent them from being accessible via the internet.

If the vulnerability is exploited, it will allow unauthenticated, remote attackers to create new admin accounts, run commands, and eventually seize control of the system.

A proof-of-concept exploit for the Atlassian Confluence vulnerability was made publicly available on Friday of the previous week. The exploit quickly went viral online over the course of the weekend, with researchers posting examples of how easy it was to exploit on social media platforms like Twitter.

Exploits for Confluence that have been published online show how to construct reverse shells, make forced DNS requests, acquire information, and create new admin accounts.

Bleeping Computer reported that Andrew Morris, the chief executive officer of the cybersecurity company GreyNoise, tweeted on June 4, that the company had started to observe 23 different IP addresses exploiting the Atlassian vulnerabilities.

Furthermore, GreyNoise says that the total number of distinct IP addresses that are attempting to exploit this vulnerability has nearly multiplied by 10, reaching 211 different IP addresses in total as of June 5.

According to Atlassian, the vulnerability was confirmed in Confluence Server 7.18.0, and the company believes that Confluence Server and Data Center 7.4.0 and higher are also susceptible to the issue.

However, it is worth noting that organizations that are protected by Atlassian Cloud, which can be accessed through the atlassian.net website, are not vulnerable to this flaw.

Patch for CVE-2022-26134

Atlassian has already released a patch and the company highly recommends its user-base update the security vulnerability to avoid exploits and breaches in their systems from malicious threat actors.

According to Confluence, the recently released patch will fix all the vulnerabilities found in their products, which the company noted are for versions "7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1" that contain all the fixes.

The company recommends its users upgrade to the latest Long Term Support release. Users can download the latest version of the patch from the Atlassian download center, and a description of the latest version is available in the Confluence Server and Data Center Release Notes.

Atlassian has made mitigations available for Confluence versions 7.0.0 all the way up to 7.18.0 in the event that you are unable to promptly fix your servers due to some unforeseen circumstance.

Confluence servers are an appealing target for initial access to a company's network; therefore, devices should be upgraded soon, mitigating risks as much as possible, or taken offline entirely.

Again, users who will not take this precaution will eventually face more serious threats, such as the distribution of ransomware and the loss of data as they can be subjecting themselves to the wild for numerous exploits.