DIVD-2022-00033 - Atlassian Confluence 0-day unauthenticated RCE
Field | Value |
---|---|
Our reference | DIVD-2022-00033 |
Case lead | Frank Breedijk |
Researcher(s) | |
CVE(s) | |
Products | |
Versions | |
Recommendation | Patches are available. |
Patch status | Patch available |
Workaround | If access cannot be blocked or Confluence taken offline, a WAF that blocks requests containing `${` may provide additional protection. |
Status | Closed |
Last modified | 01 Dec 2022 08:49 CET |
Summary
On 2 June 2022, Volexity published a report on exploitation of a Confluence vulnerability. Volexity was in contact with Atlassian, who released a formal advisory.
What we know so far:
- Affected products are Confluence Server and Confluence Data Center (both on-premises products)
- All versions released after 1.3.5 have also been confirmed to be vulnerable
- The vulnerability is an unauthenticated Remote Code Execution
- A proof of concept for exploitation is publicly available
- Patches are available
Atlassian has released a patch, see their security advisory for details. Patched versions are:
- 7.4.17
- 7.13.7
- 7.14.3
- 7.15.2
- 7.16.4
- 7.17.4
- 7.18.1
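The notifications described in this case file were driven by matching version numbers of exposed instances against the fixed releases listed above. The following is an added example (not DIVD's or Atlassian's tooling) of such a branch-aware check: a version is only "patched" if its release branch has a fixed version in the list and the patch level is at or above it. Two points are assumptions of this example rather than statements from the case file: releases in a branch newer than 7.18 are treated as built after the fix, and 1.3.5 itself is counted as affected (the file says "after 1.3.5"; the conservative reading is used).

```python
"""Branch-aware check of a Confluence Server / Data Center version string
against the fixed versions listed in the DIVD case file.
Added example; not DIVD's scanning code."""
from typing import Dict, List, Optional, Tuple

# Fixed versions per release branch, exactly as listed in the case file.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (7, 4): (7, 4, 17),
    (7, 13): (7, 13, 7),
    (7, 14): (7, 14, 3),
    (7, 15): (7, 15, 2),
    (7, 16): (7, 16, 4),
    (7, 17): (7, 17, 4),
    (7, 18): (7, 18, 1),
}
NEWEST_FIXED_BRANCH = max(FIXED_VERSIONS)  # (7, 18)

# Assumption: the case file says versions "after 1.3.5" are vulnerable;
# this check conservatively treats 1.3.5 itself as the first affected release.
FIRST_AFFECTED = (1, 3, 5)


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """'7.13.7' -> (7, 13, 7); '7.13' -> (7, 13, 0); None if not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts[:3]]
    while len(nums) < 3:          # pad short strings such as '7.13'
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def assess(version_text: str) -> str:
    """Classify as 'patched', 'vulnerable', 'not_affected' or 'unknown'.

    Branches between 1.3.5 and 7.18 with no listed fix (e.g. 7.12.x) are
    reported vulnerable: no fixed release exists for them, so the only
    remedy is upgrading to one of the fixed branches.
    Assumption: any branch newer than 7.18 was released after the fix.
    """
    version = parse_version(version_text)
    if version is None:
        return "unknown"
    if version < FIRST_AFFECTED:
        return "not_affected"
    branch = (version[0], version[1])
    if branch in FIXED_VERSIONS:
        return "patched" if version >= FIXED_VERSIONS[branch] else "vulnerable"
    if branch > NEWEST_FIXED_BRANCH:
        return "patched"          # assumption, see docstring
    return "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group host -> version pairs by assessment, so that the 'vulnerable'
    and 'unknown' buckets can be handed to whoever sends notifications."""
    groups: Dict[str, List[str]] = {}
    for host, version in inventory.items():
        groups.setdefault(assess(version), []).append(host)
    return groups


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {
        "wiki.example.test": "7.13.6",
        "docs.example.test": "7.13.7",
        "old.example.test": "7.12.5",
        "new.example.test": "7.19.0",
        "odd.example.test": "build-2022",
    }
    for bucket, hosts in sorted(triage(sample).items()):
        print(f"{bucket:13s} {', '.join(hosts)}")
```

The "unknown" bucket matters in practice: a scanner that cannot read a version string should not silently drop the host, since a silent drop looks identical to "not vulnerable" in the final count.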
What you can do
Apply the patch released by Atlassian.
If patching is not an option, you can follow the advice below to mitigate the risk.
If you are using Confluence Server or Data Center, it is recommended that you either:
- Severely restrict access, or
- Disable the service
If that is unfeasible, a WAF that blocks requests containing `${` may provide additional protection, but a severe risk remains.
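The WAF workaround above amounts to a string match on the request target. The following added example (not DIVD's or Atlassian's code) applies the same test to web server access logs, so that requests a WAF would have blocked can be found after the fact. The match is made on the percent-decoded path, because a WAF normalises the request before matching and a raw `grep '\${'` over the log file does not. The log lines are constructed for the example.

```python
"""Find access-log requests whose target contains '${', the marker the
case file's WAF workaround blocks. Added example; not DIVD's code."""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample lines in Combined Log Format (addresses are documentation
# ranges, timestamps and paths are made up). Line 3 carries the marker
# percent-encoded; a raw substring search on the file would not find it.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Jun/2022:10:15:01 +0200] "GET /login.action HTTP/1.1" 200 4821
203.0.113.11 - - [03/Jun/2022:10:15:07 +0200] "GET /${example}/ HTTP/1.1" 302 0
203.0.113.12 - - [03/Jun/2022:10:15:09 +0200] "GET /%24%7Bexample%7D/ HTTP/1.1" 302 0
203.0.113.13 - - [03/Jun/2022:10:15:15 +0200] "GET /pages/viewpage.action?pageId=12 HTTP/1.1" 200 9023
not a log line at all
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

MARKER = "${"


def parse_access_line(line: str) -> Optional[Dict[str, str]]:
    """Split one Combined Log Format line into fields; None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious(target: str) -> bool:
    """True if the request target contains '${' after one round of
    percent-decoding, which is what a normalising WAF rule would see."""
    return MARKER in unquote(target)


def find_suspicious(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client ip, timestamp, target) for every matching request.
    Unparseable lines are skipped rather than raising, so one odd line
    does not stop a scan over a large file."""
    hits: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        fields = parse_access_line(line)
        if fields and is_suspicious(fields["target"]):
            hits.append((fields["ip"], fields["ts"], fields["target"]))
    return hits


if __name__ == "__main__":
    for ip, ts, target in find_suspicious(SAMPLE_LOG):
        print(f"{ts}  {ip}  {target}")
```

A hit only shows that someone sent the pattern; whether the request succeeded is a separate question, so a 200 or 302 on such a line is a reason to inspect the host, not proof either way. The same `is_suspicious` test can be pointed at a reverse proxy's request log or used as the condition for a blocking rule.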
What we are doing
We started scanning before the exploit was publicly available, by matching the version numbers of the identified instances. We are currently working to identify unpatched Confluence instances that are accessible from the internet and to warn their owners.
As of 16 June 2022, we started scanning with a non-intrusive command execution.
We will be sharing the Dutch part of the data with the Dutch Digital Trust Center, who will inform affected Dutch companies.
Timeline
Date | Description |
---|---|
02 Jun 2022 | Volexity publishes about 0-day vulnerability in Confluence |
03 Jun 2022 | Official Atlassian advisory published |
03 Jun 2022 | First version of this case file |
03 Jun 2022 | Patches announced |
03 Jun 2022 | Patches available |
03 Jun 2022 | Proof of Concept for exploitation is shared publicly online |
04 Jun 2022 | Notifications being sent to about 15k vulnerable instances |
06 Jun 2022 | Data concerning the Netherlands shared with the Digital Trust Center and the Dutch Security Clearing House (Security Meldpunt) |
06 Jun 2022 | Approximately 1150 additional vulnerable instances identified; their owners were sent notifications |
07 Jun 2022 | Approximately 800+ additional vulnerable instances identified; their owners were sent notifications |
08 Jun 2022 | All other data concerning the Netherlands shared with the Digital Trust Center and the Dutch Security Clearing House (Security Meldpunt) |
16 Jun 2022 | Rescanning with a non-intrusive command execution for visibility on the decreasing number of vulnerable instances |
05 Nov 2022 | Rescan and notify (again with a non-intrusive command execution) for visibility on the decreasing number of vulnerable instances. |
01 Dec 2022 | Case closed |