
DIVD-2022-00033 - Atlassian Confluence 0-day unauthenticated RCE

Our reference DIVD-2022-00033
Case lead Frank Breedijk
Researcher(s)
CVE(s)
Products
  • Atlassian Confluence Server
  • Atlassian Confluence Data Center
  • Other versions of Atlassian Confluence are not yet tested and are potentially vulnerable too
Versions
  • >= 7.4.0
  • Older versions are potentially vulnerable too.
Recommendation Patches are available.
Patch status Patch available
Workaround If access cannot be blocked or Confluence taken offline, a WAF that blocks requests containing `${` may provide additional protection
Status Closed
Last modified 01 Dec 2022 08:49

Summary

On 2 June 2022, Volexity published a report about in-the-wild exploitation of a 0-day vulnerability in Confluence. Volexity has been in contact with Atlassian, who released a formal advisory.

What we know so far:

Atlassian has released a patch, see their security advisory for details. Patched versions are:

What you can do

Apply the patch released by Atlassian.

If patching is not an option, you can follow the advice underneath to mitigate risks.

If you are using Confluence Server or Data Center it is recommended that you either:

If that is not feasible, a WAF that blocks requests containing `${` may provide additional protection, but a severe risk remains.
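As an added illustration of why the `${` workaround needs care (example code written for this page, not DIVD's scanner or any Atlassian tooling): a WAF or log-review rule that matches the literal string `${` only will miss requests in which `$` and `{` arrive percent-encoded as `%24%7B`, or double-encoded. The Python below decodes the request target before matching and runs the check over a few constructed combined-log lines; the log lines, the client addresses, the `${x}` placeholder and the three-round decoding bound are all assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in combined-log format; they are not
# traffic observed in the DIVD case. "${x}" stands in for an expression and is
# not a working payload. Line 2 carries "${" literally, line 3 carries it
# percent-encoded, line 4 double-encoded, and line 5 is a benign request whose
# "%24" decodes to a "$" that is not followed by "{".
SAMPLE_LOG = """\
203.0.113.10 - - [03/Jun/2022:10:15:01 +0000] "GET /login.action HTTP/1.1" 200 5120
203.0.113.11 - - [03/Jun/2022:10:15:07 +0000] "GET /${x}/ HTTP/1.1" 302 0
203.0.113.12 - - [03/Jun/2022:10:15:09 +0000] "GET /%24%7Bx%7D/ HTTP/1.1" 302 0
203.0.113.13 - - [03/Jun/2022:10:15:11 +0000] "GET /%2524%257Bx%257D/ HTTP/1.1" 404 1200
203.0.113.14 - - [03/Jun/2022:10:15:12 +0000] "GET /pages/viewpage.action?pageId=%2412 HTTP/1.1" 200 8000
"""

# Request line inside the quoted part of a combined-log entry, and the client
# address at the start of the line.
_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')
_CLIENT_RE = re.compile(r'^(?P<client>\S+) ')

MAX_DECODE_ROUNDS = 3  # assumption: three rounds cover double encoding with margin


def normalize_target(target: str) -> str:
    """Percent-decode the request target until it stops changing (bounded),
    so an encoded or double-encoded marker is compared in the same form as a
    literal one."""
    current = target
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def is_suspicious(target: str) -> bool:
    """True when the decoded request target contains the "${" marker."""
    return "${" in normalize_target(target)


def flag_suspicious(log_text: str) -> list[tuple[str, str]]:
    """Return (client, decoded target) for every log line whose request
    target contains "${" after decoding; lines that do not parse are skipped."""
    hits = []
    for line in log_text.splitlines():
        request = _REQUEST_RE.search(line)
        client = _CLIENT_RE.match(line)
        if not request or not client:
            continue
        target = request.group("target")
        if is_suspicious(target):
            hits.append((client.group("client"), normalize_target(target)))
    return hits


if __name__ == "__main__":
    for client, target in flag_suspicious(SAMPLE_LOG):
        print(f"{client} -> {target}")
```

A hit from this check is a trigger for investigation, not proof of compromise, and a clean log is not proof of safety: a blocking rule of this kind only narrows the attack surface, and the instance still needs the Atlassian patch.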

What we are doing

We started scanning before the exploit was publicly available by matching the version numbers of the identified instances. We are currently working to identify unpatched Confluence instances that are accessible from the internet and to warn their owners.

As of 16 June 2022, we have been rescanning with a non-intrusive command execution check.

We will be sharing the Dutch part of the data with the Dutch Digital Trust Center, who will inform affected Dutch companies.

Timeline

Date Description
02 Jun 2022 Volexity publishes about 0-day vulnerability in Confluence
03 Jun 2022 Official Atlassian advisory published
03 Jun 2022 First version of this case file
03 Jun 2022 Patches announced
03 Jun 2022 Patches available
03 Jun 2022 Proof of Concept for exploitation is shared publicly online
04 Jun 2022 Notifications being sent to about 15k vulnerable instances
06 Jun 2022 Data concerning the Netherlands shared with the Digital Trust Center and the Dutch Security Clearing House (Security Meldpunt)
06 Jun 2022 Approximately 1150 additional vulnerable instances identified and their owners notified
07 Jun 2022 Approximately 800+ additional vulnerable instances identified and their owners notified
08 Jun 2022 All other data concerning the Netherlands shared with the Digital Trust Center and the Dutch Security Clearing House (Security Meldpunt)
16 Jun 2022 Rescanning with a non-intrusive command execution for visibility on the decreasing number of vulnerable instances
05 Nov 2022 Rescan and notify (again with a non-intrusive command execution) for visibility on the decreasing number of vulnerable instances.
01 Dec 2022 Case closed

More information