Atlassian Releases Patch for Confluence Zero-Day Flaw Exploited in the Wild


Atlassian rolled out fixes Friday to address a critical security flaw affecting its Confluence Server and Data Center products that is actively being exploited by threat actors to achieve remote code execution.

Tracked as CVE-2022-26134, the issue is similar to CVE-2021-26084 – another security flaw that the Australian software company patched in August 2021.

Both relate to a case of Object-Graph Navigation Language (OGNL) injection that can be exploited to achieve arbitrary code execution on a Confluence Server or Data Center instance.

The newly discovered flaw affects all supported versions of Confluence Server and Data Center, with any version after 1.3.0 also affected. It has been fixed in the following versions –

7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1
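As an added example (not Atlassian's or the article's own code), the following Python check maps a reported Confluence version string onto the fixed releases listed above and tells an administrator which branch-appropriate upgrade closes the gap. It assumes that releases newer than 7.18.1 are fixed, and the host names in the sample inventory are constructed placeholders.

```python
# Triage a Confluence inventory against the CVE-2022-26134 fixed releases.
# Added example, not Atlassian's code; assumes releases newer than 7.18.1 are fixed.
from __future__ import annotations

# Fixed releases named in the advisory, keyed by (major, minor) release branch.
FIXED_BRANCHES = {
    (7, 4): (7, 4, 17),
    (7, 13): (7, 13, 7),
    (7, 14): (7, 14, 3),
    (7, 15): (7, 15, 2),
    (7, 16): (7, 16, 4),
    (7, 17): (7, 17, 4),
    (7, 18): (7, 18, 1),
}
LATEST_FIX = max(FIXED_BRANCHES.values())  # (7, 18, 1)


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '7.13.7', '7.13' or '7.18.0-rc1' into a comparable (major, minor, patch)."""
    parts = text.strip().split("-", 1)[0].split(".")[:3]
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def assess(text: str) -> str:
    """Return 'fixed' or a 'vulnerable: ...' verdict naming the upgrade that closes it."""
    version = parse_version(text)
    if version >= LATEST_FIX:  # 7.18.1 and (by assumption) anything newer
        return "fixed"
    fix = FIXED_BRANCHES.get(version[:2])
    if fix is None:  # e.g. 7.5.x to 7.12.x, or 6.x: no in-branch fix was released
        return "vulnerable: no fixed release in this branch, upgrade to 7.18.1 or later"
    if version >= fix:
        return "fixed"
    return "vulnerable: upgrade to %d.%d.%d" % fix


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map host -> verdict for an inventory of host -> reported version string."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; the host names are placeholders, not real systems.
    sample = {"wiki-a.example": "7.13.6", "wiki-b.example": "7.18.1",
              "wiki-c.example": "7.12.5", "wiki-d.example": "7.4.17"}
    for host, verdict in triage(sample).items():
        print(f"{host:16} {sample[host]:8} {verdict}")
```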

According to statistics from the Internet asset discovery platform Censys, there are approximately 9,325 services on 8,347 different hosts running a vulnerable version of Atlassian Confluence, with most of them located in the U.S., China, Germany, Russia and France.

Evidence of active exploitation of the flaw, likely by attackers of Chinese origin, came to light after cybersecurity firm Volexity discovered it over the Memorial Day weekend in the U.S. during an incident response investigation.

“The target industries/branches are quite widespread,” Steven Adair, founder and president of Volexity, said in a series of tweets. “This is a free-for-all where the exploitation seems to be coordinated.”

“Obviously, multiple threat groups and individual actors have the exploit and have used it in different ways. Some are quite shoddy and others are a bit more stealthy.”

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), besides adding the zero-day bug to its Known Exploited Vulnerabilities Catalog, has also urged federal agencies to immediately block all Internet traffic to and from the affected products and either apply the patches or remove the affected products by June 6, 2022, 5:00 p.m. ET.