Alert - Active exploitation of Atlassian Confluence - update 1

Number: AL22-008
Date: 3 June 2022
Updated: 3 June 2022

Audience

This Alert is intended for IT professionals and managers of notified organizations.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Overview

The Cyber Centre is aware of reported exploitation of a remote code execution vulnerability (CVE-2022-26134) in Confluence Server and Confluence Data Center products Footnote 1. Patches or mitigation recommendations for the vulnerability have not yet been released. Atlassian has reported that Atlassian Cloud instances are unaffected.

Details

On 02 June 2022 Atlassian released Security Advisory 2022-06-02 which outlines a recently discovered vulnerability impacting Confluence Server and Data products Footnote 1. CVE-2022-26134 is a critical vulnerability which may result in unauthenticated remote code execution. Atlassian has indicated that all supported versions are affected. The earliest version has yet to be confirmed, but it is likely that all versions are impacted.

While there has been no indication of a proof of concept, cyber security firm Veloxity, who originally reported the malicious activity, has observed malicious actors actively exploiting Confluence instances resulting in the deployment of webshells, reconnaissance and data exfiltration Footnote 2.

Update 1

Atlassian has updated affected versions to include all versions after 1.3.0. In addition, fixed versions have been released by Atlassian.

Recommended actions

The Cyber Centre encourages organizations with impacted Confluence Server and Confluence Data Center products to:

  • Update 1: Upgrade to the fixed versions indicated by Atlassian as soon as possible Footnote 1
  • If upgrading cannot be immediately performed,
    • Restrict Confluence Server and Data Center instances from the internet, or
    • Disable Confluence Server and Data Center instances.

Volexity has released indicators of compromise (IOCs) for network defenders to review for signs of exploitation. If a system has been identified as affected, it is strongly recommended that it be disconnected from any networks and to start a thorough review of associated network systems for compromise. The Cyber Center also recommends impacted organizations follow the mitigation strategies outlined in AR20-245A, a joint cybersecurity advisory which outlines Technical Approaches to Uncovering and Remediating Malicious Activity Footnote 3.

The Cyber Centre has not verified the technical details described in this disclosure and is providing this information as is for situational awareness and potential action. It is important that organizations verify the potential impact on business services and network environments before implementing any of the above recommended actions.

Should activity matching the content of this Alert be discovered, recipients are encouraged to report via the My Cyber Portal, contact the Cyber Centre by email (contact@cyber.gc.ca), or by telephone (1-833-CYBER-88 or 1-833-292-3788).

Report a problem on this page

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Please select all that apply:

Thank you for your help!

You will not receive a reply. For enquiries, please contact us.

Date modified: