FortiGuard Labs is aware of a new vulnerability in Confluence Server and Data Center (CVE-2022-26134) which was reportedly exploited as a zero-day in the wild. Rated critical, successful exploitation of the vulnerability allows an unauthenticated remote attacker to execute arbitrary code on the compromised server. The vulnerability affects all supported versions of unpatched Confluence Server and Data Center.Why is this Significant?This is significant because Confluence Server and Data Center (CVE-2022-26134) was reportedly exploited as a 0-day in the wild. The vulnerability is an OGNL injection vulnerability that allows an unauthenticated remote attacker to execute arbitrary code on the compromised server.Confluence is a widely-used team workspace and collaboration tool developed by Atlassian. It is used to help teams collaborate and share knowledge via a content management system and is used by many large scale enterprise and organizations worldwide. This vulnerability does not have a CVSS score at the moment, but the ease of exploitation via an unauthenticated session and combined with remote code execution is a cause for concern.What versions of Confluence Server and Data Center are Affected by CVE-2022-26134?The advisory released by Atlassian states that the following versions are affected:All supported versions of Confluence Server and Data CenterConfluence Server and Data Center versions after 1.3.0What Malware was Deployed to the Compromised Server?It was reported that China Chopper has been deployed on to compromised servers. China Chopper is a tiny webshell that provides a remote attacker backdoor access to a compromised system.Has the Vendor Released an Advisory for CVE-2022-26134?Yes. See the Appendix for a link to “Confluence Security Advisory 2022-06-02”.Has the Vendor Released a Patch?Yes, Atlassian has released a patch on June 3rd, 2022.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against the China Chopper webshell that was reportedly deployed on known compromised Confluence servers:Java/Websh.D!trAll known network IOC’s associated with attacks leveraging CVE-2022-26134 are blocked by the FortiGuard WebFiltering Client.FortiGuard Labs is currently investigating for additional coverage against CVE-2022-26134. This Threat Signal will be updated when additional information becomes available.Any Suggested Mitigation?The advisory includes mitigation information. See the Appendix for a link to “Confluence Security Advisory 2022-06-02”.
More Stories
openjpeg2-2.5.3-1.fc40
FEDORA-2024-272544ceb9 Packages in this update: openjpeg2-2.5.3-1.fc40 Update description: Update to openjpeg-2.5.3 Fix 2 heap-buffer-overflow Read More
libxml2-2.12.9-1.fc40
FEDORA-2024-9f3765a04b Packages in this update: libxml2-2.12.9-1.fc40 Update description: Update to 2.12.9 Fixes CVE-2024-40896 Read More
libxml2-2.12.9-1.fc41
FEDORA-2024-867a14de12 Packages in this update: libxml2-2.12.9-1.fc41 Update description: Update to 2.12.9 Fixes CVE-2024-40896. Read More
iwd-3.3-1.fc40 libell-0.71-1.fc40
FEDORA-2024-0fa283c43a Packages in this update: iwd-3.3-1.fc40 libell-0.71-1.fc40 Update description: iwd 3.3: Fix issue with handling External Authentication. iwd 3.2: Fix...
iwd-3.3-1.fc41 libell-0.71-1.fc41
FEDORA-2024-256818da09 Packages in this update: iwd-3.3-1.fc41 libell-0.71-1.fc41 Update description: iwd 3.3: Fix issue with handling External Authentication. iwd 3.2: Fix...
A Vulnerability in Apache Struts2 Could Allow for Remote Code Execution
A vulnerability has been discovered in Apache Struts2, which could allow for remote code execution. Apache Struts2 is an open-source...