FortiGuard Labs is aware of a new vulnerability in Confluence Server and Data Center (CVE-2022-26134) which was reportedly exploited as a zero-day in the wild. Rated critical, successful exploitation of the vulnerability allows an unauthenticated remote attacker to execute arbitrary code on the compromised server. The vulnerability affects all supported versions of unpatched Confluence Server and Data Center.Why is this Significant?This is significant because Confluence Server and Data Center (CVE-2022-26134) was reportedly exploited as a 0-day in the wild. The vulnerability is an OGNL injection vulnerability that allows an unauthenticated remote attacker to execute arbitrary code on the compromised server.Confluence is a widely-used team workspace and collaboration tool developed by Atlassian. It is used to help teams collaborate and share knowledge via a content management system and is used by many large scale enterprise and organizations worldwide. This vulnerability does not have a CVSS score at the moment, but the ease of exploitation via an unauthenticated session and combined with remote code execution is a cause for concern.What versions of Confluence Server and Data Center are Affected by CVE-2022-26134?The advisory released by Atlassian states that the following versions are affected:All supported versions of Confluence Server and Data CenterConfluence Server and Data Center versions after 1.3.0What Malware was Deployed to the Compromised Server?It was reported that China Chopper has been deployed on to compromised servers. China Chopper is a tiny webshell that provides a remote attacker backdoor access to a compromised system.Has the Vendor Released an Advisory for CVE-2022-26134?Yes. See the Appendix for a link to “Confluence Security Advisory 2022-06-02”.Has the Vendor Released a Patch?Yes, Atlassian has released a patch on June 3rd, 2022.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against the China Chopper webshell that was reportedly deployed on known compromised Confluence servers:Java/Websh.D!trAll known network IOC’s associated with attacks leveraging CVE-2022-26134 are blocked by the FortiGuard WebFiltering Client.FortiGuard Labs is currently investigating for additional coverage against CVE-2022-26134. This Threat Signal will be updated when additional information becomes available.Any Suggested Mitigation?The advisory includes mitigation information. See the Appendix for a link to “Confluence Security Advisory 2022-06-02”.
[update 2022/05/30] Two CVEs have been assigned to these vulnerabilities.
CVE-2021-36613: Mikrotik RouterOs before stable 6.48.2 suffers from a
memory corruption vulnerability in the ptp process. An authenticated remote
attacker can cause a Denial of Service (NULL pointer dereference).
CVE-2021-36614: Mikrotik RouterOs before stable 6.48.2 suffers from a
memory corruption vulnerability in the tr069-client process. An
authenticated remote…
1. ADVISORY INFORMATION
=======================
Product: Reolink E1 Zoom Camera
Vendor URL: https://reolink.com/product/e1-zoom/
Type: Exposure of Sensitive Information to an Unauthorized Actor [CWE-200]
Date found: 2021-08-26
Date published: 2022-06-01
CVSSv3 Score: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVE: CVE-2021-40150
1. ADVISORY INFORMATION
=======================
Product: Reolink E1 Zoom Camera
Vendor URL: https://reolink.com/product/e1-zoom/
Type: Exposure of Sensitive Information to an Unauthorized Actor [CWE-200]
Date found: 2021-08-26
Date published: 2022-06-01
CVSSv3 Score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVE: CVE-2021-40149
A vulnerability has been discovered in Atlassian Confluence Server and Data Center, which could allow for remote code execution. Confluence is a wiki tool used to help teams collaborate and share knowledge efficiently. Successful exploitation of this vulnerability could allow for remote code execution within the context of the service account used to run the Confluence Server or Data Center service. Depending on the privileges associated with the service account, an attacker could view, change, or delete data. If the service account has been configured to have fewer rights on the system, exploitation of this vulnerability could have less impact than if it was configured with administrative rights.
