Background
The vulnerability allows unauthenticated remote code execution (RCE). Exploitation occurs by sending an HTTP request with an attack payload to a vulnerable instance of Confluence, whereby an attacker can gain complete control over the server. The attacker can quickly gain access to other parts of the network or begin exfiltrating data.
Cybersecurity firm Volexity discovered the vulnerability and publicly disclosed it in a blog on June 2nd. One of their client’s servers had been compromised and traced back to Confluence. Volexity confirmed it was a previously unknown vulnerability and reported it to Atlassian. A vulnerability exploited "in the wild" before it is known to the developer is classified as a zero-day.
Multiple firms, including Cloudflare, Rapid7, and GreyNoise, have also confirmed seeing attacks in the wild. Due to the trivial nature of exploiting this vulnerability and active evidence of ongoing attacks, any affected instances of Confluence still online are open to compromise.
Atlassian issued a patch late on Friday, June 3rd, for all affected versions of Confluence. Installation of this patch should be immediate to protect against active attacks. However, attackers don’t give up once a patch is available. It’s common to see attacks increase as bad actors test if the patch is effective and try to catch organizations that are slow to implement the patch.
Cybersecurity company GreyNoise reports the number of attacks is increasing rapidly. By the close of business on June 3rd, when the patch was released, reportedly, only 23 unique IP addresses attempted to exploit this vulnerability. On Monday, June 6th, that number was over 800, with the most significant increase in the last 24 hours suggesting we have not reached the attack's peak.
Cloudflare analyzed their network and found the earliest evidence of an attack on May 26th, two days before Volexity’s client and an entire week before the patch was available.
What to Do if Your Organization is Affected and How to Protect it Moving Forward
First, confirm you’re affected. The popular cloud version of Confluence, accessed through Atlassian.net, was never vulnerable. If your organization uses Atlassian Cloud, there is no impact and no action to take.
If your organization runs Confluence Server or Confluence Data Center, both of which are self-hosted on your servers or those of a service provider, patch now.
Because this vulnerability was actively exploited before there was an available patch, bad actors may have already attacked your servers. All organizations should be cautious and consider the possibility that they were already compromised. Both Cloudflare and Volexity’s original blog share methods to look for evidence of exploitation in your logs.
To learn more about protecting your organization against these types of attacks and uncover vulnerabilities before the bad actors do—especially the severe and critical ones—and to minimize cyber risk at your organization, contact us. HackerOne’s Attack Resistance Management Platform and global community of ethical hackers can help defend your entire ever-growing attack surface and protect your organization’s assets.
