Imperva Customers are protected from Atlassian Confluence CVE-2022-26134

This is an evolving storyline.
Last update: June 4, 2022.

On June 2, 2022, Atlassian published a security advisory for a vulnerability affecting versions of Confluence Server and Data Center later than 1.3.0. The advisory describes a critical-severity unauthenticated remote code execution vulnerability, identified as CVE-2022-26134. This Object-Graph Navigation Language (OGNL) injection allows an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance.

Atlassian has released a patch for CVE-2022-26134 and is recommending that all Confluence customers deploy this patch immediately to bring them up to the latest long-term version available. To track the latest information on this vulnerability, Confluence customers are advised to follow this Jira issue.

Imperva Cloud Web Application Firewall, WAF Gateway, and Runtime Protection (RASP) customers are fully protected from CVE-2022-26134 without requiring security rule changes. This protection was validated by the Imperva product team and Imperva Threat Research. 

For Confluence users who haven’t updated their software or cannot update to a long-term supported version at this time, Imperva offers a free trial of Cloud WAF that can be quickly deployed to protect vulnerable versions of Confluence.  

Imperva Threat Research Analysis of CVE-2022-26134
Since the disclosure, Imperva Threat Research monitored widespread scanning and attempted exploitation of this vulnerability. The uptick can be seen from our analysis below on the number of Java runtime injection attacks over the last 24 hours. 

What Imperva Threat Research has observed:

  • 680K attack attempts since June 3rd with attack sources coming from nearly 4k unique IPs. The largest percentage of targets are located in Chile.
  • Payload analysis shows that most of the attacks are scanning attempts to find vulnerable servers. We have identified two scanning approaches:
    • Invoking Java runtime exec function to run the command line program nslookup that calls an external server (owned by the attacker)
    • Invoking Confluence GeneralUtil setCookie function to set a unique cookie name and value
  • Imperva saw attempts to deploy a malicious script that operates in two stages:
    • Gains persistence through the modification of the infected server crontab
    • Downloads an executable file, runs it, and deletes the file from the file system. The malicious file’s goal is to infect the victim server with the Mirai botnet.
  • Imperva Threat Research is seeing many attempts to exfiltrate sensitive data (e.g., dump of /etc/passwd file)
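
For teams triaging their own Confluence access logs against the behaviours listed above, the following is an added example (not Imperva's detection logic or code from the original post). It assumes combined-format access logs in which the injected expression is visible in the request line; the token sets, the helper names and the sample log lines are all constructed for illustration, and the sample requests are non-functional placeholders.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Categories mirror the behaviours listed in the post. The token sets are
# assumptions chosen for this example; short tokens such as "exec" can match
# benign requests, so treat hits as leads for review, not verdicts.
INDICATORS = {
    "scan_nslookup_callback": ("exec", "nslookup"),
    "scan_setcookie": ("generalutil", "setcookie"),
    "persistence_crontab": ("crontab",),
    "exfil_passwd": ("/etc/passwd",),
}

# Combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<uri>\S+) [^"]*" (?P<status>\d{3})')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded requests are not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.lower()

def classify(line):
    """Return (source_ip, [matched categories]) or None for a log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    uri = fully_decode(m["uri"])
    hits = [name for name, tokens in INDICATORS.items() if all(t in uri for t in tokens)]
    return (m["ip"], hits) if hits else None

def summarize(lines):
    """Count hits per category and collect the distinct source IPs."""
    per_category, sources = Counter(), set()
    for line in lines:
        result = classify(line)
        if result:
            sources.add(result[0])
            per_category.update(result[1])
    return per_category, sources

# Constructed sample lines (documentation IP ranges, placeholder requests).
SAMPLE = [
    '192.0.2.10 - - [03/Jun/2022:10:00:01 +0000] "GET /PLACEHOLDER%2Eexec%28nslookup%20callback.example%29/ HTTP/1.1" 302 0',
    '198.51.100.7 - - [03/Jun/2022:10:00:05 +0000] "GET /PLACEHOLDER.GeneralUtil.setCookie%28name%2Cvalue%29/ HTTP/1.1" 302 0',
    '192.0.2.10 - - [03/Jun/2022:10:01:12 +0000] "GET /PLACEHOLDER%252Fetc%252Fpasswd HTTP/1.1" 302 0',
    '203.0.113.5 - - [03/Jun/2022:10:02:00 +0000] "GET /login.action HTTP/1.1" 200 512',
]
```

Matching source IPs are a starting point for checking the same hosts for crontab changes and unexpected outbound DNS lookups from the Confluence process.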

Try Imperva for Free
Protect your business from vulnerabilities like CVE-2022-26134 and others for free for 30 days. Click here to start your free trial today. 


*** This is a Security Bloggers Network syndicated blog from Blog authored by Nadav Avital. Read the original post at: https://www.imperva.com/blog/imperva-customers-protected-from-atlassian-confluence-cve-cve-2022-26134/
