Details of the vulnerability
Atlassian Confluence is a collaborative documentation tool. On June 2, 2022, details of the vulnerability now tracked as CVE-2022-26134 were publicly released. Malicious actors picked it up almost immediately, and over the following weekend the vulnerability was used in attacks by various threat actors.
The vulnerability allows unauthenticated, remote attackers to create new administrative accounts, execute privileged commands, and in turn seize control of the server.
Public exploits built with different methodologies have been observed constructing reverse shells, forcing outbound DNS requests (a common out-of-band way to confirm execution), gathering data, and creating new administrative accounts.
A threat actor places the malicious payload, an OGNL expression, in the URI path of an HTTP request. Most of the proofs of concept (PoCs) circulating so far use the GET method; however, any request method has the same effect, even an invalid one, so detection must not key on the method.
CVSS: 9.8 | Critical | Awaiting analysis
Attack detection and protection
The fix for this vulnerability is to patch Confluence. Atlassian provides detailed recommendations on this.
Barracuda's existing os-command-injection and other command-injection signature patterns are blocking the exploit attempts currently seen in the wild. Atlassian initially published a base pattern that Barracuda Web Application Firewall customers can apply manually as a custom rule. Although Atlassian no longer recommends the WAF rule, it can still be a safe and effective mitigation if you cannot apply the update.
Our application security team is rolling out a new signature that automates the manual step described above. Because the pattern is generic, the signature will not be applied automatically in active (blocking) mode; any customer protecting Atlassian Confluence can enable it for that application, and Barracuda support is available to help with the change.
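To make the detection point concrete (payload in the URI path, any request method, possibly percent-encoded), here is an added example that is not Barracuda's signature and not code from the original post. It scans constructed Common Log Format access-log lines for the `${` delimiter that public CVE-2022-26134 PoCs carry in the URI path (the same sequence Atlassian's interim WAF advice targeted), after repeatedly percent-decoding the URI, and deliberately ignores the HTTP method. The log lines are constructed, and the OGNL fragments in them are inert placeholders, not working payloads.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed Common Log Format lines (not real traffic). The OGNL fragments
# only carry the "${" delimiter; they are placeholders, not payloads.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Jun/2022:10:01:12 +0000] "GET /${(#x=1)}/ HTTP/1.1" 302 0
203.0.113.6 - - [03/Jun/2022:10:01:14 +0000] "POST /%24%7B%28%23x%3D1%29%7D/ HTTP/1.1" 302 0
203.0.113.7 - - [03/Jun/2022:10:01:15 +0000] "FOO /%2524%257B1%257D/ HTTP/1.1" 302 0
198.51.100.9 - - [03/Jun/2022:10:02:00 +0000] "GET /display/FIN/Q2+Budget+%24 HTTP/1.1" 200 4821
198.51.100.10 - - [03/Jun/2022:10:02:03 +0000] "GET /rest/api/content?expand=body.storage HTTP/1.1" 200 911
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# The OGNL expression delimiter that public PoCs place in the URI path.
OGNL_MARKER = re.compile(r"\$\{")


def normalize_uri(uri: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so single- and double-encoded '${' become visible.

    Rounds are capped so a hostile URI cannot keep the scanner decoding forever.
    """
    current = uri
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def is_suspicious(uri: str) -> bool:
    """True if the decoded URI carries the '${' delimiter anywhere."""
    return OGNL_MARKER.search(normalize_uri(uri)) is not None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one record per request whose URI looks like an OGNL injection attempt.

    The HTTP method is recorded but never used as a filter: the exploit works
    with GET, POST or an invalid verb alike, so filtering on it would miss hits.
    """
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production scanner should count these
        if is_suspicious(m["uri"]):
            hits.append({
                "client": m["client"],
                "method": m["method"],
                "uri": m["uri"],
                "decoded": normalize_uri(m["uri"]),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["client"]} {hit["method"]} {hit["decoded"]}')
```

Run against the sample, the scanner flags the GET, POST and invalid-verb requests and leaves the two legitimate Confluence URLs alone, including the one containing a lone encoded `$`. The match is intentionally as generic as the pattern Atlassian suggested, which is exactly why a rule like this belongs in monitoring first and in blocking mode only after you have checked what `${` looks like in your own traffic.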
To learn more about the new signatures and settings required for this mitigation, please review this campus document.
For any assistance with these settings or questions regarding the attack patterns, contact Barracuda Networks Technical Support.
Vishal Khandelwal is Principal Software Engineer at Barracuda, where he works on threat analysis, creating integrated solutions for the company’s application security products. He is a member of the Barracuda Application Security product portfolio’s Product Management team.