A zero-day vulnerability has become known in Confluence, the commercial wiki software from the Australian company Atlassian. It is reported to be already under active exploitation.
Discovery of the vulnerability
The vulnerability was discovered by a security company at the end of May, which found attackers using it to install a web shell on customers' servers. According to the report, several groups from China have exploited the zero-day. All current versions of Confluence are said to be affected.
On June 3, Atlassian published recommended actions for users on its Confluence support website.
An update that fixes the vulnerability has since been provided by Atlassian. We have already successfully upgraded customer installations to the latest version, 7.18.1.
Update: We recommend that all affected installations that were reachable from the Internet be searched intensively for web shells and other traces of attack (e.g. in log files and configuration files). The exception is if you were running a container solution such as Docker, disposed of the old container during the upgrade and carried over only the data, which is how we solved it.
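A practical starting point for the search described above is to look at the two artefacts a dropped web shell leaves behind: a new JSP file inside the Confluence web application, and access-log requests that invoke it. The script below is an added example, not code from the original post or from Atlassian. It assumes a Tomcat-style access log (`%h %l %u %t "%r" %s %b`; adjust `LOG_RE` to what your access-log valve actually writes), a baseline set of JSP paths taken from a pristine copy of the same Confluence version, and the install timestamp as a cut-off for modification times. The sample log lines and baseline are constructed for illustration.

```python
#!/usr/bin/env python3
"""Web-shell triage helpers for a self-hosted Confluence server.

Two checks to run after an Internet-exposed instance has been patched:
  1. JSP/JSPX files in the web application that are not part of the pristine
     install or were modified after it (a dropped shell is usually a new .jsp).
  2. Successful access-log requests to JSP paths outside the stock application,
     which is how an attacker invokes the shell once it has been dropped.
"""
import os
import re
import sys
from datetime import datetime

# ASSUMPTION: Tomcat-style access log, e.g.
#   203.0.113.7 - - [03/Jun/2022:10:15:09 +0000] "POST /x.jsp HTTP/1.1" 200 512
# Adapt LOG_RE if your Confluence writes a different access-log pattern.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
JSP_EXT = (".jsp", ".jspx")


def parse_access_line(line):
    """Return ip/ts/method/path/status for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def suspicious_requests(lines, known_jsp):
    """Successful (200) requests to JSP paths that are not in the known baseline.

    `known_jsp` holds the URL paths to JSPs the stock install serves.
    A 404 is ignored: it shows someone probing, but no shell exists at that path.
    """
    hits = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        path = rec["path"].lower()
        if path.endswith(JSP_EXT) and rec["path"] not in known_jsp and rec["status"] == 200:
            hits.append(rec)
    return hits


def unexpected_jsp_files(files, baseline, installed_at):
    """Flag (relative_path, mtime_epoch) pairs that are JSPs and either absent
    from `baseline` (if one is given) or modified after `installed_at`."""
    flagged = []
    for rel, mtime in files:
        if not rel.lower().endswith(JSP_EXT):
            continue
        if (baseline and rel not in baseline) or mtime > installed_at:
            flagged.append(rel)
    return sorted(flagged)


def list_jsp_files(root):
    """Walk the install directory and return (relative_path, mtime) for every JSP."""
    out = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(JSP_EXT):
                full = os.path.join(dirpath, name)
                out.append((os.path.relpath(full, root), os.stat(full).st_mtime))
    return out


# Constructed sample data, not from a real incident.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Jun/2022:10:15:02 +0000] "GET /login.action HTTP/1.1" 200 8211',
    '203.0.113.7 - - [03/Jun/2022:10:15:09 +0000] "POST /confluence/backup.jsp?cmd=id HTTP/1.1" 200 512',
    '198.51.100.4 - - [03/Jun/2022:10:16:40 +0000] "GET /pages/viewpage.action?pageId=1 HTTP/1.1" 200 20311',
    '203.0.113.7 - - [03/Jun/2022:10:17:01 +0000] "GET /notthere.jsp HTTP/1.1" 404 0',
    'garbage line that does not parse',
]
# ASSUMPTION: placeholder baseline; build the real one from a pristine install.
KNOWN_JSP_PATHS = {"/login.jsp", "/template/custom/content-editor.jsp"}


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG, KNOWN_JSP_PATHS):
        print(f"[{hit['ts']}] {hit['ip']} {hit['method']} {hit['path']} -> {hit['status']}")
    # Usage: python3 hunt.py /opt/atlassian/confluence 2022-06-03
    if len(sys.argv) == 3:
        since = datetime.strptime(sys.argv[2], "%Y-%m-%d").timestamp()
        for rel in unexpected_jsp_files(list_jsp_files(sys.argv[1]), set(), since):
            print("JSP modified after cut-off:", rel)
```

Run it against the real access logs (`logs/conf_access_log.*`) and the Confluence install directory, not the application-data home; a shell that is invoked via a parameter rather than a distinct path will not show up in the first check, which is why the file-system check with a baseline from a pristine copy is the more reliable of the two.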
Code quality and security are declining at Atlassian
Atlassian already experienced a prolonged outage in April. Its cloud services were affected, so that tools such as Jira and Confluence were unavailable for up to 14 days in some cases. The root cause was merely a faulty script: it accepted IDs of apps or sites and deleted them without any further confirmation. Because this error was only detected later, what began as a short incident turned into a longer-term outage. About 775 customers were affected by the faulty script. According to Atlassian, it wants to learn from these mistakes.
What can those affected do?
As long as there is no official fix from the vendor for a zero-day vulnerability like this, administrators are urged either to restrict access to the Confluence server severely or to shut it down completely. We had already become aware of the vulnerability on Friday through a subscription to Atlassian's security newsletter and were able to shut down customer instances through good alert chains.
Fundamentally, an application that must be reachable from the Internet in order to function is more exposed to information security problems than one that is not. Companies with a high protection requirement in particular are better served by a self-hosted system on the intranet than by Internet-facing solutions.
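One way to "severely restrict access" without taking the instance fully offline is to keep the Confluence server behind a reverse proxy that admits only internal address ranges. The fragment below is an added example for nginx, not a configuration from the original post or from Atlassian; the hostname, certificate paths, the internal ranges 10.0.0.0/8 and 192.168.0.0/16, and the Confluence backend on 127.0.0.1:8090 are placeholder assumptions to adapt. The two `server` blocks are alternatives: the first is the exposed state, the second the restricted one.

```nginx
# Exposed: any Internet client can reach Confluence through the proxy.
server {
    listen 443 ssl;
    server_name wiki.example.com;                    # ASSUMPTION: placeholder hostname
    ssl_certificate     /etc/ssl/wiki.crt;           # ASSUMPTION: placeholder paths
    ssl_certificate_key /etc/ssl/wiki.key;
    location / {
        proxy_pass http://127.0.0.1:8090;            # ASSUMPTION: Confluence on its default Tomcat port
        proxy_set_header Host $host;
    }
}

# Restricted: only intranet and VPN ranges are admitted; every other client
# receives 403 before a single request reaches Confluence.
server {
    listen 443 ssl;
    server_name wiki.example.com;
    ssl_certificate     /etc/ssl/wiki.crt;
    ssl_certificate_key /etc/ssl/wiki.key;
    allow 10.0.0.0/8;                                # ASSUMPTION: internal LAN
    allow 192.168.0.0/16;                            # ASSUMPTION: VPN client pool
    deny  all;
    location / {
        proxy_pass http://127.0.0.1:8090;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

The allow-list only helps if the proxy is the sole way in: the Tomcat port itself must be bound to localhost or blocked by the host firewall, otherwise a client that finds port 8090 simply bypasses nginx. Reload with `nginx -t && nginx -s reload`, then confirm from an external address that the response is 403 rather than the Confluence login page.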
Warnings about the vulnerability
Warnings about the vulnerability are also circulating in the United States. The Cybersecurity and Infrastructure Security Agency (CISA) directed all federal agencies to block Internet traffic to their Confluence servers.
Does your company need expert support in the area of data security and data protection? Our team of experts will be happy to assist you!