TechEcho

A tech news platform built with Next.js, providing global tech news and discussions.

© 2025 TechEcho. All rights reserved.
Zero-Day Exploitation of Atlassian Confluence

347 points by afrcnc almost 3 years ago

17 comments

richbell almost 3 years ago
Both Atlassian and CISA are recommending either disconnecting servers from the internet or shutting them off entirely. I don't like the sound of this.

https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
https://twitter.com/USCERT_gov/status/1532511428451631108?t=LcNUFm3cOUbYM6en-0eC_Q&s=19
eastdakota almost 3 years ago
We've applied protection for all Cloudflare customers, including those on our free plan: https://blog.cloudflare.com/cloudflare-customers-are-protected-from-the-atlassian-confluence-cve-2022-26134/
yabones almost 3 years ago
This is a great case for why proxy pre-auth is so important. Doesn't matter how buggy and riddled with worms your app server is if nobody can get to it without a valid token. Sure, it introduces plenty of other problems, but it does really help with this. At the end of the day, you shouldn't be able to execute *anything* until you're authenticated.
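The pre-auth gate yabones describes, as an added example that is not part of the thread and not Atlassian's, Cloudflare's or any proxy vendor's code. The proxy verifies a signed, unexpired token before it forwards anything, and it does not parse the request path or body until that check has passed. The header name `X-Proxy-Auth`, the token layout (base64 payload, dot, base64 HMAC-SHA256) and the key are assumptions made for the example.

```python
"""Added example: a pre-authentication gate in front of an app server.

Every request must carry a signed, unexpired token before the proxy forwards
anything; unauthenticated requests are rejected without the path or body ever
being parsed. The token format, header name and key are assumptions made for
this example; this is not Atlassian's, Cloudflare's or any proxy vendor's code.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Assumption: the proxy holds a secret that the application server never sees.
PROXY_KEY = b"example-proxy-key-rotate-me"
TOKEN_HEADER = "X-Proxy-Auth"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Mint base64(payload).base64(HMAC-SHA256(PROXY_KEY, payload))."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "exp": int(now) + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(PROXY_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the subject if the token is well-formed, correctly signed and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(PROXY_KEY, payload, hashlib.sha256).digest()
    # Constant-time compare: the signature is checked before any claim is
    # trusted, and the comparison must not leak how many bytes matched.
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        return None
    if claims["exp"] <= now:
        return None
    return claims.get("sub")


def gate(path: str, headers: Dict[str, str], now: Optional[float] = None) -> Tuple[int, str]:
    """Proxy decision for one request: (HTTP status, action).

    The path is deliberately not inspected before the token check: an
    unauthenticated request never reaches any code that parses it.
    """
    subject = verify_token(headers.get(TOKEN_HEADER, ""), now)
    if subject is None:
        return 401, "deny"
    return 200, "forward as " + subject


if __name__ == "__main__":
    token = issue_token("alice", ttl_seconds=600)
    print(gate("/pages/viewpage.action", {}))                        # (401, 'deny')
    print(gate("/pages/viewpage.action", {TOKEN_HEADER: token}))     # (200, 'forward as alice')
```

The order inside `gate` is the point of the pattern: the only code that touches an unauthenticated request is the signature check, so a parsing bug in the application behind the proxy is unreachable without a valid token.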
AdrianLudwig almost 3 years ago
A quick update -- we've just notified Confluence Server and Data Center customers that we expect security fixes for supported versions of Confluence will begin to be available for customer download within 24 hours.

We will continue to update our advisory (https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html) at least every 24 hours as additional details become available - including a download link to the software updates as soon as they are available.
tyingq almost 3 years ago
From: https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html

"If you are unable to take the above actions implementing a WAF (Web Application Firewall) rule which blocks URLs containing ${ may reduce your risk."

Smells like log4j issues?

Edit: Ah, template injection, see below.
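The advisory's interim mitigation quoted above, "block URLs containing ${", written out as a request filter. This is an added example, not part of the thread and not Atlassian's or any WAF vendor's rule. It shows the caveat a practitioner needs when turning that sentence into a rule: the match has to run on the percent-decoded path, otherwise `%24%7B` (and the double-encoded `%2524%257B`) pass a literal substring match untouched. The log lines are constructed for the example, use `${expr}` as a stand-in rather than any real payload, and the decode-round limit is an assumption.

```python
"""Added example: the advisory's interim mitigation ("block URLs containing ${")
written as a request filter, with the caveat a WAF rule needs in practice: match
on the percent-decoded path, or `%24%7B` and the double-encoded `%2524%257B`
sail past a literal match. Not Atlassian's or any WAF vendor's rule; the log
lines are constructed for this example and contain no real payload.
"""
from typing import List, Tuple
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # assumption: enough for double encoding, bounded for safety

# Constructed sample of access-log lines: "<client> <method> <path> <status>".
SAMPLE_LOG = [
    "203.0.113.5 GET /wiki/pages/viewpage.action?pageId=1 200",
    "203.0.113.9 GET /${expr}/ 302",
    "203.0.113.9 GET /%24%7Bexpr%7D/ 302",
    "203.0.113.9 GET /%2524%257Bexpr%257D/ 302",
    "198.51.100.7 GET /download/attachments/1/%24price.txt 200",
]


def naive_match(path: str) -> bool:
    """The rule as literally worded: a substring match on the raw path."""
    return "${" in path


def normalise(path: str) -> str:
    """Percent-decode until the string stops changing, up to MAX_DECODE_ROUNDS."""
    current = path
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def looks_like_template_injection(path: str) -> bool:
    """The same rule applied after decoding, which is what a WAF actually needs."""
    return "${" in normalise(path)


def classify(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (decision, path) per log line using the decoded-path check."""
    out = []
    for line in lines:
        fields = line.split()
        path = fields[2]
        out.append(("block" if looks_like_template_injection(path) else "allow", path))
    return out


if __name__ == "__main__":
    for decision, path in classify(SAMPLE_LOG):
        print(f"{decision:5} raw-match={naive_match(path)!s:5} {path}")
```

Running it shows the two encoded variants blocked only by the decoded check, and the `%24price.txt` attachment name left alone because a lone `$` is not the `${` opener. The advisory itself says such a rule "may reduce your risk"; it is a stopgap for hosts that cannot yet be taken offline or patched, not a fix.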
dijit almost 3 years ago
Part of me believes that the lack of workaround or patch and the vagueness of the warning, coupled with their cloud product being safe is a very happy accident.

Given how much they're pushing the hosted offering.
albert_e almost 3 years ago
> Atlassian Cloud sites are protected

> If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable. Our investigations have not found any evidence of exploitation of Atlassian Cloud

Must be a relief for Atlassian after the recent long outage that only impacted cloud instances.
photon-torpedo almost 3 years ago
Great timing. Here in the UK it's a four-day weekend. Can imagine that many affected will see this too late...
bombcar almost 3 years ago
https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html is updated with a workaround that you can apply manually now.
brtkdotse almost 3 years ago
Sidetrack, what's a good collaborative wiki? I've tried a bunch but always found Confluence much more polished than other offerings.
AdrianLudwig almost 3 years ago
The security advisory has been updated with new information regarding a fix for Confluence Data Center and Server products. Please see the advisory for more information and updated instructions.

https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
mkleczek almost 3 years ago
Not long after log4shell yet another example of why JEP 411 (removal of SecurityManager) is a very questionable decision.

Running applications under SecurityManager would have prevented a lot of these vulnerabilities (or rather - their severity would be much lower).
smokey_circles almost 3 years ago
1) why would you not use a vpn or other gateway between confluence server and the internet?

2) presumably for the same reason they ran confluence as root: no idea what they're doing (forgivable) or lazy (unforgivable)
0daystock almost 3 years ago
Awesome. Maybe finally mailbox.org (and lots of other providers) will apprehend that using the same password for Jira helpdesk and my email inbox is a terrible idea. Then again, what privacy can one really expect from email anyway?
killjoywashere almost 3 years ago
This lands the day after di2e.net shutters their IL-2 instance? Coincidence?
DeathArrow almost 3 years ago
TLDR. But can I delete the tasks from the damn thing without logging?
ninjin-carh almost 3 years ago
I haven't seen why exploits have been released but this doesn't feel like responsible disclosure to me https://en.m.wikipedia.org/wiki/Coordinated_vulnerability_disclosure