On June 2nd, 2022, Atlassian announced a critical zero-day vulnerability caught in its Confluence Server and Data Center. This post will explain everything you need to know, from how to tell if you’re vulnerable to how to patch. Be sure to check back or sign up for updates for the latest on cybersecurity events and risks.

What Is Impacted?

Atlassian Confluence Server or Data Center on premise or self–hosted. Atlassian is a global provider of software development and digital collaboration tools like Jira and Confluence. They are a third-party to hundreds of thousands of customers, and have a market cap of approximately $48 billion- making them one of the largest companies in the world.

What Happened?

According to Volexity, the vulnerability results in full unauthenticated RCE, allowing an attacker to fully take over the target application. An unauthenticated remote code execution called OGNL Injection allows hackers to target internet-exposed servers. Confluence Server and Data Center versions are susceptible to this zero-day flaw that was addressed in a recent security update.

OGNL (Object Graph Navigation Language) Injection occurs when the Expression Language (EL) interpreter attempts to interpret user-supplied data without validation, enabling attackers to inject their own EL code. OGNL was developed to provide developers with an easy way to extract data from an object model like a scripting language. It is similar to a server side template and is used within Java Server Pages since JSP 2.0. The vulnerabilities occur when the interpreter attempts to interpret user-supplied data without validation. This enables attackers to inject their own code.

How Bad Is It?

Atlassian has not reported any breach of customer data. However, the potential for exposure of intellectual property, confidential and customer data is high. Atlassian software is often used to host the Personal Identifiable Information (PII) of customers for product development and support. So far, at least 211 unrecognized IP addresses have been caught exploiting the vulnerability.

Was Panorays Impacted From the Breach?

No. Panorays is using Atlassian Cloud, which was not impacted.

Who Might Be Impacted?

Simply put, tons of organizations use Atlassian technologies for development and collaboration. Any organization using an on-prem or self-hosted version of Confluence Server or Data Center version 1.3.0. or later is at risk, and should follow Panorays’ recommended mitigation steps below.

What You Should Do Right Now

Use a VRM tool like Panorays to identify whether you or your third-party suppliers are using Atlassian. Panorays customers can use the “discover new” function in our app.

Follow Atlassian’s Security Advisory Page and for Panorays customers, our “Cyber News & Data Breaches” tab in the platform for continuous updates. If you do not see Atlassian, you can add it as a supplier.

Find the breach indicators across your third-party vendors with a tool like Panorays’ External Attack Surface Assessment. Panorays performs hundreds of tests, across network & IT, application and human layers, including checking web, email and DNS servers, web applications and employees’ social posture.
Panorays customers can visit the Dashboards and Reports Tab to view our Technology Center. Here Panorays proactively identifies whether your third-parties are using Atlassian technologies.

The identification of Atlassian technologies does not necessarily mean the vendor is using the vulnerable “Confluence Server” or “Data Center”, but should prompt further investigation.

If you are using Atlassian Confluence Server or Data Center, use these proposed mitigations:
Patch the relevant version of Atlassian’s products (7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, 7.18.1 – on all of these versions the vulnerability was fixed). On some self-hosted versions, the update might lead to some downtime.

Consider upgrading your Vendor Risk Management (VRM) management program with a dedicated, holistic solution like Panorays. Panorays is an automated, comprehensive and easy-to-use VRM platform that manages the whole vendor security risk management process from inherent to residual risk, remediation and ongoing monitoring – to protect your organization from vulnerabilities like this.
Refer to Panorays’ Third-Party Incident Response Playbook to help you prepare for and respond to incidents like these with your third-parties.
Communicate to employees the need for extra vigilance if they notice unrecognized Expression Language or an unusual activity in Confluence Server or Data Center.
Communicate to your customers and suppliers steps you are taking to minimize exposure so they can mimic.
Stay informed by getting updates from Atlassian’s official Security Advisory page. You can also follow the official Atlassian Twitter Account for more updates.
For further information, Volexity is tracking this zero-day vulnerability under the name: “CVE-2022-26134.”