NFIR Threat Intelligence Report on vulnerability in Confluence (CVE-2022-26134)

Content

On June 2 and 3, 2022, information was published about a vulnerability in Atlassian’s Confluence products that could allow attackers to gain full access to machines and possibly underlying network components. Confluence is used by organizations as a web-based wiki and information platform, among other things.

If an attacker successfully exploits the vulnerability, unauthorized code can be executed on the affected systems, potentially compromising the server and the data held on it. The attack can be performed from the Internet and requires no authentication.
From a compromised server, an attacker may be able to gain access to the machine and possibly to the rest of the network. This can lead to the theft of (personal) data, ransomware or other types of malware. For this reason, the CVSS score of the vulnerability is classified as critical.

A well-known method for determining whether rogue connection requests have reached your environment is described in the PDF, broken down by operating system (Linux and Microsoft Windows).
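The PDF referred to above is not reproduced here. As an added example that is not NFIR's material, the following Python scans web-server access logs (combined log format) for the publicly documented indicator for this CVE: an OGNL expression marker `${` in the request path, whether plain or URL-encoded. The log lines, addresses and timestamps are constructed for the example.

```python
"""Scan access logs for requests whose path carries an OGNL expression marker."""
import re
from urllib.parse import unquote

# Constructed sample lines in combined log format (not real traffic);
# IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Jun/2022:10:12:01 +0000] "GET /login.action HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Jun/2022:10:13:44 +0000] "GET /%24%7Bexample%7D/ HTTP/1.1" 302 0 "-" "curl/7.68.0"
203.0.113.9 - - [03/Jun/2022:10:13:45 +0000] "GET /${example}/ HTTP/1.1" 302 0 "-" "curl/7.68.0"
198.51.100.7 - - [03/Jun/2022:10:15:02 +0000] "POST /rest/api/content HTTP/1.1" 200 88 "-" "python-requests/2.27"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_path(path: str) -> str:
    """Percent-decode until stable so double-encoded attempts are revealed too."""
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def find_suspicious(log_text: str) -> list:
    """Return one record per request whose decoded path contains '${'."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = decode_path(m.group("path"))
        if "${" in path:
            hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                         "path": path, "status": int(m.group("status"))})
    return hits


def source_ips(log_text: str) -> set:
    """Distinct client addresses that sent suspicious requests."""
    return {h["ip"] for h in find_suspicious(log_text)}


if __name__ == "__main__":
    for h in find_suspicious(SAMPLE_LOG):
        print(f"{h['time']} {h['ip']} {h['status']} {h['path']}")
```

A match is an indicator to investigate, not proof of compromise; a successful request (2xx/3xx) from an address you do not recognise warrants the forensic steps listed further below.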

It is important for your organization to take at least the following steps:

  1. Check your systems against the publicly available Indicators of Compromise (IoCs) to determine whether you may be compromised, or have an external party carry out this preventive investigation on your systems.
  2. Implement any work-arounds made available to reduce impact where possible.
  3. Prepare your organization for the situation when patches need to be executed unexpectedly (outside the regular update timeframes) and apply patches in a controlled manner according to the procedure usual for your organization.
  4. As soon as security updates/patches are published, apply them to the systems immediately and verify that the updates have actually been applied. If you use an external IT service provider: have your provider perform these actions and have the actions and their result confirmed to you in writing.

Do you have systems where the risk is high (for example, systems holding sensitive or special categories of personal data) and indications that such a system cannot be updated immediately? Then consider taking the system offline temporarily until it can be updated.

If your organization is suspected of having been the victim of an attack, the urgent advice is to have an investigation conducted into the cause, into the extent to which attackers may have compromised other systems, and into what information may have been accessed without authorization.

  1. If possible, disconnect affected systems from the network but leave them powered on, to preserve volatile traces such as the contents of memory (RAM);
  2. Have the affected systems forensically examined; ensure adequate backups;
  3. Reset your passwords and user data;
  4. Report to the Police;
  5. Consider filing a report with the Personal Data Authority.

Does your organization currently have an incident? Our Computer Emergency Response Teams (CERT) are available to organizations 24/7 to support IT security incidents. Call 088 133 0700 and we will do our best to help you as soon as possible.


Disclaimer: NFIR has made every effort to make this information accurate and reliable. However, the information provided is without any guarantee of any kind and its use is entirely at the risk of the user. NFIR assumes no responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided.