Cloudflare observations of Confluence zero day (CVE-2022-26134)

On June 2, 2022, Atlassian issued a Security Advisory concerning a remote code execution (RCE) vulnerability affecting Confluence Server and Data Center products. This post provides an analysis of the vulnerability. Upon learning about it, Cloudflare's internal teams promptly engaged to ensure all customers and infrastructure were protected. The WAF team started working on mitigation rules that were deployed for all customers, while the security team reviewed Confluence instances within Cloudflare. The RCE vulnerability allows full unauthenticated access, enabling attackers to take over the target application. Active exploits of this vulnerability involve command injections using specially crafted strings to load a malicious class file in memory, allowing attackers to subsequently plant a webshell on the target machine that they can interact with. Since the mitigation rules were put in place, there has been a significant increase in activity related to exploitation attempts. The decline in WAF rule matches is due to improved rules being released, which greatly reduced false positives. A valid malicious URL targeting a vulnerable Confluence application was identified, and other example URLs are provided. Some of the observed activity indicates malware campaigns and botnet behavior. Cloudflare's response to CVE-2022-26134 involved gathering information about the attack, engaging the WAF team to develop mitigation rules, searching logs for signs of compromise, deploying new rules to protect customers, scrutinizing Confluence servers for signs of compromise and malicious implants, and enabling monitoring systems to detect any new exploitation attempts. For those using Confluence on-premises, it is recommended to patch to the latest fixed versions, add Cloudflare Access as an extra protection layer, enable a WAF with protection for CVE-2022-26134 in front of Confluence instances, check logs for signs of exploitation attempts, and use forensic tools to search for post-exploitation tools such as webshells or other malicious implants. Indicators of compromise and attack are provided for reference.