At 06:00 AEST (05:30 ACST / 04:00 AWST) on 2022-06-03, Atlassian released a security advisory affecting their products Confluence Server and Confluence Data Center. Reported under CVE-2022-26134, this vulnerability allows unauthenticated remote code execution.
In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that allows an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1.
Exploitation of the vulnerability does appear in the standard Confluence access logs (/opt/atlassian/confluence/logs/conf_access_log.<yyyy-mm-dd>.log) and should look similar to the following example:
[02/Jun/2022:16:02:13 -0700] - http-nio-8090-exec-10 10.0.0.28 GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/r7%22%29%7D/ HTTP/1.1 302 20ms - - curl/7.68.0
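The log line above is the primary host-side detection artefact for this vulnerability: the OGNL expression travels in the request path, URL-encoded, so a detection rule has to decode the path before matching. The following is an added example (not AARNet SOC's own tooling) of a small parser and detection pass over conf_access_log lines. It assumes the line layout shown in the advisory's example (timestamp, thread, client IP, method, path, protocol, status, duration, two placeholder fields, user agent); the sample lines other than the advisory's own are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# Layout of conf_access_log lines as shown in the advisory's example (an assumption
# about the format; adjust the pattern if your Confluence access log is configured differently):
# [timestamp] - thread client_ip METHOD path HTTP/x.y status duration - - user_agent
LOG_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+-\s+(?P<thread>\S+)\s+(?P<ip>\S+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<proto>HTTP/[\d.]+)\s+"
    r"(?P<status>\d{3})\s+(?P<duration>\S+)\s+\S+\s+\S+\s+(?P<ua>.*)$"
)

# A decoded "${" anywhere in the request path is the marker of an OGNL
# expression being injected via the URL, which is what CVE-2022-26134 relies on.
OGNL_MARKER = re.compile(r"\$\{")


def full_unquote(value, max_rounds=3):
    """Percent-decode repeatedly so that double-encoded paths are also seen in clear text."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not match the layout."""
    match = LOG_LINE.match(line.strip())
    return match.groupdict() if match else None


def is_ognl_injection(record):
    """True when the decoded request path contains an OGNL expression marker."""
    return bool(OGNL_MARKER.search(full_unquote(record["path"])))


def scan(lines):
    """Parse each line and collect the ones that look like OGNL injection attempts."""
    hits = []
    for line in lines:
        record = parse_line(line)
        if record is None:
            continue  # not an access-log line in the expected layout
        if is_ognl_injection(record):
            hits.append({
                "ts": record["ts"],
                "ip": record["ip"],
                "path": full_unquote(record["path"]),
                "ua": record["ua"],
            })
    return hits


# Sample input. The first line is the advisory's own example; the other two are
# constructed benign requests, one of them carrying a literal "$" to show that a
# lone dollar sign does not trigger the rule.
SAMPLE_LOG = [
    "[02/Jun/2022:16:02:13 -0700] - http-nio-8090-exec-10 10.0.0.28 GET "
    "/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/r7%22%29%7D/ "
    "HTTP/1.1 302 20ms - - curl/7.68.0",
    "[02/Jun/2022:16:05:41 -0700] - http-nio-8090-exec-3 10.0.0.31 GET "
    "/pages/viewpage.action?pageId=1234 HTTP/1.1 200 15ms - - Mozilla/5.0",
    "[02/Jun/2022:16:06:02 -0700] - http-nio-8090-exec-4 10.0.0.31 GET "
    "/display/DOCS/Price%24List HTTP/1.1 200 12ms - - Mozilla/5.0",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['ua']} -> {hit['path']}")
```

Note that a 302 response, as in the advisory's example, does not mean the request failed: the expression is evaluated before the redirect, so the status code is not a useful filter. Matching on the decoded path rather than the raw one is the important part; a rule that looks for the literal string `%24%7B` misses requests that are encoded differently.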
AARNet SOC identified attempted exploits of the vulnerability to install:
Additionally, AARNet SOC noted a slight increase in vulnerability scanners testing infrastructure for exploitability from 2022-06-07 onwards. However, after the security fix, there has been a decline in exploit attempts against AARNet SOC customers.
Before Atlassian released a security patch for the affected versions, the original reporters of the vulnerability withheld their proof-of-concept. Once the patch for the affected versions was announced on 2022-06-05, the following day saw a sharp increase in exploitation attempts, coinciding with the release of the PoC. The PoC, together with additional research and IOCs from third-party vendors, was fed into security appliances to provide detection capabilities.
The following chart plots Palo Alto Firewall alerts for AARNet SOC relating to Threat ID 92632 (CVE-2022-26134).
AARNet SOC is continuing its investigation of this vulnerability. Attempted exploits are being analysed, with indicators of compromise tracked via an internal critically-tagged MISP event. Any log ingested into AARNet SOC containing an IOC that belongs to a critically-tagged MISP event will be alerted on in our internal SOAR for further investigation.
AARNet SOC will undertake a retrospective investigation of this vulnerability to determine whether there is historical evidence of exploitation against any customer.
The AARNet SOC has been actively gathering and curating intelligence from within customer environments to share with our partners. This information can be found within the AHECS MISP instance.