Finding Confluence servers (again) with runZero

, by Pearce Barry

An actively exploited zero-day has surfaced in popular wiki software Confluence. Deemed “critical” in severity, this vulnerability affects all supported versions of Confluence Server and Confluence Data Center, and also older, unsupported versions (i.e. everything after version 1.3.0). Hosted instances within Atlassian Cloud are reportedly protected from exploitation.

What is the impact? #

Upon successful exploitation via OGNL template injection, this vulnerability (tracked as CVE-2022-26134) can provide unauthenticated remote code execution (RCE) to an attacker. Cybersecurity firm Volexity discovered the vulnerability while performing incident response, and noted, confirmed, and disclosed the actively exploited attack vector to Atlassian.

Are updates available? #

Atlassian has made fixes available for a number of versions and strongly encourages admins to update. If patching in the near term isn’t viable, mitigation strategies to limit exploitation opportunities are also provided. CISA has added this zero-day to its Known Exploited Vulnerabilities Catalog, with advice to block internet access to affected Confluence products.

How do I find potentially vulnerable Confluence instances with runZero? #

From the Service Inventory, use the following pre-built query to locate assets running Confluence within your network which may need remediation or mitigation:

product:confluence OR (_asset.protocol:http AND protocol:http AND has:http.head.xConfluenceRequestTime)
Confluence prebuilt query is available in the Queries Library

As always, any prebuilt queries we create are available from our Queries Library. Check out the library for other useful inventory queries.

Get runZero for free

Don’t have runZero and need help finding vulnerable Confluence instances?

Start your trial today
Learn more about runZero
Pearce Barry
Written by Pearce Barry

Pearce Barry is a Director of Security Research at runZero. Barry joined runZero in June 2021, working on the Metasploit Project the four years prior. Now, Pearce leads research efforts at runZero, which includes creating and improving fingerprints, adding to protocols, enhancing scanning logic, and writing queries.

Similar Content

September 29, 2023

How to find WS_FTP Server instances?

How to find WS_FTP Server instances? # On September 27th, Progress Sofware announced eight vulnerabilities in the WS_FTP Server software. These issues can lead to a full compromise of exposed WS_FTP systems and their data through the FTP, SSH, and web management services, …

Read More

September 26, 2023

How to find TeamCity instances

How to find TeamCity assets? # On September 20th, JetBrains announced a critical authentication bypass vulnerability that impacts users running the TeamCity On-Premises product. The vulnerability is being tracked using CVE-2023-42793 and presents the weakness of CWE-288 …

Read More

September 12, 2023

How to find OpenSSL 1.1 instances

How to find OpenSSL 1.1 instances # On September 11th, the venerable OpenSSL 1.1.1 reached its end of life date. That means that it will no longer be receiving publicly-available security fixes. Users without a third-party extended support contract will no longer receive …

Read More