Try in Splunk Security Cloud

Description

On June 2, security researchers at Volexity published a blog outlining the discovery of an unauthenticated remote code execution zero day vulnerability (CVE-2022-26134) being actively exploited in Atlassian Confluence Server and Data Center instances in the wild. Atlassian released a fix within 24 hours of the blog’’s release.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Web
  • Last Updated: 2022-06-03
  • Author: Michael Haag, Splunk
  • ID: 91623a50-41fa-4c4e-8637-c239b80ff439

Narrative

Atlassian describes the vulnerability as an Object-Graph Navigation Language (OGNL) injection allowing an unauthenticated user to execute arbitrary code on a Confluence Server or Data Server instance. Volexity did not release proof-of-concept (POC) exploit code, but researchers there have observed coordinated, widespread exploitation. Volexity first discovered the vulnerability over the weekend on two Internet-facing web servers running Confluence Server software. The investigation was due to suspicious activity on the hosts, including JSP webshells that were written to disk.

Detections

Name Technique Type
Confluence Unauthenticated Remote Code Execution CVE-2022-26134 Server Software Component, Exploit Public-Facing Application, External Remote Services TTP
Java Writing JSP File Exploit Public-Facing Application, External Remote Services TTP

Reference

source | version: 1