Atlassian Confluence is Under Attack: What Happened?

Last week we posted our weekly vulnerability summary and included the latest Atlassian Confluence vulnerability. Since then, Atlassian has upgraded the severity due to exploitation in the wild. Many people are wondering how a vulnerability that was disclosed through proper channels unexpectedly became a massive ransomware target. Atlassian initially believed the vulnerability would only cause complete data loss on the Confluence Server, but hackers found a way to turn the exploit into complete admin access.

This was the second Confluence zero-day with a public exploit in a month, and evidence shows it was most likely exploited within 24 hours of public disclosure. As with many patches, organizations tend to be slow to apply them, giving hackers ample time to strike. This vulnerability is being exploited by the Cerber ransomware strain, and an attack can be costly.

This is an important example that highlights both the challenges of announcing vulnerabilities and the weaknesses in organizations' vulnerability management programs. The researchers at Atlassian, while well-meaning, underestimated the impact of the vulnerability, and by announcing the details along with the patch they gave hackers time to develop an even more dangerous exploit. That said, blame also lies with companies that did not patch Confluence. The initial assessment was a 9.1/10 CVSS score with complete data loss when exploited. That alone should be cause enough for concern and warrant urgent patching.

A solution could include private customer-channel announcements or silent patch releases that do not detail the exploit, flaw, or severity. This would have to be balanced against companies that will not take such patches seriously until they have already fallen victim to ransomware. Another approach is to use a context-based risk and vulnerability management platform, like Glassportal, that can show your risk and help you prioritize which vulnerabilities to patch. If you need support, contact us for a demo: demo@glassportal.io
