Atlassian Confluence

Confluence combines the power of online document creation, tight integration with Microsoft Office to help people work better together, share information, and build knowledge. Confluence is used as a portal, knowledge management system and documentation.

Atlassian Confluence is an enterprise content management application designed to store and share information within a company or group of companies. It can be used to organize public knowledge bases, external and internal reference and information portals and resources for working with documentation, blogging and web publications, including report publications; Knowledge Management and Business Process Documentation.

It is a universal platform, significantly expanded compared to software products of this class, the set of functions of which allows you to use the solution for organizing electronic document management of the company. The application was created by the Australian company Atlassian Software Systems.

2024

Hacker put up for sale for 11 million rubles an exploit for a mysterious vulnerability in Jira and Confluence

On one of the hacker forums, a user with the nickname IntelBroker in mid-June announced the sale of an exploit for an unknown (0-day) vulnerability in the company's products Atlassian Jira and Confluence. There are no fixes for the vulnerability, but the information about it itself has not yet been published.

𝓲

SecAtor

According to the seller's description, the exploit allows remote code execution (RCE) for the latest version of the Jira desktop application. It can also be used to attack Confluence, without knowing any login credentials. It is also noted that it is compatible with the Okta SSO solution, which expands its capabilities for horizontal movement already within the infrastructure. For a ready-made exploit, the seller wants to get 800 thousand. Monero (approximately 11 million rubles).

Although it is already officially difficult to buy a license for these products in Russia, in one way or another many companies use them and their products store confidential data, which will give a potential attacker who uses a 0-day vulnerability to them access, and presumably access to the internal network and infrastructure objects, - said for TAdviser Mikhail Sukhov, head of security analysis at Angara Security.

It should be noted that IntelBroker, in addition to the above exploit, also sells information received by it, as it claims, from the information systems of various fairly large companies: AMD, T-Mobile, Apple and some others. Moreover, there are signs that they used Atlassian products in their work, that is, it is quite possible that the seller himself has already used his own exploit to penetrate other people's information systems.

The likelihood of using an exploit against Russian companies is extremely high, "Luka Safonov, technical director of Garda WAF, told TAdviser. - According to the news, at the moment attackers are attacking solvent large targets such as AMD, Apple. Given the attack vector - a desktop application - you need to protect the user's final workplace.

Although there are few solvent targets among even large Russian companies now - due to sanctions and the geopolitical situation, nevertheless, the sold exploit can be bought and used to attack Russian information systems by pro-state groups. However, the price of the exploit is quite high, and Monero is not the most convenient cryptocurrency, since not all crypto exchanges can purchase it.

Jira and Confluence is a cloud SaaS solution and a product that can be installed on your servers, "Mikhail Sergeev, leading engineer of the CorpSoft24, said for TAdviser. - All users from Russia were kicked out of the cloud, and they did it as ugly as possible: they simply completely blocked the paid accounts in which Russia was indicated in the profile at some point. Company products installed on their servers are usually used without access from the Internet - within the corporate network, so if external access is denied to it, it will be impossible to exploit this vulnerability. In general, we can say that this vulnerability will practically not affect users from the Russian Federation.

Konstantin Larin, head of Cyber ​ ​ Intelligence at the Bastion information security system integrator, recommended that users who still exploit vulnerable products close access to them directly from the Internet and connect to them through a secure VPN solution, as well as try to switch to domestic products that have already been developed enough. And as soon as the manufacturer issues protection recommendations, implement them as quickly as possible.

And the recommendations of Askar Dobryakov, a leading expert in the protection of business applications "K2 Cybersecurity," are as follows:

• Use the Web Application Firewall (WAF) screen, which can be used to log all requests to the application from outside - this will allow you to investigate and understand how an attacker was able to gain access and, possibly, even find out the exploit parameters;
• Make a full backup of the vulnerable application and save it in an inaccessible place;
• Configure monitoring of user activity, which will identify anomalies in the use of system accounts and timely block their malicious activity;
• Check the settings of the operating system on which the vulnerable application is running in order to maximize its control and monitoring of the conduct;
• Minimize the availability of vulnerable products from the Internet by restricting access to them using a VPN connection only for your own employees.

BI.Zone WAF protects against vulnerability CVE-2024-21683

On May 27, 2024, it became known about a CVE-2024-21683 vulnerability in the Conflict Data Center & Server wiki system for storing corporate knowledge. BI. ZONE WAF experts quickly developed a rule to detect illegitimate activity and prevent exploitation of the vulnerability by attackers. BI.Zone announced this on May 27, 2024. Read more here.

Another critical vulnerability was found in the popular Confluence platform. It allows you to hijack the server without authentication

FSTEC in mid-January 2024 warned^[1] about the discovery of another dangerous BDU:2024-00325 vulnerability in the Atlassian Confluence Server web server and the Confluence Data Center, which allows you to remotely execute extraneous code to an unauthorized user and use it to intercept their control. The vulnerability also received the highest CVSS hazard score - 10 out of 10.

Atlassian Confluence Server and Data Center are web-based data collaboration platforms designed for enterprise needs.

The vulnerability allows an unauthorized violator acting remotely to execute arbitrary code in the context of the server by introducing a specially crafted template with malicious code without conducting an authentication procedure. The error is present in versions Confluence 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x and 8.5.0-8.5.3, but not in 7.19.x LTS.

Atlassian itself recommends upgrading to versions 8.5.4, 8.5.5 (Conflict Data Center and Server), 8.6.0, 8.7.1 and 8.7.2 (Conflict Data Center), in which the problem has already been resolved^[2].

At the same time, attempts to exploit this vulnerability and the first exploits for it are recorded. So far, however, there is only information about the successful exploitation of this vulnerability by the Positive Technologies Offensive Team (PT SWARM) research group, as well as statements by the AttackerKB project about the start of exploitation of this vulnerability by hackers.

A detailed analysis of the vulnerability was carried out by^[3] on January 22 by two researchers Rahul Maini and Harsh Jaiswal of ProjectDiscovery Research, who compiled a test exploit to check a specific Confluence installation for the specified vulnerability.

Example of testing a local computer with a proposed exploit (provided by ProjectDiscovery Research)

As recommendations for eliminating the danger, you could be advised to switch to the latest fixed versions of products, but this is not available to everyone. Therefore, you can use the tips of FSTEC:

restricting access to the software from public networks (the Internet); Using virtual private networks for remote access (VPN) use of firewall means to limit the possibility of remote access; Use intrusion detection and prevention tools to track attempts to exploit a vulnerability using antivirus software to track vulnerability exploits.

2023: A dangerous vulnerability in Confluence is exploited by ransomware. FSTEC recommends defending yourself

FSTEC warns of a new dangerous vulnerability in the Atlassian Confluence Server web server and the Confluence Data Center. The vulnerability that received the BDU:2023-07453 code ( CVE-2023-22518) is associated with shortcomings in the authorization procedure. Exploiting the vulnerability could allow a remotely acting violator to elevate their privileges. The CVSS vulnerability hazard level is designated as 9.1 out of 10.

Atlassian Confluence was actively used by Russian companies several years ago, but now these systems are left without service - Atlassian has stopped working in Russia. At the same time, the company's products still remain and work. So, according to the service Netlas.io the number of servers vulnerable to this vulnerability in Russia is 1242, which is quite a lot for a possible attack for them. Moreover, there are more such servers only in Germany (3112) and the USA (2500).

Atlassian Confluence Country Specific Vulnerable Server Map

Companies that monitor malicious activity on the Internet have discovered the use of exploits aimed at a new vulnerability. In particular, [1] a whole section dedicated to her has appeared in GrayNoise reports, however, so far the number of recorded attacks is not very large. [2] The company Rapid7 also published its report on the exploitation of this vulnerability on its blog. Moreover, ransomware, in particular, from the Cerber group (aka CerberImposter), are indicated as the first users of this vulnerability.

In this regard, FSTEC recommends installing updates from trusted sources (the manufacturer is not) or implementing compensatory measures aimed mainly at disconnecting vulnerable servers from the Internet: creating a backup copy of its instance of the software tool with settings and data; restriction of access to software from external networks (Internet); Use virtual private networks for remote access (VPN). According to Atlassian, the error has been fixed in versions Confluence Data Center and Server 7.19.16, 8.3.4, 8.4.4, 8.5.3 and 8.6.1. Also [3] , temporary protection measures have been published on the manufacturer's website, which can be applied if updates are not available.

How to replace Atlassian Confluence?

The only reliable analysis of knowledge management systems available in open sources - the CCGuru report, formed at the end of 2021 - considers the six main players in the market for this software.

It is immediately necessary to exclude KMS Lighthouse (Israeli solution) and the Mass Group product from this list, judging by all signs that it has already suspended its activities in the Russian Federation. These solutions, despite their possible advantages and experience in the market, cannot be recommended as an alternative to Confluence due to sanctions risks.

Thus, with all the wealth of choice, only three large Russian developments can become a worthy replacement for Atlassian products:

• Rostelecom CPS
  
• Minerva Knowledge
  
• CraftTalk

All three systems have objective pros and cons, but their deep analysis is not the subject of this article, therefore, the management of companies is still recommended to make a decision on their own, taking into account the needs and only after a deep comparative analysis of the capabilities offered by the systems (more).

Confluence 5.2

• Search for recently viewed publications in one click;
• Improved interface and fast filters;
• More relevant results thanks to an improved search algorithm;
• Improved performance - Search indexing uses 40% less disk space.

Confluence 4.3

• When accessing the portal from a mobile device, a special mobile site with a convenient organization is displayed;
• Added a system for creating and tracking everyday tasks, as well as assigning tasks to colleagues;
• The template creation system has been redesigned, functionality has been added to create templates with any number of macros;
• When creating data tables in the portal, you can color cells in different colors, sort them, and use basic calculation formulas.

Confluence 3.5

The product was seriously improved in terms of functionality, and the interaction between it and the powerful development automation system - Atlassian JIRA 4.3, was also improved for the convenience of users. Key improvements in Confluence 3.5:

• New button for quick publishing of pages by mail or blogs;
• The ability to add JIRA queries from the editor;
• Support for HTML5 browsers (Firefox 3.6, Firefox 4, Safari 5, IE 9) with the ability to accept files through Drag and Drop dragging objects;
• Added the ability to track blogs in spaces;
• The ability to embed video in pages using a Multimedia macro;
• Support for nested security groups;
• Track feedback on your new Portal inclusions.

Notes