How is the CVE-2022-26134 zero day vulnerability prevented?

On June 2, 2022, Atlassian announced a zero day vulnerability with codename CVE-2022-26134 that is present in all of their Confluence Server 7.18.0 and Data Center 7.4.0 products.

Currently, this vulnerability is being actively exploited by hackers because it allows remote server control command execution (RCE). This gives hackers full control over a system without credentials, as long as they can make Web requests to the Confluence Server system.

According to statistics from search platform Censys, there are about 9,325 services on 8,347 separate servers running Atlassian Confluence version that could be attacked.

To minimize and prevent business damage, Atlassian recommends that businesses:

• Restrict access to Confluence Server and Data Center instances from the Internet.
• Disable Confluence Server and Data Center instances.

At the same time, on June 3, 2022, Atlassian also released a patch for this zero day vulnerability. Here is a list of Confluence Server and Data Center software versions that have been patched:

• 7.4.17
• 7.13.7
• 7.14.3
• 7.15.2
• 7.16.4
• 7.17.4
• 7.18.1

However, in addition to vulnerabilities like CVE-2022-26134, there may be other vulnerabilities that have not been discovered and patched in time. Therefore, businesses need to proactively equip more effective security solutions to eliminate the latest vulnerabilities.

According to Volexity (A cybersecurity organization in the US) has discovered vulnerability CVE-2022-26134 and analyzed this vulnerability as follows:

Once the CVE-2022-26134 vulnerability is exploited, hackers can install BEHINDER malicious code. The malware is an interface that allows remote access to a Web Server (Web shell) called noop.jsp. It replaces the legitimate noop.jsp file located at Confluence root > /confluence/noop.jsp and another open source Web shell called Chopper.

The hacker installed Web shell BEHINDER on the remote server, then used BEHINDER to install additional Web shell Chopper for backup. The hacker destroyed the Confluence Server user table, and also wrote more Web shells and changed the access log to avoid detection.

However, the security platform of VNIS (VNETWORK Internet Security) soon had a solution to prevent the CVE-2022-26134 vulnerability and protect the maximum safety for its customers both inside and outside. country.

VNIS always timely updates latest security holes, especially those in the top 10 OWASP (Open Web Application Security Project) vulnerabilities. We always make sure all of our customers and our own infrastructure are protected. VNIS's Web Application Firewall (WAF - Web Application Firewall) systems have updated new security features for all customers. The system can protect customer websites from attacks that exploit vulnerabilities such as CVE-2022-26134.

In addition, VNIS experts continuously monitor through the network security monitoring center (SOC) system to ensure flexibility to respond to attacks using multiple methods.

To learn more about how VNIS prevents the latest vulnerability, please follow the content below.

The Origin Shield function of WAF VNIS includes CRS (firewall) rules that will block all request variables such as:

• Parameters according to request
• Parameters in POST
• URI (Uniform Resource Identifier) identifies exactly where to get the resource.
• Content of request

Thus, the Origin Shield system will detect and block if any of the above request variables contains the following attack syntax:

“Class.module.classLoader”

The VNIS platform allows administrators to enable CRS for the new vulnerability by following the following path: ' Origin Shield '> ' CRS rules '> ' Generic injection rules'.

Enable CRS to prevent attacks on new vulnerabilities

Below are examples illustrating the responsiveness of the Web Server system when enabling or disabling the new vulnerability blocking function on Origin Shield of VNIS.

A. Test scenario without enabling vulnerability blocking on CRS Rule on VNIS:

Vulnerabilities not covered by Origin Shield

The execution of cURL request (Client URL - command line tool that helps to check connection through URL) is successfully executed on the server, and displays a status code of 200. In addition, the Linux ls command to request remote data is executes and displays a list of files available on the hacker's remote server.

B. Test scenario when enabling new vulnerability blocking function on CRS Rule of VNIS:

New Vulnerabilities Protected by Origin Shield of VNIS

The cURL request execution failed and showed a 403 status code. Also, the Linux Is command line requesting remote data does not return a list of data files on the hacker's control server.

If you are interested in vulnerability CVE-2022-26134 or the latest zero day vulnerabilities and want to try out VNIS's smart website security solution, leave your contact information in the form below or call the hotline: (028) 7306 8789.