How the Atlassian Confluence Zero-Day Vulnerability Shows the Need for Quicker Patching

June 23, 2022

BlueVoyant

Even when there are critical vulnerabilities many organizations are slow to patch, leaving them open to exploits. Here is why you need to patch sooner and how BlueVoyant’s Risk Operation Center (ROC) and Terrain: 3PR™ (Third-Party Cyber Risk Management) can help.

On June 2, Atlassian announced that it had been made aware of an actively exploited vulnerability in its Confluence Data Center and Server products, now tracked as CVE-2022-26134. Atlassian Confluence is a collaboration tool, according to the company.

The vulnerability was, and remains, rated critical: it allows an unauthenticated attacker to execute arbitrary code remotely on any affected Confluence Server or Data Center instance (see Resources below). It was later observed that attackers may deploy in-memory Java implants to evade detection.

The following day, Atlassian released a fix for the issue in the form of versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1 [1].

BlueVoyant’s Observations

Through its continuous monitoring service, BlueVoyant rapidly identifies emerging vulnerabilities (EVs) within its global dataset, which is made up of the external-facing IT infrastructure of organizations across all industries and sectors, and can flag detections on specific assets belonging to specific corporate entities. In the case of CVE-2022-26134, BlueVoyant signatured the vulnerability and has been tracking the remediation rate for all BlueVoyant client vendors within its data, in addition to our own clients. The prevalence and distribution of vulnerable Confluence instances are shown in the map below.

After the June 3 Confluence fix was announced, about 30% of vulnerable organizations patched within the first 10 days. However, the patch rate plateaued the following week, meaning roughly 70% of vulnerable Confluence instances remained exposed, a major risk for those organizations.

Confluence General Patch Trends in First 10 Days of Availability

Despite the high criticality of an emerging vulnerability like CVE-2022-26134, the patching rate across vendor supply chains remains remarkably low. The issue highlights one of the key challenges that enterprise organizations face with regard to third-party cyber risk management today — it is difficult to get vendors to rapidly remediate vulnerabilities and risky behaviors, even if they represent a critical threat to organizations’ extended IT ecosystem.

How BlueVoyant Can Help You Patch Faster

BlueVoyant’s Risk Operations Center (ROC) rapidly identifies EVs across supply chains and extended vendor ecosystems, giving guidance to our clients and their vendors on how to remediate and patch critical vulnerabilities. Modeled on a Security Operations Center (SOC), the ROC combines cutting-edge technology with a team of seasoned cybersecurity analysts to provide continuous monitoring of third parties. By working directly with an organization’s suppliers and vendors, BlueVoyant’s ROC experts considerably shorten the time it takes to mitigate risk when an issue presents itself. The result is a much faster response time and a significantly higher patching rate, as seen in the comparative data below.

Confluence Patch Trends for BlueVoyant Customers in First 8 Days of Availability

For BlueVoyant client vendors, more than 50% had patched by June 8, only five days after the fix was made available. More specifically, of all the unique instances of vulnerable Confluence versions seen in client footprints on June 2 (when all were vulnerable), less than a quarter (24%) were still vulnerable by June 15.

These trends show that the ROC gives organizations a clear advantage when they want to drastically reduce their vendors’ mean time to remediation and thereby improve the risk posture of their extended attack surface.

Resources

1. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1.