All versions of Atlassian's corporate Wiki system, Confluence, are affected by a serious bug under active exploitation, possibly by Chinese threat actors.
Atlassian has confirmed the critical vulnerability in Confluence Server and Data Center, and the company said there is currently no fix but it is working on a patch.
Administrators should not expose Confluence to the Internet, and disable instances of the corporate Wiki, as options to keep themselves secure.
Security vendor Volexity reported the issue to Atlassian on May 31 United States time, and the vulnerability has been given a Common Vulnerabilities and Exposures (CVE) index of CVE-2022-26134.
Volexity said it conducted an incident response investigation on two customer Confluence servers and discovered suspicious activity on them.
Attackers had written a version of the Java Server Pages (JSP) "China Chopper" web shell to disk, and Volexity determined a vulnerability was exploited for remote code execution on the servers.
China Chopper was probably left to provide secondary access to the compromised servers, Volexity believes.
Memory samples taken by Volexity showed Bash command line shells running as the root super user with full system access, being launched by the Confluence web application process.
An in-memory only implant, BEHINDER, was immediately deployed by the attackers, providing them with powerful capabilities such as running the Meterpreter attack payload from Metasploit, and the Cobalt Strike remote access tool.
All attacker-spawned processes, including child ones created by the exploit, run as the root superuser, which means they have full access to compromised systems.
Volexity echoed Atlassian's advice that customers should not expose Confluence servers to the Internet, and added that they should not run with root privileges either.
Confluence has over the past few years been targetted by attackers exploiting multiple critical vulnerabilities.
In September last year, Australia's cyber security centre ACSC warned about a code injection and remote execution vulnerability, with no authentication required, advising users to patch urgently to avoid exploitation.
Update June 4 Atlassian has provided more detail on the exploited vulnerability, and released fixed versions of Confluence Server and Data Centre.
The vulnerability stems from an Object-Graph Navigation Language (OGNL) for the Java development framework injection vulnerability that allows attackers to run arbitrary code, Atlassian said in its advisory.
OGNL code injection was also behind the September 2021 remote code execution vulnerability for Confluence Server and Data Centre.
Confluence versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1 contain a fix for the vulnerability.
Atlassian strongly recommends that users upgrade to fixed versions of Confluence, as they contain several other security fixes over and above the OGNL bug one.
Cloud Confluence sites hosted on atlassian.net are not vulnerable, and Atlassian said its investigations have not found evidence of them being exploited.
