Bug Alert

Authorization Vulnerability in Atlassian Confluence (CVE-2023-22518)

2023-10-31T14:45:00+00:00

⚠ Quick note: SMS and phone notifications are not working in the United States due to new compliance requirements. Bug Alert is working with our telephony provider to resolve this as soon as possible.

On Tuesday, October 31st, 2023, Atlassian released a Security Advisory stating that Confluence Server and Data Center editions are vulnerable to an authorization vulnerability which allows an unauthenticated attacker to cause significant data loss. Patches are available.

Now that a patch has been made available, it's likely that additional attackers will inspect the differences in the application binaries between the fixed and vulnerable versions, and develop attack methods rapidly. At this time, Atlassian is advising customers to remove Confluence Server and Data Center from being available from the Internet if they cannot be patched immediately, either by shutting them down, or by firewalling them off.

This vulnerability been assigned CVE-2023-22518.

If you have feedback (did you agree/disagree that a notice should have been sent?) or questions, please comment on the discussion thread linked below. This notice cost the project approximately $100 USD to send. If you would like to support the project, you can learn more here.

Authorization Vulnerability in Atlassian Confluence (CVE-2023-22518)

2023-10-31T14:45:00+00:00

⚠ Quick note: SMS and phone notifications are not working in the United States due to new compliance requirements. Bug Alert is working with our telephony provider to resolve this as soon as possible.

This vulnerability been assigned CVE-2023-22518.

Authorization Vulnerability in Atlassian Confluence (CVE-2023-22518)

2023-10-31T14:45:00+00:00

⚠ Quick note: SMS and phone notifications are not working in the United States due to new compliance requirements. Bug Alert is working with our telephony provider to resolve this as soon as possible.

This vulnerability been assigned CVE-2023-22518.

Privilege Escalation in Atlassian Confluence (CVE-2023-22515)

2023-10-04T12:45:00+00:00

On Wednesday, October 4th, 2023, Atlassian released a Security Advisory stating that Confluence Server and Data Center editions are vulnerable to a privilege escalation vulnerability that is under active exploitation. Patches are available.

This vulnerability been assigned CVE-2023-22515.

If your Confluence installation is hosted behind Cloudflare and your origin is protected from the Internet, Cloudflare is mitigating the exploit for you already.

Privilege Escalation in Atlassian Confluence (CVE-2023-22515)

2023-10-04T12:45:00+00:00

This vulnerability been assigned CVE-2023-22515.

If your Confluence installation is hosted behind Cloudflare and your origin is protected from the Internet, Cloudflare is mitigating the exploit for you already.

Privilege Escalation in Atlassian Confluence (CVE-2023-22515)

2023-10-04T12:45:00+00:00

This vulnerability been assigned CVE-2023-22515.

If your Confluence installation is hosted behind Cloudflare and your origin is protected from the Internet, Cloudflare is mitigating the exploit for you already.

Testing International Call and SMS Support via Twilio

2022-11-09T15:00:00+00:00

The Bug Alert team is excited to test our integration with Twilio, which will allow the project to send calls and SMS notifications to our subscribers outside of North America. We have a new phone number as well.

Calls and texts will now come from +1 (507) 668-8567 _{+1 (507) NOVULNS 😉}

A celebration!

When Bug Alert launched in January 2022, it was hard to imagine having even a few hundred people as part of our community. Today, we serve notices to thousands of people all across the world, and continue to stand at the ready to make a positive difference in the security community. Thank you for your continued support, and we're so glad to be bringing the entire Bug Alert feature set to our worldwide community.

If you got this test notice by SMS (we didn't fire off phone calls for this one), feel free to take a screen shot and post it in celebration on the GitHub pull request for this notice! We especially want to celebrate a (hopefully) successful test with anyone who lives outside of North America.

A few housekeeping items:

We've also seen an increase in email notices going to Spam folders; if you would please check your spam and mark any Bug Alert messages as 'safe', it would help the project immensely!

Bug Alert is happy to continue serving the Twitter community, but I (Matthew Sullivan, Founder) remain concerned about Twitter's long-term prospects. A significant number of security professionals have adopted the Infosec Exchange Mastodon server as their new home. Bug Alert runs on volunteer time, but getting support for posting notices automatically on the Infosec Exchange Mastodon server will be a high priority, so that we can properly serve that community. If that's something you are interested in tackling, we'd be happy to accept a pull request to the project.

Finally: if you received an email or SMS linking to this notice, and no longer wish to receive test notices (typically no more than one per quarter), please update your Bug Alert subscription preferences.

Multiple Vulnerabilities in Atlassian Products (CVE-2022-26136, CVE-2022-26137, CVE-2022-26138)

2022-07-20T10:00:00+00:00

On Wednesday, July 20th, 2022, Atlassian released a Security Advisory stating that a hardcoded credential vulnerability exists in the Questions for Confluence application, as well as Servlet Filter bypasses in both first and third party applications tied to multiple Atlassian products.

The hardcoded credential vulnerability stems from the use of the Questions for Confluence application with the disabledsystemuser account. The fix here is to update the Questions for Confluence app to a non-vulnerable version, or to disable/delete this account. Uninstalling the Questions for Confluence application does not remediate this vulnerability.

To check for use of the disabledsystemuser account, follow instructions found here.

At this time they have not released any specifics as to what the exact vulnerable endpoint is for the servlet bypasses, or any indicators of compromise that could lead defenders to believe they have been exploited. The current fix is to patch to the level indicated in the advisory.

If exploited, these servlet bypass vulnerabilities may enable attackers to perform an Authentication Bypass, Cross-Site Scripting (XSS) Attacks, or Cross-Origin Resource Sharing (CORS) bypass.

Unauthenticated Remote Code Execution in Atlassian Confluence (CVE-2022-26134)

2022-06-02T17:00:00+00:00

On Thursday, June 2nd, 2022, Atlassian released a Security Advisory stating that Confluence Server and Data Center editions are vulnerable to an Unauthenticated Remote Code Execution vulnerability that is under active exploitation. At this time they have not released any specifics as to what the exact vulnerable endpoint is, or any indicators of compromise that could lead defenders to believe they have been exploited. There is currently no fix.

Once a patch has been made available, it's likely that additional attackers will inspect the differences in the application binaries between the fixed and vulnerable versions, and develop attack methods rapidly. This post will be updated as information becomes available.

At this time, Atlassian is advising customers to remove Confluence Server and Data Center from being available from the Internet, either by shutting them down, or by firewalling them off.

This vulnerability been assigned CVE-2022-26134. ~~Patches are not yet available from the vendor~~ (see last update for patch links). This notice will be updated when they are published.

Update as of June 2nd, 10:00PM New York time

Cybersecurity firm Volexity has published a blog post detailing how they originally found this vulnerability being used in the wild, prior to reporting it to Atlassian. Their write-up includes IP ranges the attackers utilized, as well as some additional background information.

The United States Cybersecurity & Infrastructure Security Agency (CISA) has added this flaw to its list of known exploited vulnerabilities with a deadline for remediation of Friday, June 3rd, 2022.

~~As of this update, there is still no patch available.~~ Confluence administrators are urged to remove public-facing installations from the Internet as soon as possible.

Update as of June 3rd, 2:30PM New York time

Patches are now available from Atlassian.

Unauthenticated Remote Code Execution in Atlassian Confluence (CVE-2022-26134)

2022-06-02T17:00:00+00:00

At this time, Atlassian is advising customers to remove Confluence Server and Data Center from being available from the Internet, either by shutting them down, or by firewalling them off.

This vulnerability been assigned CVE-2022-26134. ~~Patches are not yet available from the vendor~~ (see last update for patch links). This notice will be updated when they are published.

Update as of June 2nd, 10:00PM New York time

The United States Cybersecurity & Infrastructure Security Agency (CISA) has added this flaw to its list of known exploited vulnerabilities with a deadline for remediation of Friday, June 3rd, 2022.

~~As of this update, there is still no patch available.~~ Confluence administrators are urged to remove public-facing installations from the Internet as soon as possible.

Update as of June 3rd, 2:30PM New York time

Patches are now available from Atlassian.

Unauthenticated Remote Code Execution in Atlassian Confluence (CVE-2022-26134)

2022-06-02T17:00:00+00:00

At this time, Atlassian is advising customers to remove Confluence Server and Data Center from being available from the Internet, either by shutting them down, or by firewalling them off.

This vulnerability been assigned CVE-2022-26134. ~~Patches are not yet available from the vendor~~ (see last update for patch links). This notice will be updated when they are published.

Update as of June 2nd, 10:00PM New York time

The United States Cybersecurity & Infrastructure Security Agency (CISA) has added this flaw to its list of known exploited vulnerabilities with a deadline for remediation of Friday, June 3rd, 2022.

~~As of this update, there is still no patch available.~~ Confluence administrators are urged to remove public-facing installations from the Internet as soon as possible.

Update as of June 3rd, 2:30PM New York time

Patches are now available from Atlassian.

Remote Code Execution in Microsoft Office Products for Windows

2022-05-30T09:00:00+00:00

On Monday, May 30th, 2022, security researcher Kevin Beaumont published a blog post detailing an exploit, 'Follina', that had been discovered three days prior and discussed at length on Twitter. This exploit abuses the template retrieval mechanism in Microsoft Office installations on Microsoft Windows systems to initiate arbitrary code, using a vulnerability in Microsoft Support Diagnostic Tool (MSDT). On May 30th, 2022, Microsoft acknowledged this issue and workarounds are available, but there is no patch. This exploit has been actively used against Russia-based targets for over a month.

Exploit code is widely available online, and weaponization of this vulnerability by groups other than the original authors is likely already underway. While awaiting patches from Microsoft, the best course of action is to monitor for use of this exploit, provide user education and implement workarounds. Signatures for various detection tools have been made available and are linked from Kevin Beaumont's post. Microsoft has also released detections for Microsoft Defender. This post will be updated as information becomes available.

This vulnerability has been assigned CVE-2022-30190.

If you have feedback (did you agree/disagree that a notice should have been sent?) or questions, please comment on the discussion thread linked below. This notice cost the project approximately $50 USD to send. If you would like to support the project, you can learn more here.

Authentication Bypass in Atlassian Jira (CVE-2022-0540)

2022-04-20T19:00:00+00:00

On Wednesday, April 20th, 2022, Atlassian released a Security Advisory stating that Jira's web authentication framework, Jira Seraph, is vulnerable to an Authentication Bypass vulnerability. At this time they have not released any specifics as to what the exact vulnerable endpoint is, or any indicators of compromise that could lead defenders to believe they have been exploited. It's likely that attackers will inspect the differences in the application binaries between the fixed and vulnerable versions, and develop attack methods rapidly. This post will be updated as information becomes available.

At this time, Atlassian is advising customers to install updated version of Jira Core Server, Jira Software Server, and Jira Software Data Center. If updating is not possible, installing updates to affected plug-ins (found in the advisory) is suggested, followed by disabling those plug-ins if updates are not available.

This vulnerability been assigned CVE-2022-0540. Patches are available now from the vendor.

If you have feedback (did you agree/disagree that a notice should have been sent?) or questions, please comment on the discussion thread linked below. This notice cost the project approximately $50 USD to send. If you would like to support the project, you can learn more here.

Confirmed remote code execution (RCE) in Spring Core, an extremely popular Java framework (CVE-2022-22965)

2022-03-30T15:00:00+00:00

Updated Notice, 10:00AM New York Time

This flaw has been assigned CVE-2022-22965, and the Spring team is now issuing fixes. Please follow their post here for further updates.

Original Notice

This is not related to CVE-2022-22963, Spring Cloud Function, or SpEL routing expressions. That is a separate, (possibly?) less widespread issue documented here. Sadly, both are being referred to broadly as 'Spring4Shell', significantly adding to the confusion. We suggest the community refrain from using the term.

Praetorian has confirmed the existence of the remote code execution vulnerability that impacts Spring Core. Praetorian has also confirmed online rumors of the issue being caused by a partial fix to a very old issue, CVE-2010-1622. Unfortunately, proof-of-concept code is now widely available and is likely to be weaponized. What we don't know, though, is how widespread this issue really is, or how easily exploited it will be in the real world. As of late in the evening on March 30th, New York time, there's not much evidence yet that it will be exploitable in common configurations.

There is currently no patch. The existing proof-of-concept, as well as the proof-of-concept from 2010, both reference class.module.classLoader when constructing the attack. Bug Alert therefore recommends testing and deploying a WAF rule that analyzes request bodies for requests containing the term classLoader. Please remember that regex-based WAF rules are often easily bypassed, so do not regard this as a long-term solution.

Continue to monitor the Praetorian blog and the Bug Alert discussion thread (linked below) for further information. Once available, official notice from the Spring project is likely to be placed on the VMware Tanzu security advisories page (VMware owns the Spring project). It's likely they will also furnish a blog post with further information at a later time.

Rapid7 has put together a fantastic writeup with technical details. Their blog post also details some of the configurations that are required for the exploit to be successful, and they have committed to using that venue to provide additional information as it becomes available.

If you have feedback or questions, please comment on the discussion thread linked below. This notice cost the project approximately $150 USD to send. If you would like to support the project, you can learn more here

Confirmed remote code execution (RCE) in Spring Core, an extremely popular Java framework (CVE-2022-22965)

2022-03-30T15:00:00+00:00

Updated Notice, 10:00AM New York Time

This flaw has been assigned CVE-2022-22965, and the Spring team is now issuing fixes. Please follow their post here for further updates.

Original Notice

Advanced warning: possible remote code execution (RCE) in Spring, an extremely popular Java framework

2022-03-29T23:00:00+00:00

Update as of March 30th, 3:00PM New York time

Praetorian has confirmed the existence of this RCE in a recently-published blog post.

A new Bug Alert notice has been added here.

Update as of March 30th, 1:30PM New York time

The Bug Alert team is aware of claims of a PoC for a Spring core RCE. However, we are awaiting confirmation before raising any further alarms, and we have not been able to utilize the PoC successfully against real-world Spring installs that we have (legal) access to. Some security professionals have claimed, on Twitter, that they are able to utilize the PoC successfully against Spring instances running behind Tomcat.

Adding to the confusion, multiple Spring devs have publicly stated there is no known vulnerability within Spring Core, and they have also stated that yesterday's serialization-related code change was not an attempt a resolving an open security issue.

We'll share any further info as it comes in, but at this time we are taking a cautious approach with raising any further alarms. This is already a deeply confusing situation, and Bug Alert wants to avoid making it worse.

Finally, we would like to remind readers that Bug Alert is intended to be one of the earliest sources of information, and we have to weigh the risks of being early, but being wrong. This may very well end up being a case where we are wrong, but in the moment it is hard to know what is accurate. We will continue to monitor the situation and report on new developments.

Original notice

This notice is intended to alert you that there may be a significant issue with Spring which, if confirmed, would require immediate attention.

In the morning (New York time) on Tuesday, March 29th, 2022, a member of the security research team KnownSec posted a now-removed screenshot to Twitter purporting to show a trivially-exploited remote code execution vulnerability against Spring core, the most popular Java framework in use on the Internet. The researcher did not provide a proof-of-concept or public details. Since then, the Bug Alert team has been very closely monitoring activity and discussion in the Spring ecosystem.

Update: the claims in the next paragraph have been refuted by the Spring team. I have left them visible for historical context. During our initial investigation, the Bug Alert volunteer team noted that a small change was introduced into the Spring codebase at roughly the same time which may be the patch for this particular remote code execution issue. The team believes RCE could be possible through this vector, and that this change is likely the change that is intended to resolve the issue in Spring. However, the Spring team has not yet commented and has locked/closed GitHub issues inquiring about the accuracy of the claims being made.

Just a few minutes ago, Cyber Kendra, a cybersecurity blog, put up a new post detailing (translated) claims that have been circulating on Chinese blogs and media for the past several hours. This post also details some of the (unconfirmed) ways this vulnerability could be detected or mitigated.

This notice is intended to prepare you for the possibility that a trivially-exploited remote code execution vulnerability may be present in one of the most widely-used pieces of open-source software. The impact of this vulnerability, if it does exist, would be significant; far in excess of the impact of Log4j or Heartbleed.

If you have feedback (did you agree/disagree that a notice should have been sent?) or questions, please comment on the discussion thread linked below. This notice cost the project approximately $50 USD to send. If you would like to support the project, you can learn more here.

Advanced warning: possible remote code execution (RCE) in Spring, an extremely popular Java framework

2022-03-29T23:00:00+00:00

Update as of March 30th, 3:00PM New York time

Praetorian has confirmed the existence of this RCE in a recently-published blog post.

A new Bug Alert notice has been added here.

Update as of March 30th, 1:30PM New York time

Original notice

This notice is intended to alert you that there may be a significant issue with Spring which, if confirmed, would require immediate attention.

If you have feedback (did you agree/disagree that a notice should have been sent?) or questions, please comment on the discussion thread linked below. This notice cost the project approximately $50 USD to send. If you would like to support the project, you can learn more here.

Unauthenticated user impersonation (auth bypass) in SAP

2022-02-08T10:02:00+00:00

On Tuesday, February 8, 2022, SAP published a notice detailing a major request smuggling flaw within their SAP NetWeaver, SAP Content Server, and SAP Web Dispatcher products, which SAP claims could lead to authentication bypass.

Publicly available documentation is scarce, but the Bug Alert team has analyzed the PoC and SAP documentation. It appears that SAP can utilize the REMOTE_USER header (which is usually stripped from untrusted traffic) to authenticate a user through an authenticating proxy or SSO module.

Again, publicly available information is limited at this time, but it appears likely that this request smuggling issue could be utilized to insert the REMOTE_USER request header and impersonate another SAP user, including the present-by-default 'Administrator' account.

This vulnerability been assigned CVE-2022-22536. Patches are available now from the vendor.

If you have feedback (did you agree/disagree that a notice should have been sent?) or questions, please comment on the discussion thread linked below. This notice cost the project approximately $150 USD to send. If you would like to support the project, you can learn more here.

Local privilege escalation in pkexec, a core Linux system component

2022-01-25T20:42:00+00:00

On Tuesday, January 25th, 2022, Qualys published a blog post detailing an issue they identified within pkexec, a core component of polkit (formerly known as PolicyKit). In the time since Qualys disclosed this issue, exploit code has been made available. The pkexec binary is most commonly installed with Linux GUI components and may not be present on servers that run 'minimal' OS installs. This post will be updated as more information becomes available.

PwnKit, as this vulnerability is being called, has been assigned CVE-2021-4034. Patches are available now for most Linux distributions.

Thank you to Matt Cobb for reporting this issue.

This was Bug Alert's first notice. If you have feedback (did you agree/disagree that a notice should have been sent?) or questions, please comment on the discussion thread linked below. This notice cost the project approximately $120 USD to send. If you would like to support the project, you can learn more here.

Post-Launch Updates: Telegram Support, Community Slack, and Celebrating Success

2022-01-11T23:00:00+00:00

The Bug Alert team is happy to announce Telegram support! Join our Telegram channel to receive vulnerability notices in real-time.

This functionality was contributed by a member of our volunteer team, Ethan Schorer. Thanks Ethan!

Stay up to date on the latest Bug Alert news or come chat vulnerabilities in our public Slack workspace. This is also where the volunteer team discusses features and updates, and we'd be happy to get your input as well!

Click here to create an account.

🎉 Post-Launch Celebration

Over 1,000 subscribers have registered with Bug Alert, which is far in excess of what I could have imagined just a week ago. I am honored you agree that Bug Alert is a potential solution to a very real problem, and as a community, we'll work to improve security across the world.

If you have suggestions for Bug Alert, or wish functionality existed which doesn't today, please file an issue on GitHub and let us know! If you know Python, we'd also love to have you contribute to our codebase to make those ideas a reality.

Thanks again for making Bug Alert an early success. We look forward to what the future has in store.

P.S. If you haven't already, follow us on Twitter. While notices are also posted to Twitter, we'll also use the platform for disseminating less pressing, informational content, such as minor feature enhancements or bugfixes. Notices will always be tagged with #BugAlertNotice, which you can use for filtering alerts if you are utilizing tools like IFTTT to monitor the feed and only want to see the emergency stuff. Hope to see you there!

Bug Alert is Live

2022-01-04T14:00:00+00:00

I'm happy announce that Bug Alert is now generally-available! Read the announcement post at https://mattslifebytes.com/2022/01/04/bugalert-org/ for background and further information.

RCE in Log4j

2021-12-09T23:00:00+00:00

On Tuesday, December 9th, 2021, a security researcher posted a screenshot and proof-of-concept code for executing an RCE against the latest available build of the popular Java logging library, Log4j. For up-to-date information, please visit https://www.lunasec.io/docs/blog/log4j-zero-day/.

Placeholder for the End-User Applications Category

2021-12-01T23:00:00+00:00

Our site generator requires all categories to have a notice. This is the placeholder for the 'End-User Applications' category.

Placeholder for the Operating Systems Category

2021-12-01T23:00:00+00:00

Our site generator requires all categories to have a notice. This is the placeholder for the 'Operating Systems' category.

Placeholder for the Services & System Applications Category

2021-12-01T23:00:00+00:00

Our site generator requires all categories to have a notice. This is the placeholder for the 'Services & System Applications' category.