Two vulnerabilities have been published for Confluence Server and Data Center recently:
The goal of this article is to summarize the information we have gathered from Atlassian Community, as a starting point for asking further questions on Community if you need to.
If you read nothing else beyond this point, know that we recommend all Server and Data Center customers upgrade to one of the following versions:
Specifics of the advisories
Please refer to the advisories linked above for more details about the vulnerabilities.
Widget Connector vulnerability (CVE-2019-3396) exploit
Starting April 10, 2019, we began seeing attackers exploiting the vulnerability related to the Widget Connector. Symptoms on internet-exposed Confluence instances of vulnerable versions include (but are not limited to):
Cleanup from malware attacks
We recommend cleaning up from attacks in the following order:
The top command will help you find processes (probably running under the confluence user account) that are consuming a large amount of CPU. If Confluence is currently stopped, you can probably plan on killing any processes running as the confluence user. Note the process ID (pid) from the top output and then kill the process using kill -9 followed by the pid. Example:
sudo kill -9 12395
Clean up your crontab
Since most malware adds a cronjob that relaunches the malware every few minutes, you'll also need to check the crontab file and remove any suspicious-looking entries. If your Confluence install is not running under the confluence user, ensure you enter the right user in this command. Example (using confluence user):
sudo crontab -u confluence -e
Confluence comes up on system startup through the SysV/systemd daemons, so we would expect the confluence user's crontab to not exist under normal circumstances. It's most likely the case that any entries in this file are malicious, but make sure you check them before deleting them entirely.
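A read-only way to review both steps above before killing or deleting anything, added here as an example and not part of Atlassian's own guidance or tooling. The function names, the 50% CPU threshold and the sample data are assumptions made for illustration; the confluence account name and pid 12395 are taken from the text above.

```sh
#!/bin/sh
# Read-only triage for the process and crontab steps; it kills and deletes nothing.
CONF_USER="${CONF_USER:-confluence}"  # assumption: account Confluence runs as
CPU_MIN="${CPU_MIN:-50}"              # assumption: %CPU level worth reviewing

# stdin: "pid pcpu args..." lines; stdout: those at or above $1 %CPU, busiest first.
hot_procs() {
    awk -v min="$1" '$2 + 0 >= min + 0' | LC_ALL=C sort -k2,2nr
}

# stdin: crontab text; stdout: entries only (blank lines and comments dropped).
cron_entries() {
    grep -Ev '^[[:space:]]*(#|$)' || true   # no entries is the expected state
}

# Live check. Selecting with -u avoids ps truncating long names in a USER column.
# ps reports CPU averaged over the process lifetime, unlike top's current sample.
triage() {
    echo "== $CONF_USER processes at >= ${CPU_MIN}% CPU =="
    ps -u "$CONF_USER" -o pid=,pcpu=,args= | hot_procs "$CPU_MIN"
    echo "== $CONF_USER crontab entries (check each before deleting) =="
    crontab -u "$CONF_USER" -l 2>/dev/null | cron_entries
}

# Constructed sample input (not captured from a real host).
SAMPLE_PS='  2210  3.1 /opt/atlassian/confluence/jre/bin/java -Dcatalina.base=/opt/atlassian/confluence
 12395 98.7 /tmp/example-unknown-binary
 12401 55.0 /tmp/example-unknown-binary --worker'
SAMPLE_CRON='# constructed example
*/5 * * * * /tmp/example-unknown-binary

'

if [ "${1:-}" = "run" ]; then triage; fi   # usage: sudo sh triage.sh run
```

Set CONF_USER if Confluence runs under a different account. Anything the crontab section prints deserves a look, since that crontab is expected to be empty.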
Confluence should be upgraded to at least one of the following versions to patch the vulnerabilities:
- 6.6.13 or above in 6.6.x
- 6.12.4 or above in 6.12.x
- 6.13.4 or above in 6.13.x
- 6.14.3 or above in 6.14.x
- 6.15.2 or above
Use a malware scanner
Any remaining traces of malware on your system need to be removed. The LSD malware cleanup tool will be useful for removing the Kerberods malware. Other malware payloads might need different cleanup tools depending on which attack and payload were used. A good starting place for detecting other types of infections is the scanners linked here. Once a particular infection is identified, googling for "____ removal tool" is a good place to start if the scanner was unable to remove the malware automatically.
To make sure we can organize and reply to questions about these advisories, this post is locked. We ask that you create a new question using this link which will help us ensure that your question is not lost among other replies.