Confluence CVEs and common questions

Two vulnerabilities have been published for Confluence Server and Data Center recently:

• March 20, 2019 CVE-2019-3395 / CVE-2019-3396
• April 17, 2019 CVE-2019-3398

The goal of this article is to give you a summary of information we have gathered from Atlassian Community as a starting point for asking further questions on Community if you need.

 

At minimum

If you read nothing else beyond this point, know that we recommend all Server and Data Center customers upgrade to one of the following versions:

• 6.6.13 or above in 6.6.x
• 6.12.4 or above in 6.12.x
• 6.13.4 or above in 6.13.x
• 6.14.3 or above in 6.14.x
• 6.15.2 or above

 

Specifics of the advisories

• WebDAV vulnerability - CVE-2019-3395: Confluence Server and Data Center versions released before the 18th June 2018 are vulnerable to this issue. A remote attacker is able to exploit a Server-Side Request Forgery (SSRF) vulnerability in the WebDAV plugin to send arbitrary HTTP and WebDAV requests from a Confluence Server or Data Center instance.
• Widget Connector vulnerability - CVE-2019-3396: There was an server-side template injection vulnerability in Confluence Server and Data Center, in the Widget Connector. An attacker is able to exploit this issue to achieve server-side template injection, path traversal and remote code execution on systems that run a vulnerable version of Confluence Server or Data Center.
• Path traversal in the downloadallattachments resource - CVE-2019-3398: Confluence Server and Data Center had a path traversal vulnerability in the downloadallattachments resource. A remote attacker who has permission to add attachments to pages and / or blogs, or to create a new space or personal space, or who has 'Admin' permissions for a space, can exploit this path traversal vulnerability to write files to arbitrary locations which can lead to remote code execution on systems that run a vulnerable version of Confluence Server or Data Center.

Please refer to the advisories linked above for more details about the vulnerabilities.

 

Widget Connector vulnerability (CVS-2019-3396) exploit

Starting April 10, 2019 we began seeing attackers exploiting the vulnerability related to the Widget Connector. Symptoms on internet-exposed Confluence instances of vulnerable versions include (but not limited to):

• Confluence crashes shortly after startup
• The Confluence user is running abnormal processes
  • kerberods
  • /tmp/khugepageds
  • dblaunchs
  • seasame
• If in doubt about malicious processes running as the confluence user, simply stop Confluence and inspect the output from top for processes still running under the confluence user account
• Unusual high system resource usage (CPU and memory)
• There are pastebin scripts in crontab for the user under which Confluence is running

 

Cleanup from malware attacks

We recommend cleaning up from attacks in the following order:

1. Kill malicious processes
2. Clean up your crontab
3. Upgrade Confluence
4. Use a malware scanner to find remaining malware traces

Malicious processes

The top command will help you find processes (probably running under the confluence user account) that are consuming a large amount of CPU. If Confluence is currently stopped, you can probably plan on killing any processes running as the confluence user. note the process ID (pid) from the top output and then kill the process using kill -9 followed by the pid. Example:

sudo kill -9 12395

Clean up your crontab

Since most malware adds a cronjob that relaunches the malware every few minutes, you'll also need to check the crontab file and remove any suspicious-looking entries. If your Confluence install is not running under the confluence user, ensure you enter the right user in this command. Example (using confluence user):

sudo crontab -u confluence -e

Confluence comes up on system startup through the SysV/systemd daemons, so we would expect the confluence user's crontab to not exist under normal circumstances. It's most likely the case that any entries in this file are malicious, but make sure you check them before deleting them entirely.

Upgrade Confluence

Confluence should be upgraded to at least one of the following versions to patch the vulnerabilities:

• 6.6.13 or above in 6.6.x
• 6.12.4 or above in 6.12.x
• 6.13.4 or above in 6.13.x
• 6.14.3 or above in 6.14.x
• 6.15.2 or above

Use a malware scanner

Any remaining traces of malware on your system need to be removed. The LSD malware cleanup tool will be useful for removing the Kerberods malware. Other malware payloads might need different cleanup tools depending on which attack and payload were used. A good starting place for detecting other types of infections are the scanners linked here. Once a particular infection is identified, googling for "____ removal tool" is a good place to start if the scanner was unable to remove the malware automatically.

 

Additional resources

• What to do when your Confluence is hacked (article not published by Atlassian)
• Discussion: khugepageds eating all of the CPU

 

Asking questions

To make sure we can organize and reply to questions about these advisories, this post is locked. We ask that you create a new question using this link which will help us ensure that your question is not lost among other replies.