CVE-2019-3396: Vulnerability in Atlassian Confluence Widget Connector Exploited in the Wild
Attackers are targeting vulnerable Confluence instances after company published a fix for the vulnerability back in March 2019.
On March 20, Atlassian published a Confluence Security Advisory to announce fixes for two vulnerabilities, CVE-2019-3395 and CVE-2019-3396.
CVE-2019-3395 is a critical server-side request forgery (SSRF) vulnerability in the WebDAV plugin in Confluence Server and Data Center versions released before June 18, 2018.
In the weeks since the publication of the advisory, attackers have been probing for and exploiting CVE-2019-3396 on vulnerable systems.
On April 23, AlertLogic published a blog about attackers exploiting CVE-2019-3396 to install GandCrab ransomware. GandCrab was first spotted in January 2018 and distributed through the RIG and GrandSoft exploit kits. GandCrab has also been distributed through malicious spam emails.
On April 26, Trend Micro published a blog about the AESDDoS botnet leveraging CVE-2019-3396 to infect systems and launch distributed denial of service (DDoS) attacks against other hosts and even use the infected systems for cryptocurrency mining.
Proof of concept
Atlassian recommends upgrading to the latest version of Confluence, which is 6.15.1 at the time of publication.
- For users of 6.12.x versions prior to 6.12.3, upgrade to 6.12.3 or later and 6.14.x versions prior to 6.14.2, upgrade to 6.14.2 or later.
- For users of enterprise release versions 6.6.x prior to 6.6.12, upgrade to 6.6.12 or later and 6.13.x versions prior to 6.13.3, upgrade to 6.13.3 or later.
- For users of older versions from 1.x.x through 5.x.x and versions 6.0.x through 6.11.x, Atlassian recommends upgrading to 6.14.2, 6.13.3 or 6.6.12.
Identifying affected systems
A list of Nessus plugins to identify these vulnerabilities can be found here.
Below is a sample scan output for CVE-2019-3396.
Get more information
- Confluence Security Advisory - 2019-03-20
- Active Exploitation of CVE-2019-3396 Dropping Gandcrab Ransomware
- Trend Micro Blog on AESDDoS Botnet Malware
Join Tenable's Security Response Team on the Tenable Community.
Are You Vulnerable to the Latest Exploits?
Enter your email to receive the latest cyber exposure alerts in your inbox.