Security Vulnerability of the Week 13/06/22

Weekly review of vulnerability, this week we have a lot to unpack

Previous Issues of vulnerability Weekly



This week we deep dive into Confluence RCE vulnerability, Follina exploits and weaponization, and GitLab vulnerability for account takeover.


Appsec

Atlassian Confluence & Jira

Atlassian Confluence

Beginning of June (2-june-2022) Atlassian warned of two zero days. Atlassian credited cybersecurity firm Volexity for identifying the flaw, which is being tracked as CVE-2022-26134.

A new strain of ransomware is affecting and targeting both vulnerabilities  CVE-2022-26134. and reports on Atlassian support confirm files are getting locked and encrypted.

Several attempts since weaponization have been seen (source Graynoise)

Credit Graynoise

https://viz.greynoise.io/tag/atlassian-confluence-server-cve-2022-26134-ognl-injection-attempt?days=3

Currently, Atlassian tracks the vulnerability: https://confluence.atlassian.com/doc/confluence-securitydvisory-2022-06-02-1130377146.html with the available workaround

Both Confluence Server and Data Center are affected by an injection that allows an unauthenticated attacker to execute random code (RCE and Injection)

The affected versions are
from 1.3.0 before 7.4.17,
from 7.13.0 before 7.13.7,
from 7.14.0 before 7.14.3,
from 7.15.0 before 7.15.2,
from 7.16.0 before 7.16.4,
from 7.17.0 before 7.17.4,
and from 7.18.0 before 7.18.1.
CVE Database/ Atlassian

Atlassian has been hit by another critical vulnerability in April with a rating of 9.9: https://phoenix.security/svw-2022-04-25/

Also, another variant of the vulnerability Currently Tracked as CVE-2021-26084, CVSS score: 9.8

As the two vulnerabilities are highly exploitable if there are server exposed with authentication is important to patch them

Both vulnerabilities are affected by the Object-graph Navigation Language (OGNL) injection.

Both vulnerabilities is currently high in dangerousness as there are multiple exploits available in the wild: https://packetstormsecurity.com/files/167430/Confluence-OGNL-Injection-Remote-Code-Execution.html

https://packetstormsecurity.com/files/167449/Atlassian-Confluence-Namespace-OGNL-Injection.html

An example of the payload :

curl -v http://localhost:8090/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/pwned%22%29%7D/

This is just an encoding for an OGNL expression including java.lang.Runtime to execute a system command: touch /tmp/pwned.COPY

{@java.lang.Runtime@getRuntime().exec(“touch /tmp/pwned”)}

Current Version of Atlassian Vulnerable on the web

According to stats from internet asset discovery platform Censys, there are about 9,325 services across 8,347 distinct hosts running a vulnerable version of Atlassian Confluence, with most instances located in the U.S., China, Germany, Russia, and France.

For a live dashboard: https://datastudio.google.com/u/0/reporting/1fbdf17c-ae37-4501-bd3f-935b72d1f181/page/2DSuC

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), besides adding the zero-day bug to its Known Exploited Vulnerabilities Catalog, has also urged federal agencies to immediately block all internet traffic to and from the affected products and either apply the patches or remove the instances by June 6, 2022, 5 p.m. ET.

Fix

Released versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1 which contain a fix for this issue.

Mitigation

If you are unable to upgrade Confluence immediately, then as a temporary workaround, you can mitigate the CVE-2022-26134 issue by updating the following files for the specific version of the product.

More details on the various version in the advisory:

https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2022-06-02

GitLab

A bit dwarfed by the Atlassian vulnerability above GitLab had a serious authentication issue affecting all all versions of GitLab Enterprise Edition (EE) starting from 11.10 before 14.9.5, all versions starting from 14.10 before 14.10.4, and all versions starting from 15.0 before 15.0.1.

CVE-2022-1680, the issue has a CVSS severity score of 9.9

The vulnerability was discovered by the internal security team: https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1680.json

Official Advisory:

“When group SAML SSO is configured, the SCIM feature (available only on Premium+ subscriptions) may allow any owner of a Premium group to invite arbitrary users through their username and email, then change those users’ email addresses via SCIM to an attacker-controlled email address and thus — in the absence of 2FA — take over those accounts,” GitLab said.

Having achieved this, a malicious actor can also change the display name and username of the targeted account, the DevOps platform provider cautioned in its advisory published on June 1, 2022.

FIX

it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.


INFRA/Network

MAC Hardware Vulnerability

Credit Techspot

A new hardware attack targeting the novel M1 Processor has been recently demonstrated. The attacker can execute arbitrary code on the affected Mac OS

The vulnerability is rooted in pointer authentication codes (PACs), a line of defence introduced in arm64e architecture that aims to detect and secure against unexpected changes to pointers — objects that store a memory address — in memory.

the paper’s lead co-author Ph.D. student Joseph Ravichandran on the processor vulnerability: The idea behind pointer authentication is that if all else has failed, you still can rely on it to prevent attackers from gaining control of your system. We’ve shown that pointer authentication as a last line of defence isn’t as absolute as we once thought it was

https://pacmanattack.com/paper.pdf

Like other vulnerabilities (like spectre) the vulnerability is difficult to replicate. As for spectre the vulnerability fix might lead more likely to the exclusion of the corruptable area so steps in the future to mitigate the vulnerability needs to be carefully considered.

An example of the pointer leak:

The researcher have used the vulnerability for kernel-based attacks but remains very speculative and no weaponization seen in the wild.

Apple said in a statement shared with The Hacker News, pointing out PACMAN’s diminished potential for in-the-wild exploitation.

The researchers do say there is “no immediate call for alarm” because there needs to be a myriad of other breakages in order to for this ‘last line of defence’ to be cracked. The researchers presented their findings to Apple, who responded with a statement to TechCrunch.

Windows – Follina

The vulnerability CVE-2022-30190 (CVSS score: 7.8) has currently no fix available. Currently Tracked in https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190

The discovery from the  Japanese cybersecurity research team nao_sec started when they discovered a malicious Word file uploaded to VirusTotal from the Belarusian IP address.

The vulnerability exploit get triggered by chaining an HTML file from a remote template that leads to running malicious Powershell code.

The situation is more dangerous as the code is run via the MSDT tool normally run by the support desk to diagnose issues.

Remediation/ workaround

There is still no available patch the step to fix this are:

  • To disable the MSDT URL Protocol (modify the register: reg export HKEY_CLASSES_ROOT\ms-msdt filename)

For additional workaround: https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

Increase dangerousness

Microsoft Defender for Endpoint hasn’t been able to detect the flaw according to the research by Kevin Beaumont who gave a name to this new Microsoft Office code execution vulnerability.

Nonetheless, the following signatures have been released

  • Trojan:Win32/Mesdetty.A  (blocks msdt command line)
  • Trojan:Win32/Mesdetty.B  (blocks msdt command line)
  • Behavior:Win32/MesdettyLaunch.A!blk (terminates the process that launched msdt command line)
  • Trojan:Win32/MesdettyScript.A (to detect HTML files that contain msdt suspicious command being dropped)
  • Trojan:Win32/MesdettyScript.B (to detect HTML files that contain msdt suspicious command being dropped)

Follina in the Wild:

Researchers have seen malicious documents exploiting Follina with targets in Russia, India, the Philippines, Belarus, and Nepal. An undergraduate researcher first noticed the flaw in August 2020, but it was first reported to Microsoft on April 21. Researchers also noted that Follina hacks are particularly useful to attackers because they can stem from malicious documents without relying on Macros, the much-abused Office document feature that Microsoft has worked to rein in.

New recent detection have detected potential state sponsor attacks: Follina –

More than 1000 spam email have been recently seen,.

“This campaign masqueraded as a salary increase and utilized an RTF with the exploit payload downloaded from 45.76.53[.]253,” the company said in a series of tweets.

the campaign follows a recent attack

Dog Walk Follina extended attack

Despite the fact that an unofficial security patch has been made available for a new Windows zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT), the following flaws continue to get exploited in the wild.

The DOGWALK vulnerability leverage a startup folder exploit. The vulnerability get exploited at when the payload is launched at next user login

DogWalk was originally disclosed by security researcher Imre Rad in January 2020 after Microsoft, having acknowledged the problem, deemed it as not a security issue.

Following some example of virtual patching of this vulnerability

Previous Issues of vulnerability Weekly


Francesco is an internationally renowned public speaker, with multiple interviews in high-profile publications (eg. Forbes), and an author of numerous books and articles, who utilises his platform to evangelize the importance of Cloud security and cutting-edge technologies on a global scale.

Discuss this blog with our community on Slack

Join our AppSec Phoenix community on Slack to discuss this blog and other news with our professional security team

From our Blog

Are never-ending critical alerts leaving you scrambling? Explore how reachability analysis identifies vulnerabilities that truly matter, saving your teams from needless patch frenzies. This session, hosted by the OWASP NYC Chapter, uncovers the latest insights in ASPM, remediation techniques, and application security best practices. Attendees learn how to streamline vulnerability management through practical examples, advanced risk scoring, and live demonstrations of container-based architectures. Expect lively discussions, real-world success stories, and expert tips on targeting only the exploitable weaknesses—rather than chasing every single alert in your backlog.
Francesco Cipollone
The cybersecurity landscape is evolving rapidly, demanding a threat-centric, risk-based approach to vulnerability management. With the U.S. favoring voluntary guidelines and Europe enforcing stricter regulations, organizations must navigate compliance while focusing on real exploitability over CVE volume. This blog delves into ASPM, cloud security, and regulatory intelligence, exploring how businesses can move beyond the traditional patch-and-pray model to address root cause vulnerabilities before they become critical risks.
Francesco Cipollone
Enhance your vulnerability management with Application Security Posture Management (ASPM) and reachability analysis. Discover how ASPM helps prioritize exploitable vulnerabilities, reduce security noise, and improve risk management. Learn about advanced techniques like code and container reachability, contextual deduplication, and Phoenix Security’s cutting-edge solutions for smarter, more effective application security.
Francesco Cipollone
The 2024 CWE Top 25 is out, and it’s no casual stroll through the vulnerability garden—especially when ransomware operators are busy planting path traversal exploits, while bug bounty hunters dig up endless injection flaws. In this blog, we examine the biggest risers, the most surprising dips, and the divergence between real-world exploit data and official CWE rankings. We’ll also reveal how AI-driven ASPM (Application Security Posture Management) and Phoenix Security’s contextual risk-based approach unite to help you focus on your most pressing threats. After all, not all flaws are created equal—some are simply more mischievous than others.
Francesco Cipollone
The 2024 CWE Top 25 list highlights the most dangerous software weaknesses. This article explores the methodology behind the list and how AI is improving threat detection. Discover how Application Security Posture Management (ASPM) and unified vulnerability management can help organizations address these critical threats.
Francesco Cipollone
Phoenix Security kicks off 2025 with recognition from Gartner Digital Markets through GetApp, solidifying its position as a leader in Application Security Posture Management (ASPM). Recognised for best customer success and support in ASPM, Phoenix Security empowers organisations with comprehensive, contextual vulnerability management and actionable cybersecurity solutions. With a user-friendly interface, robust real-time monitoring, and seamless risk prioritisation, the platform reduces alert fatigue while delivering precise remediation. As a cloud security leader, Phoenix Security continues to innovate, partnering with enterprises like LastPass and ClearBank to tackle the modern cybersecurity landscape head-on.
Francesco Cipollone
Derek

Derek Fisher

Head of product security at a global fintech

Derek Fisher – Head of product security at a global fintech. Speaker, instructor, and author in application security.

Derek is an award winning author of a children’s book series in cybersecurity as well as the author of “The Application Security Handbook.” He is a university instructor at Temple University where he teaches software development security to undergraduate and graduate students. He is a speaker on topics in the cybersecurity space and has led teams, large and small, at organizations in the healthcare and financial industries. He has built and matured information security teams as well as implemented organizational information security strategies to reduce the organizations risk.

Derek got his start in the hardware engineering space where he learned about designing circuits and building assemblies for commercial and military applications. He later pursued a computer science degree in order to advance a career in software development. This is where Derek was introduced to cybersecurity and soon caught the bug. He found a mentor to help him grow in cybersecurity and then pursued a graduate degree in the subject.

Since then Derek has worked in the product security space as an architect and leader. He has led teams to deliver more secure software in organizations from multiple industries. His focus has been to raise the security awareness of the engineering organization while maintaining a practice of secure code development, delivery, and operations.

In his role, Jeevan handles a range of tasks, from architecting security solutions to collaborating with Engineering Leadership to address security vulnerabilities at scale and embed security into the fabric of the organization.

Jeevan Singh

Jeevan Singh

Founder of Manicode Security

Jeevan Singh is the Director of Security Engineering at Rippling, with a background spanning various Engineering and Security leadership roles over the course of his career. He’s dedicated to the integration of security practices into software development, working to create a security-aware culture within organizations and imparting security best practices to the team.
In his role, Jeevan handles a range of tasks, from architecting security solutions to collaborating with Engineering Leadership to address security vulnerabilities at scale and embed security into the fabric of the organization.

James

James Berthoty

Founder of Latio Tech

James Berthoty has over ten years of experience across product and security domains. He founded Latio Tech to help companies find the right security tools for their needs without vendor bias.

christophe

Christophe Parisel

Senior Cloud Security Architect

Senior Cloud Security Architect

Chris

Chris Romeo

Co-Founder
Security Journey

Chris Romeo is a leading voice and thinker in application security, threat modeling, and security champions and the CEO of Devici and General Partner at Kerr Ventures. Chris hosts the award-winning “Application Security Podcast,” “The Security Table,” and “The Threat Modeling Podcast” and is a highly rated industry speaker and trainer, featured at the RSA Conference, the AppSec Village @ DefCon, OWASP Global AppSec, ISC2 Security Congress, InfoSec World and All Day DevOps. Chris founded Security Journey, a security education company, leading to an exit in 2022. Chris was the Chief Security Advocate at Cisco, spreading security knowledge through education and champion programs. Chris has twenty-six years of security experience, holding positions across the gamut, including application security, security engineering, incident response, and various Executive roles. Chris holds the CISSP and CSSLP certifications.

jim

Jim Manico

Founder of Manicode Security

Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. Jim is also the founder of Brakeman Security, Inc. and an investor/advisor for Signal Sciences. He is the author of Iron-Clad Java: Building Secure Web Applications (McGraw-Hill), a frequent speaker on secure software practices, and a member of the JavaOne Rockstar speaker community. Jim is also a volunteer for and former board member of the OWASP foundation.

Join our Mailing list!

Get all the latest news, exclusive deals, and feature updates.

The IKIGAI concept
x  Powerful Protection for WordPress, from Shield Security
This Site Is Protected By
ShieldPRO