Three Lessons from the Confluence Server Vulnerability (CVE-2022-26134)
Recently, Atlassian issued a major security notice to all of its users about a critical vulnerability, identified as CVE-2022-26134, in its widely used Confluence Server solution. The vulnerability allows an unauthenticated malicious actor to execute arbitrary code on a Confluence Server or Data Center instance, which could grant the attacker full control of the vulnerable server.
Atlassian has urged customers not to expose their Confluence Server instances to the internet until they have deployed the patch for this issue. But this is a major problem for organizations that need to make on-premises products available via the internet to provide remote access for their hybrid workforce.
This Confluence Server vulnerability exemplifies the need to rethink how access should be granted. Below are three lessons that can be learned from CVE-2022-26134.
1. Mitigate risks associated with over-entitlement
It goes without saying that your employees require access to certain sensitive data stored in corporate applications. But this doesn't mean users should get access to everything once they are on the network. Regardless of whether the data is hosted on-premises or in the cloud, make sure the right employees have access to the right apps, and to the right data within those apps, and nothing more. This access needs to be continuously monitored for changes in user behavior and risk level.
Virtual Private Network (VPN) solutions often grant wide access to your corporate apps and network and do not take into account the changing risk status of the user during the session. If an unauthorized user were to tunnel in through your VPN with compromised credentials, they could move freely within your infrastructure and reach sensitive data. VPNs are not built with zero trust principles in mind: they lack granular application context and do not account for signals such as the user's risk score based on location, device, or IP address.
To grant your users the access they need without imposing additional risk on the entire organization, you need a remote access solution that adheres to Zero Trust principles. This requires the ability to provide precise, per-application access that dynamically adjusts based on the risk level of the user and the device they use.
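The following is an added example (not Lookout's code and not part of the original post) that illustrates the contrast drawn above: instead of a single decision at tunnel setup that grants broad network reach, each request is checked against the user's entitlement for that one application and against the current risk of the user and device, and a rise in risk mid-session downgrades or revokes access. The entitlement table, the risk weights and the per-app thresholds are constructed for illustration and are not values from the page.

```python
"""Risk-adaptive, per-application access decisions (constructed example).

Every request is evaluated against (a) an explicit entitlement for that
application and action, and (b) the risk score computed from the user's
and device's current context. Nothing outside the entitlement table is
reachable, so a compromised credential cannot be used for VPN-style
lateral movement to other apps.
"""
from dataclasses import dataclass

# Hypothetical entitlements: user -> {app: allowed actions}. Anything absent is denied.
ENTITLEMENTS = {
    "alice": {"wiki": {"read", "write"}, "hr-portal": {"read"}},
    "bob": {"wiki": {"read"}},
}

# Maximum risk score tolerated per app and action (constructed thresholds).
APP_POLICY = {
    "wiki": {"read": 70, "write": 40},
    "hr-portal": {"read": 30},
}

@dataclass
class Context:
    user: str
    device_managed: bool
    device_risk: int        # 0-100, assumed to come from endpoint telemetry
    country: str
    home_country: str
    ip_reputation_bad: bool

def risk_score(ctx: Context) -> int:
    """Combine context signals into a 0-100 score (weights are illustrative)."""
    score = ctx.device_risk
    if not ctx.device_managed:
        score += 25
    if ctx.country != ctx.home_country:
        score += 20
    if ctx.ip_reputation_bad:
        score += 40
    return min(score, 100)

def decide(ctx: Context, app: str, action: str) -> str:
    """Return 'allow', 'step-up' (e.g. require MFA again) or 'deny' for one request."""
    allowed = ENTITLEMENTS.get(ctx.user, {}).get(app, set())
    if action not in allowed:
        return "deny"                      # no entitlement, regardless of risk
    threshold = APP_POLICY[app][action]
    score = risk_score(ctx)
    if score <= threshold:
        return "allow"
    if score <= threshold + 30:
        return "step-up"                   # moderately over threshold: re-verify
    return "deny"

class Session:
    """Re-evaluates policy on every request instead of once at login."""
    def __init__(self, ctx: Context):
        self.ctx = ctx
        self.log = []

    def request(self, app: str, action: str) -> str:
        decision = decide(self.ctx, app, action)
        self.log.append((app, action, decision))
        return decision

    def update(self, **changes):
        """Apply a change in risk signals observed mid-session."""
        for key, value in changes.items():
            setattr(self.ctx, key, value)

def demo() -> list:
    """Walk one session through a risk change; returns the decision sequence."""
    session = Session(Context("alice", True, 10, "DE", "DE", False))
    results = [
        session.request("wiki", "write"),       # low risk, entitled -> allow
        session.request("hr-portal", "read"),   # low risk, entitled -> allow
        session.request("finance", "read"),     # never entitled     -> deny
    ]
    # Mid-session: endpoint reports a high risk score and the source IP is flagged.
    session.update(device_risk=60, ip_reputation_bad=True)
    results += [
        session.request("wiki", "read"),        # score 100 > 70 but within +30 -> step-up
        session.request("wiki", "write"),       # score 100 far above 40        -> deny
    ]
    return results

if __name__ == "__main__":
    print(demo())
```

The point of the `Session.update` call is that the same identity, still holding a valid credential, gets a different answer once the device or network context changes; a VPN tunnel established before that change would not re-check.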
2. Continuously monitor to identify anomalous user behavior
Atlassian notes that this vulnerability could be exploited by unauthenticated users. The fact that this vulnerability was a zero-day up until its recent discovery shows the importance of being able to identify anomalous user behavior in your apps.
Without visibility into the context in which users and devices access your apps, and into how they interact with the data inside those apps, you could be missing critical signs of a breach, whether it is the exploitation of a zero-day vulnerability or the use of compromised employee credentials. The challenge is that many on-premises solutions cannot identify anomalous behavior the way cloud-built solutions can, especially as threat actors increasingly use tactics that are harder to detect.
To detect modern threats and anomalous behavior within their on-premises apps, organizations need a way to extend the same strong security benefits of cloud-based SaaS solutions to legacy on-premises apps and data.
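As an added example of the kind of context-based anomaly detection the lesson above calls for (this is illustrative code, not Lookout's product logic and not from the original post), the block below learns a per-user baseline of countries, devices and application paths from a trusted history window of access-log lines, then flags later events that deviate: a user appearing from a new country or device, an unknown user, and an anonymous request that succeeds on a path the baseline only ever saw served to authenticated users. The log format and all log lines are constructed for the example; a real deployment would adapt `LOG_LINE` to the application's actual access-log format.

```python
"""Baseline-and-deviation detection over application access logs (constructed example)."""
import re
from collections import defaultdict, Counter

# Constructed, simplified log format:
# <timestamp> user=<name|-> ip=<addr> country=<CC> device=<id|-> <METHOD> <path> <status>
LOG_LINE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) country=(?P<country>\w\w) "
    r"device=(?P<device>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

def parse(line: str):
    """Return a dict of fields, or None if the line does not match the format."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    return ev

class Baseline:
    """Per-user profile learned from a history window believed to be clean."""
    def __init__(self):
        self.countries = defaultdict(set)
        self.devices = defaultdict(set)
        self.paths = defaultdict(Counter)     # user -> path -> request count
        self.anon_paths = set()               # paths successfully served anonymously
        self.auth_only_paths = set()          # paths only ever served to logged-in users

    def learn(self, lines):
        for line in lines:
            ev = parse(line)
            if ev is None:
                continue
            if ev["user"] == "-":
                if 200 <= ev["status"] < 300:
                    self.anon_paths.add(ev["path"])
            else:
                u = ev["user"]
                self.countries[u].add(ev["country"])
                self.devices[u].add(ev["device"])
                self.paths[u][ev["path"]] += 1
        seen_authenticated = {p for counter in self.paths.values() for p in counter}
        self.auth_only_paths = seen_authenticated - self.anon_paths
        return self

def detect(baseline: Baseline, lines):
    """Return (line_index, reason) for each event that deviates from the baseline."""
    findings = []
    for i, line in enumerate(lines):
        ev = parse(line)
        if ev is None:
            findings.append((i, "unparseable line"))
            continue
        u = ev["user"]
        if u == "-":
            # An anonymous request succeeding where only authenticated users ever did
            # is the kind of signal worth raising when unauthenticated access bugs exist.
            if ev["path"] in baseline.auth_only_paths and 200 <= ev["status"] < 300:
                findings.append((i, "anonymous request succeeded on an authenticated-only path"))
            continue
        if u not in baseline.countries:
            findings.append((i, f"unknown user {u}"))
            continue
        if ev["country"] not in baseline.countries[u]:
            findings.append((i, f"{u}: new country {ev['country']}"))
        if ev["device"] not in baseline.devices[u]:
            findings.append((i, f"{u}: new device {ev['device']}"))
        if ev["path"] not in baseline.paths[u]:
            findings.append((i, f"{u}: first access to {ev['path']}"))
    return findings

# Constructed history window used to build the baseline.
HISTORY = [
    "2022-06-01T09:00:00Z user=alice ip=10.0.0.5 country=DE device=lap-01 GET /wiki/spaces/ENG 200",
    "2022-06-01T09:05:00Z user=alice ip=10.0.0.5 country=DE device=lap-01 POST /wiki/pages/edit 200",
    "2022-06-01T09:10:00Z user=bob ip=10.0.0.9 country=US device=lap-07 GET /wiki/spaces/ENG 200",
    "2022-06-01T09:12:00Z user=- ip=203.0.113.4 country=NL device=- GET /login 200",
    "2022-06-01T09:13:00Z user=- ip=203.0.113.4 country=NL device=- GET /wiki/pages/edit 401",
]

# Constructed new events to evaluate against that baseline.
NEW_EVENTS = [
    "2022-06-02T03:00:00Z user=alice ip=198.51.100.7 country=BR device=lap-01 GET /wiki/spaces/ENG 200",
    "2022-06-02T09:00:00Z user=bob ip=10.0.0.9 country=US device=lap-07 GET /wiki/spaces/ENG 200",
    "2022-06-02T09:01:00Z user=- ip=203.0.113.4 country=NL device=- GET /wiki/pages/edit 200",
    "2022-06-02T09:02:00Z user=carol ip=10.0.0.3 country=DE device=lap-02 GET /wiki/spaces/ENG 200",
    "garbage line that does not match the format",
]

def run_demo():
    """Learn from HISTORY, then evaluate NEW_EVENTS; returns the findings list."""
    return detect(Baseline().learn(HISTORY), NEW_EVENTS)

if __name__ == "__main__":
    for index, reason in run_demo():
        print(index, reason)
```

Which deviations matter depends on the application; the value of the approach is that the baseline is built from the app's own access context rather than from network-level tunnel logs, which is exactly what a VPN-only deployment lacks.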
3. Cloak your on-premises resources from malicious actors
It's interesting to note that Atlassian's recommendation for protecting against this vulnerability is to disable web-enabled access to Confluence Server instances until the patch has been applied.
While this is technically a legitimate way to mitigate the risk of exploitation, it could cause major operational interruptions and bring productivity to a screeching halt if remote employees aren’t able to access the app. Most organizations can’t afford this blunt force approach and will likely keep the app web-enabled in spite of the associated risk. The issue is, when a vulnerability is made known or public, attackers will run scripts to automatically identify servers that are still vulnerable, which means they’re at risk of being breached. In this particular case, this vulnerability was a zero-day until its recent discovery, which means attackers could have been exploiting it for years.
Regardless of whether an on-premises server is currently in a vulnerable state or not, it shouldn’t be broadly discoverable on the internet. By cloaking your web-facing servers from the internet, you can protect them from discovery and subsequent exploitation by malicious actors while still letting legitimate users access the apps.
How Lookout Helps
Organizations across the globe will be scrambling to issue this critical patch to Confluence Server now that Atlassian has released it. As the issue is fixed, it’s important to take it as a learning opportunity and understand what you can do to proactively protect your organization against critical vulnerabilities like this one.
It's completely normal for organizations to still have legacy software running on-premises. But to provide secure access for your remote workers, you need to leverage a context-aware Zero Trust Network Access (ZTNA) solution. This ensures that on-premises apps behave, and are secured, like cloud apps. A complete ZTNA solution takes into account your users' behavior, the risk posture of the endpoint they use, and the sensitivity level of the data they access.
This is why Lookout Security Service Edge (SSE) has technologies such as User and Entity Behavior Analytics (UEBA), Data Loss Prevention (DLP) and Enterprise Digital Rights Management (EDRM) built in. To learn more about how Lookout ZTNA helps IT and security teams implement cloud-caliber threat protection to legacy and on-premises apps, mitigate the risk of security gaps with uniform context-based data protection policies, and augment the value of VPN with granular access capabilities, visit our page on ZTNA.