Hello and welcome to the Tuesday, November 7, 2020,

edition of the Sands and its Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

After hearing about some exploits being released for the latest Latian Confluence

Data Center and Server vulnerability.

I took a look today at our data to see if we do actually see any exploitation attempts against this vulnerability.

This is CVE 202023-2518, and the URLs involved here are all starting with JSON slash setup dash restore.

There are sort of three different here, one local and also progress URL that's being used here.

Apparently it's also required that you are using an

ex-edlation token header with a no check parameter. On GitHub you'll easily find

three different exploits for this one ability. I haven't tested them yet. They do look

legit. One is a bit more complex, appears to add some

additional functionality, including looking for another URL slash rest slash API slash user.

The first exploit attempt we have seen came from 206-189-179-132.

This is a Digital Ocean IP, and haven't really seen much from that IP before back in

March.

They also looked for slash T4, which I believe is associated with WebLogic.

Now, this initial attempt I posted a complete request in the diary that I wrote today about

this does actually not include the token header.

So this may just be a quick check if that particular system is actually running at least and whether or not that URL is

reachable.

There are then a couple of other URLs that have exploited this vulnerability in the last few

...