Unveiling noteworthy exploited vulnerabilities of 2022

The recent release of a report by the Cybersecurity and Infrastructure Security Agency (CISA) has brought attention to the vulnerabilities most frequently exploited in 2022. As an entity closely connected to a substantial portion of the Internet, Cloudflare possesses a unique vantage point that enables the observation of how the Common Vulnerabilities and Exposures (CVEs) spotlighted by CISA manifest as exploits on the Internet.

Here is a glimpse into the agency’s findings.

From the agency’s analysis, it is evident that two CVEs highlighted in the CISA report significantly contribute to the bulk of attack traffic witnessed in the wild: Log4J and Atlassian Confluence Code Injection. While the CISA/CSA report encompasses a broader array of vulnerabilities, their data underscores a substantial divergence in the volume of exploits between the top two CVEs and the rest.

Key Vulnerabilities of 2022

Sorting vulnerabilities by the quantity of requests identified through WAF Managed Rules tailored for the specific CVEs mentioned in the CISA report, we present a ranking of these vulnerabilities by prevalence:

  • Log4J: Improper Input Validation leading to Remote Code Execution in Apache Log4j logging library (CVE-2021-44228)
  • Atlassian Confluence Code Injection: Atlassian Confluence Server and Data Center Remote Code Execution Vulnerability (CVE-2022-26134)
  • Microsoft Exchange servers: Combination of three vulnerabilities for Remote Code Execution, known as ProxyShell (CVE-2021-34473, CVE-2021-31207, CVE-2021-34523)
  • BIG-IP F5: Potential unauthorized access enabling arbitrary code execution (CVE-2022-1388)
  • VMware: Combination of two vulnerabilities leading to remote root access (CVE-2022-22954, CVE-2022-22960)
  • Atlassian Confluence 0-day: Remote Code Execution Issue in Confluence Server and Data Center (CVE-2021-26084)

Leading the pack is Log4J (CVE-2021-44228), a somewhat unsurprising outcome given its potential for significant impact — culminating in complete remote compromise. 

Following closely is the Atlassian Confluence Code Injection (CVE-2022-26134).

Occupying the third spot, we find the amalgamation of three CVEs targeting Microsoft Exchange servers (CVE-2021-34473, CVE-2021-31207, and CVE-2021-34523). 

Fourth is the BIG-IP F5 exploit (CVE-2022-1388), trailed by a pair of VMware vulnerabilities (CVE-2022-22954 and CVE-2022-22960). 

The list concludes with another Atlassian Confluence 0-day (CVE-2021-26084).

A comparison of attack volumes for these groups reveals the prominence of one vulnerability. Log4J emerges as significantly more exploited than its closest competitor (Atlassian Confluence Code Injection), while the remaining CVEs exhibit lower attack volumes. Although the CISA/CSA report lumps these vulnerabilities together, a closer examination suggests two distinct groups: a dominant CVE (Log4J), and a secondary cluster of comparable 0-day exploits, each with similar attack volumes.

A Deeper Look into Key CVEs

CVE-2021-44228: Log4J

The notorious CVE-2021-44228, commonly referred to as the Log4j vulnerability, commands the first position in our listing. This flaw disrupted the cybersecurity landscape in 2021 and continues to be exploited extensively.

Cloudflare acted swiftly, releasing new managed rules shortly after the vulnerability's public revelation. The subsequent days saw additional detections introduced. Cloudflare’s response took shape in three stages.

The deployed rules targeted four categories of exploit patterns:

  • Log4j Headers: Attack pattern in HTTP header
  • Log4j Body: Attack pattern in HTTP body
  • Log4j URI: Attack pattern in URI
  • Log4j Body Obfuscation: Obfuscated attack pattern

CVE-2022-26134: Atlassian Confluence Code Injection

The second most exploited CVE in 2022, CVE-2022-26134, pertains to a code injection vulnerability in Atlassian Confluence. This vulnerability posed a significant threat, underscoring the critical role of knowledge-based systems within organizations. Cloudflare’s WAF team responded with two emergency releases to safeguard its clients:

Emergency Release: June 4, 2022

Emergency Release: June 7, 2022

Both Log4J and Confluence Code Injection displayed seasonality, marked by heightened attack volumes from September to November 2022, until March 2023. This temporal pattern likely reflects ongoing attacker campaigns.

CVE-2021-34473, CVE-2021-31207, and CVE-2021-34523: Microsoft Exchange SSRF and RCE Vulnerabilities

Three previously undisclosed vulnerabilities were chained to achieve a Remote Code Execution (RCE) 0-day attack against Microsoft Exchange servers. Cloudflare’s WAF swiftly responded with a rule released on March 3, 2022, designed to counter this vulnerability.

CVE-2022-1388: RCE in BIG-IP F5

CVE-2022-1388 denotes a security vulnerability exploitable by an unauthenticated adversary with network connectivity to BIG-IP systems. Cloudflare promptly deployed a rule with the Emergency Release: May 5, 2022, to detect this issue.

While exploitation patterns were generally consistent, a spike was notable in late June 2023.

CVE-2022-22954: VMware Workspace ONE Access and Identity Manager Server-side Template Injection Remote Code Execution Vulnerability

This vulnerability allowed remote triggering of a server-side template injection, potentially culminating in remote code execution. Cloudflare addressed this by releasing a rule on May 5, 2022.

CVE-2021-26084: Confluence Server Webwork OGNL injection

An OGNL injection vulnerability was identified, enabling arbitrary code execution on a Confluence Server or Data Center instance. Cloudflare responded with an emergency release on September 9, 2022. Notably, this CVE witnessed fewer exploits compared to others.

Recommendations for Enhanced Security

It is advisable for server administrators to promptly update their software upon the availability of fixes. Cloudflare users, including those on the free tier, can benefit from new rules addressing CVEs and 0-day threats, updated weekly within the Managed Ruleset. High-risk CVEs might even prompt emergency releases. 
