The recent release of a report by the Cybersecurity and Infrastructure Security Agency (CISA) has brought attention to the vulnerabilities most frequently exploited in 2022. As an entity closely connected to a substantial portion of the Internet, Cloudflare possesses a unique vantage point that enables the observation of how the Common Vulnerabilities and Exposures (CVEs) spotlighted by CISA manifest as exploits on the Internet.
Here is a glimpse into the agency’s findings.
From the agency’s analysis, it is evident that two CVEs highlighted in the CISA report significantly contribute to the bulk of attack traffic witnessed in the wild: Log4J and Atlassian Confluence Code Injection. While the CISA/CSA report encompasses a broader array of vulnerabilities, their data underscores a substantial divergence in the volume of exploits between the top two CVEs and the rest.
Key Vulnerabilities of 2022
Sorting vulnerabilities by the quantity of requests identified through WAF Managed Rules tailored for the specific CVEs mentioned in the CISA report, we present a ranking of these vulnerabilities by prevalence:
- Log4J: Improper Input Validation leading to Remote Code Execution in Apache Log4j logging library (CVE-2021-44228)
- Atlassian Confluence Code Injection: Atlassian Confluence Server and Data Center Remote Code Execution Vulnerability (CVE-2022-26134)
- Microsoft Exchange servers: Combination of three vulnerabilities for Remote Code Execution, known as ProxyShell (CVE-2021-34473, CVE-2021-31207, CVE-2021-34523)
- BIG-IP F5: Potential unauthorized access enabling arbitrary code execution (CVE-2022-1388)
- VMware: Fusion of two vulnerabilities for remote Root access (CVE-2022-22954, CVE-2022-22960)
- Atlassian Confluence 0-day: Remote Code Execution Issue in Confluence Server and Data Center (CVE-2021-26084)
Leading the pack is Log4J (CVE-2021-44228), a somewhat unsurprising outcome given its severity: successful exploitation culminates in complete remote compromise.
Following closely is the Atlassian Confluence Code Injection (CVE-2022-26134).
Occupying the third spot, we find the amalgamation of three CVEs targeting Microsoft Exchange servers (CVE-2021-34473, CVE-2021-31207, and CVE-2021-34523).
Fourth is the BIG-IP F5 exploit (CVE-2022-1388), trailed by a pair of VMware vulnerabilities (CVE-2022-22954 and CVE-2022-22960).
The list concludes with another Atlassian Confluence 0-day (CVE-2021-26084).
A comparison of attack volumes for these groups reveals the prominence of one vulnerability. Log4J emerges as significantly more exploited than its closest competitor (Atlassian Confluence Code Injection), while the remaining CVEs exhibit lower attack volumes. Although the CISA/CSA report lumps these vulnerabilities together, a closer examination suggests two distinct groups: a dominant CVE (Log4J), and a secondary cluster of comparable 0-day exploits, each with similar attack volumes.
A Deeper Look into Key CVEs
The notorious CVE-2021-44228, commonly referred to as the Log4j vulnerability, commands the first position in our listing. This flaw disrupted the cybersecurity landscape in 2021 and continues to be exploited extensively.
Cloudflare acted swiftly, releasing new managed rules shortly after the vulnerability's public revelation. The subsequent days saw additional detections introduced. Cloudflare’s response took shape in three stages:
- Emergency release: December 10, 2021
- Emergency release: December 14, 2021
- Emergency release: December 16, 2021
The deployed rules targeted four categories of exploit patterns:
- Log4j Headers: Attack pattern in HTTP header
- Log4j Body: Attack pattern in HTTP Body
- Log4j URI: Attack Pattern in URI
- Log4j Body Obfuscation: Obfuscated Attack pattern
CVE-2022-26134: Atlassian Confluence Code Injection
The second most exploited CVE in 2022, CVE-2022-26134, pertains to a code injection vulnerability in Atlassian Confluence. This vulnerability posed a significant threat, underscoring the critical role of knowledge-based systems within organizations. Cloudflare’s WAF team responded with two emergency releases to safeguard its clients.
Both Log4J and Confluence Code Injection displayed seasonality, marked by heightened attack volumes from September to November 2022 and continuing until March 2023. This temporal pattern likely reflects ongoing attacker campaigns.
CVE-2021-34473, CVE-2021-31207, and CVE-2021-34523: Microsoft Exchange SSRF and RCE Vulnerabilities
Three previously undisclosed vulnerabilities were chained into a Remote Code Execution (RCE) 0-day attack targeting Microsoft Exchange servers. Cloudflare’s WAF swiftly responded with a rule released on March 3, 2022, designed to counter this chain.
CVE-2022-1388: RCE in BIG-IP F5
CVE-2022-1388 denotes a security vulnerability exploitable by an unauthenticated adversary with network connectivity to BIG-IP systems. Cloudflare promptly deployed a detection rule for this issue in an emergency release on May 5, 2022.
While exploitation patterns were generally consistent, a spike was notable in late June 2023.
CVE-2022-22954: VMware Workspace ONE Access and Identity Manager Server-side Template Injection Remote Code Execution Vulnerability
This vulnerability allowed remote triggering of a server-side template injection, potentially culminating in remote code execution. Cloudflare addressed this by releasing a rule on May 5, 2022.
CVE-2021-26084: Confluence Server Webwork OGNL injection
An OGNL injection vulnerability was identified, enabling arbitrary code execution on a Confluence Server or Data Center instance. Cloudflare responded with an emergency release on September 9, 2022. Notably, this CVE witnessed fewer exploits compared to others.
Recommendations for Enhanced Security
It is advisable for server administrators to promptly update their software upon the availability of fixes. Cloudflare users, including those on the free tier, can benefit from new rules addressing CVEs and 0-day threats, updated weekly within the Managed Ruleset. High-risk CVEs might even prompt emergency releases.