research

SecurityTrails Blog · Jun 03 · by Aaron Soehnen, German Hoeffner

Action needed: Atlassian Confluence On-Premise RCE Vulnerability - CVE-2022-26134

Reading time: 4 minutes

If you are an administrator of an Atlassian Confluence On-Premise installation, please make sure to update your installation immediately. All current versions of Confluence Server & Data Center are affected.

With the recent F5 vulnerabilities released just a couple of weeks ago, customers of common enterprise products continue to face a dynamic threat landscape, demanding a high awareness to respond appropriately.

The current vulnerability CVE-2022-26134 in Confluence has been rated critical (9 out of 10 on the CVSSv3 scale) by Atlassian and was initially discovered by Volexity because they found it to be exploited in the wild. It allows anyone with web access to a Confluence instance to execute arbitrary commands and even gain complete access to the system if Confluence is run as root. Atlassian Confluence is a wiki-like enterprise knowledge base that integrates with other well-known Atlassian products like Jira and Trello. According to Atlassian, companies like Audi, Sony, and Zoom, as well as government institutions like NASA and the Department of Defense use Confluence.

What is CVE-2022-26134?

The current vulnerability is confirmed to affect versions 1.3.0 and higher of Confluence Server and Confluence Data Center. This includes all supported versions (7.4 and higher). From initial analysis, researchers assume that the systems have been exploited through command injection, which was used to load a malicious class file into memory. No concrete details of the exploit have been published yet. We could also not find any proof of concepts on Github, the open or dark web, but we will continue to update this post as the situation changes.

The malicious class file allows for arbitrary remote code execution, where an attacker is able to make the Confluence server process load, and execute any command. Neither a user account nor any other form of authentication on Confluence is needed. Generally, such exploits are used to place further malware such as web shells on the system, creating a permanent entry point to the system and network. If Confluence is run as root, this allows attackers to access and modify all data that is present on or accessible from the system. Volexity confirmed that attackers did, amongst other things, examine “/etc/passwd”, dump user tables from the local Confluence database and alter log files.

How to patch the CVE-2022-26134 Confluence vulnerability?

Although all On-Premise instances of Confluence are affected, Atlassian affirms that if your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable. On Friday 10 AM PDT (17:00 UTC) Atlassian released updated versions of Confluence 7.4 and 7.13 or higher, mitigating the vulnerability. Administrators are urged to update their instances as soon as possible. In cases where an update is not possible, Atlassian provided instructions to temporarily work around the issue for some versions. Until an instance is updated or patched, all access from the internet should be restricted.

Cloudflare also analyzed the exploit and added a Web Application Firewall (WAF) rule for all its customers hosting Confluence with Cloudflare WAF or Access to mitigate it. Before the patch was released, Atlassian noted that a WAF rule blocking all URLs containing ${ may reduce the risk of compromise.

How does the CVE-2022-26134 exploit work?

While no actual breakdown was given by the researchers, Veloxity noted that the exploit is similar to past command injection attacks against Java-based systems. This could be a reference to log4shell vulnerability. The WAF rule suggests that current Confluence installations accept certain GET parameters which are likely unsanitized. Then, possibly through direct system command invocation like in the recent F5 vulnerability, or through log4j-style JNDI remote class loading from an attacker-controlled host, the malicious class file is loaded into memory.

This class resembles a web-shell “base camp” to execute further commands without re-exploiting Confluence. The attackers used it to load various other dedicated web shells on the system.

Finding and fixing as a priority

CISA - The Cybersecurity and Infrastructure Security Agency added Atlassian Confluence to its list of known exploited vulnerabilities, following reports of this vulnerability being actively exploited. To get started on finding and mitigating the Atlassian Confluence vulnerability on your network, talk to our ASI expert team to get insights into your organization’s assets. Our quick response team is working on adding detection capabilities and we are closely monitoring the situation. We will update this post as new information becomes available.

Easily find and identify your organizations assets

X