June 22, 2022
About the Vulnerability
On June 2, Volexity reported that it had discovered unusual behavior on two internet-facing servers running Atlassian's Confluence Server. After analyzing the intrusion, Volexity found that the initial foothold was the result of a remote code execution vulnerability in Confluence Server and Data Center. The findings were submitted to Atlassian on May 31, and the issue has since been assigned CVE-2022-26134.
The impact of CVE-2022-26134
According to Atlassian's security advisory, this is an unauthenticated remote code execution vulnerability: a threat actor who exploits it can bypass authentication and run arbitrary code on unpatched systems.
The vulnerability is an Object-Graph Navigation Language (OGNL) injection.
A threat actor exploiting this vulnerability places the malicious payload in the URI of an HTTP request. Although most Proofs-of-Concept (PoCs) use the GET method, any request method, including an invalid one, appears to suffice.
The simplest form of a URI containing a malicious payload is:
URL-decoding it yields the following exploit expression:
which creates a new file in the /tmp/ directory.
This example depicts a case in which the threat actor does not need any output from the compromised server. A threat actor who also wants the response from the compromised server can use the X-Cmd-Response header.
Sample HTTP Request
Sample HTTP Response
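As an added example (not from the original post or Nexusguard), a small Python detector that applies the two observations above to constructed sample traffic: an OGNL expression opener in the (possibly double-encoded) URI, and an X-Cmd-Response header in the reply. The log entries and the placeholder expression are constructed, and the request method is deliberately not filtered because any method works.

```python
import re
from urllib.parse import unquote

# OGNL expression openers as they appear once the URI is URL-decoded.
OGNL_OPENER = re.compile(r"[$%]\{")

# Constructed sample traffic: (method, request URI, response headers).
# The OGNL body is a placeholder token, not a working expression.
SAMPLE_TRAFFIC = [
    ("GET", "/%24%7BPLACEHOLDER_OGNL%7D/",
     {"Content-Type": "text/html", "X-Cmd-Response": "constructed"}),
    ("BOGUS", "/${PLACEHOLDER_OGNL}/", {"Content-Type": "text/html"}),
    ("GET", "/%2524%257BPLACEHOLDER_OGNL%257D/", {"Content-Type": "text/html"}),
    ("GET", "/pages/viewpage.action?pageId=42", {"Content-Type": "text/html"}),
    ("POST", "/rest/api/content", {"Content-Type": "application/json"}),
]

def decode_uri(uri: str, rounds: int = 2) -> str:
    """URL-decode repeatedly so single- and double-encoded payloads look alike."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def is_ognl_injection_uri(uri: str) -> bool:
    """True when the decoded URI contains an OGNL expression opener (${ or %{)."""
    return OGNL_OPENER.search(decode_uri(uri)) is not None

def response_returns_cmd_output(headers: dict) -> bool:
    """True when the server echoed command output via X-Cmd-Response."""
    return any(name.lower() == "x-cmd-response" for name in headers)

def scan_traffic(traffic):
    """Return (index, method, reasons) for each exchange resembling CVE-2022-26134 activity."""
    findings = []
    for idx, (method, uri, resp_headers) in enumerate(traffic):
        reasons = []
        if is_ognl_injection_uri(uri):
            reasons.append("ognl-expression-in-uri")
        if response_returns_cmd_output(resp_headers):
            reasons.append("x-cmd-response-in-reply")
        if reasons:
            findings.append((idx, method, reasons))
    return findings

if __name__ == "__main__":
    for idx, method, reasons in scan_traffic(SAMPLE_TRAFFIC):
        print(f"exchange #{idx} ({method}): {', '.join(reasons)}")
```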
After successful exploitation, an attacker could then implant JSP webshells such as Behinder and Chopper.
Confluence Server and Data Center versions after 1.3.0 are affected by this vulnerability.
Mitigating CVE-2022-26134
Atlassian released versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1 which contain a fix for this issue. The security advisory provides full details on how to update your vulnerable Confluence server.
Nexusguard’s response to CVE-2022-26134
The Nexusguard WAF has already been updated with a new rule that blocks attempts to exploit this Atlassian vulnerability. Customers that use Atlassian's products and services, or that are concerned about their exposure to this vulnerability, should reach out to the Nexusguard Service Team to review their WAF policies.
INDICATORS OF COMPROMISE
Take immediate action to safeguard your organization, clients and data
Due to the gravity of this vulnerability, anyone impacted who is unable to update their Confluence servers should seek specialist assistance immediately. Nexusguard's Application Protection provides easy-to-implement and effective protection against all forms of L3-L4 and L7 attacks, including all potential zero-day attacks.
For further information, please read about Nexusguard’s Application Protection or reach out to us via our Emergency Contact Form.