Summary
On 2 June 2022, Atlassian published an advisory for CVE-2022-26134, a critical unauthenticated remote code execution vulnerability in Confluence Server and Confluence Data Center. According to Atlassian, all supported versions of Confluence Server and Data Center are affected.
CVE-2022-26134 is an unauthenticated, remote OGNL (Object-Graph Navigation Language) injection vulnerability that results in code execution in the context of the Confluence Server process. If Confluence Server runs with root privileges, an attacker could gain complete control of the server; running Confluence Server (or any other server) as root is not recommended in any case. Given the nature of the vulnerability, internet-facing Confluence servers are at very high risk.
Suggestion
Organizations that have an internet-facing Confluence Server or Data Center instance may want to consider moving it behind a VPN. That protects it from outsiders and changes the attack vector to the local network, so only an insider would be able to exploit the vulnerability.
OGNL payloads generally look like "${@java.lang.Runtime@getRuntime().exec("touch /tmp/r7")}", so if you are looking for evidence of exploitation on your Confluence servers, we suggest searching the log files for the string "${". According to Atlassian, their Cloud sites are protected. Atlassian states: "If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable. Our investigations have not found any evidence of exploitation of Atlassian Cloud."
But if you run an in-house Confluence Server or host it yourself, upgrade Confluence immediately. If that is not possible, as a temporary workaround you can mitigate CVE-2022-26134 by updating the files listed in the official Atlassian advisory.
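The log search suggested above, as an added example that is not part of the original advisory: it percent-decodes each access-log line first (clients normally send "${" as "%24%7B", so a raw grep for "${" can miss it), flags every line containing the OGNL opener, and rates lines that also show the "@class@method" static-call syntax from the quoted payload as high severity. The sample log lines are constructed for the example, not real traffic.

```python
import re
from urllib.parse import unquote

# The OGNL expression opener the advisory text tells you to search for.
OGNL_MARKER = "${"
# Stricter pattern: "${" followed by OGNL's "@class@method" static-call syntax,
# as in the payload quoted above. Lines matching this deserve immediate attention.
STATIC_CALL = re.compile(r"\$\{[^}]*@[\w.]+@")


def find_ognl_indicators(log_lines):
    """Return a list of (line_no, decoded_line, severity) for suspicious lines.

    Each line is percent-decoded before matching because web access logs
    usually store the request path URL-encoded ("%24%7B" rather than "${").
    severity is "high" when the static-call syntax is present, otherwise "low"
    (a bare "${" can also be a harmless template or shell-style reference).
    """
    hits = []
    for line_no, raw in enumerate(log_lines, start=1):
        decoded = unquote(raw)
        if OGNL_MARKER not in decoded:
            continue
        severity = "high" if STATIC_CALL.search(decoded) else "low"
        hits.append((line_no, decoded, severity))
    return hits


# Constructed sample access-log lines (not real traffic). The first carries the
# payload shape quoted in the text, percent-encoded as a client would send it;
# the third contains a benign "${...}" reference and should only rate "low".
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Jun/2022:10:15:01 +0000] "GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20%2Ftmp%2Fr7%22%29%7D/ HTTP/1.1" 302 -',
    '10.0.0.7 - - [02/Jun/2022:10:15:02 +0000] "GET /login.action HTTP/1.1" 200 4123',
    '10.0.0.9 - - [02/Jun/2022:10:15:03 +0000] "GET /display/DOCS/pricing?note=costs%20%24%7Bamount%7D HTTP/1.1" 200 1234',
]

if __name__ == "__main__":
    for line_no, decoded, severity in find_ognl_indicators(SAMPLE_LOG):
        print(f"line {line_no} [{severity}]: {decoded}")
```

Run it over your real access logs by replacing SAMPLE_LOG with the file's lines; a "high" hit is a strong indicator that should trigger incident response, while "low" hits need a quick manual look.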
Fixed Version
7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, 7.18.1
Resources
- Confluence Security Advisory 2022-06-02
- Active Exploitation of Confluence CVE-2022-26134
Authors: Narendra Kumawat, Mahesh Saptarshi
For more information contact: contact@cybersecurist.com