Unauthenticated Confluence RCE Vulnerability (CVE-2022-26134) Actively Exploited in the Wild

CVE-2022-26134 is an unauthenticated and remote OGNL injection vulnerability that could lead to remote code execution.
Published on June 13, 2022
Updated on February 27, 2023

Category: Vulnerability Intelligence
Vulnerability Class: Remote Code Execution
CVE ID: CVE-2022-26134
CVSS:3.0 Score: N/A

Executive Summary

Threat
  • Remote OGNL injection vulnerability resulting in RCE in all supported versions of Confluence Server and Data Center.
  • Actively exploited in the wild by threat actors.
  • First instance of exploitation was detected as a zero-day in the wild by Volexity.
Impact
  • Attackers can exploit this vulnerability to execute commands remotely.
  • The initial foothold can enable threat actors to further exploit networks, deploy ransomware, leak data, etc.
  • Loss of reputation, revenue, customer data, intellectual property, etc.
Mitigation
  • Update Confluence Server and Data Center to one of the following fixed versions:
    • 7.4.17
    • 7.13.7
    • 7.14.3
    • 7.15.2
    • 7.16.4
    • 7.17.4
    • 7.18.1

Overview of CVE-2022-26134

  • CVE-2022-26134 is an unauthenticated and remote OGNL injection vulnerability that could lead to remote code execution.
  • Due to the public-facing nature of Confluence Servers, the vulnerability poses a high risk of exploitation.
  • To exploit the vulnerability, an attacker with network access simply needs to send a specially crafted request to a vulnerable Confluence instance to gain code execution on the target system.

Information from OSINT

  • There are at least 9,396 publicly reachable instances of Confluence on the internet.
    [Figure: Source: Shodan]
  • Mass-scale exploitation of this vulnerability has been observed by multiple sources.
    [Figure: Source: Cloudflare]

Information from DarkWeb

A significant amount of chatter was observed on cybercrime forums and channels regarding this vulnerability.
[Figure: Cybercrime forum post discussing CVE-2022-26134]

Technical Analysis

CVE-2022-26134 is an unauthenticated OGNL injection vulnerability in Confluence Server and Data Center that is reachable over HTTP.
  • To exploit the vulnerability, the OGNL payload is placed in the URI path of an HTTP request; any HTTP method, valid or invalid, will do.
  • The attacker-supplied URI is translated into a namespace, which is then passed down to OGNL expression evaluation.
Encoded payload:
  curl -v http://{host}/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/r7%22%29%7D/
  • The URL-encoded exploit payload above is the entire first path segment: everything from the start of the request path up to the next /.
Decoded payload:
  ${@java.lang.Runtime@getRuntime().exec("touch /tmp/r7")}
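
The detection logic below is an added example and is not part of the original advisory. It scans web-server access-log lines for the request shape described above: an OGNL expression carried, URL-encoded, in the request path. The four log lines are constructed for the demonstration (the first mirrors the encoded request shown in the advisory), and the verdict labels and helper names are this example's own. It deliberately does not filter on HTTP method, since the advisory notes the method need not even be valid, and it percent-decodes more than once as a detection choice only; nothing here assumes how many times Confluence itself decodes the path.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed access-log lines (combined log format); not taken from the advisory.
# Line 1 mirrors the encoded request shape shown above, line 2 is a double-encoded
# variant, line 3 uses a bogus HTTP method, line 4 is ordinary Confluence traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Jun/2022:10:01:02 +0000] "GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/r7%22%29%7D/ HTTP/1.1" 302 0 "-" "curl/7.79.1"
203.0.113.6 - - [03/Jun/2022:10:01:05 +0000] "POST /%2524%257B%2540java.lang.Runtime%2540getRuntime%2528%2529%257D/ HTTP/1.1" 302 0 "-" "python-requests/2.27.1"
203.0.113.7 - - [03/Jun/2022:10:01:09 +0000] "FOO /%24%7B1%2B1%7D/ HTTP/1.1" 302 0 "-" "-"
198.51.100.9 - - [03/Jun/2022:10:02:00 +0000] "GET /display/ENG/Home?src=sidebar HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# After decoding, an OGNL expression is delimited by ${ ... }; the advisory's
# payload additionally invokes a static method via the @Class@method syntax.
OGNL_EXPR_RE = re.compile(r'\$\{.*?\}')
OGNL_STATIC_RE = re.compile(r'@[\w.]+@\w+')


def decode_uri(uri: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads are exposed.

    Decoding more than once is a detection choice only; it does not assume
    anything about how many times the server decodes the path.
    """
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def classify(uri: str) -> Optional[str]:
    """Return a verdict for one request URI, or None when it looks benign."""
    decoded = decode_uri(uri)
    if not OGNL_EXPR_RE.search(decoded):
        return None
    if OGNL_STATIC_RE.search(decoded):
        return "ognl-static-call"   # e.g. @java.lang.Runtime@getRuntime()
    return "ognl-expression"        # ${...} alone: still never a legitimate Confluence path


def scan_log(text: str) -> List[Dict[str, str]]:
    """Scan access-log text and return one record per suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue            # unparseable line: skip rather than crash the scan
        verdict = classify(m["uri"])
        if verdict is None:
            continue
        hits.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "method": m["method"],          # not filtered: any method works
            "uri": decode_uri(m["uri"]),    # decoded form for the analyst
            "verdict": verdict,
        })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["verdict"]}: {hit["uri"]}')
```

Feed real access logs to scan_log() via stdin or a file; the regex covers the common combined format and silently skips lines in other formats, so adjust LOG_RE for the reverse proxy in front of Confluence if its format differs.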

Impact & Mitigation

Impact
  • Attackers can use this vulnerability to execute commands remotely.
  • Since the flaw is easy to exploit, threat actors can target a large volume of victims and piggyback on it to deploy ransomware.
  • Potential loss of revenue, reputation, and intellectual property.
Mitigation
  • Update your Confluence Server and Data Center to one of the following fixed versions:
    • 7.4.17
    • 7.13.7
    • 7.14.3
    • 7.15.2
    • 7.16.4
    • 7.17.4
    • 7.18.1
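
The version-triage script below is an added example, not part of the advisory. It takes the fixed-version list above and, for a constructed inventory of Confluence hosts, reports whether each is patched and otherwise which listed release to move to. Two assumptions are this example's own and not stated on the page: releases newer than 7.18.1 are treated as carrying the fix, and branches with no listed fixed version (for example 7.12.x or 6.x) are treated as vulnerable and pointed at the smallest listed fixed release above them.

```python
from typing import Dict, Optional, Tuple

# Fixed releases exactly as listed in the advisory's mitigation section.
FIXED_VERSIONS = ["7.4.17", "7.13.7", "7.14.3", "7.15.2", "7.16.4", "7.17.4", "7.18.1"]

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch'; missing trailing components count as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def format_version(v: Version) -> str:
    return ".".join(str(n) for n in v)


_FIXED = sorted(parse_version(v) for v in FIXED_VERSIONS)
_FIX_FOR_BRANCH = {v[:2]: v for v in _FIXED}   # (major, minor) -> first fixed release
_NEWEST_FIX = _FIXED[-1]


def is_patched(version: str) -> bool:
    """True when the version is at or above the fixed release for its branch."""
    v = parse_version(version)
    branch_fix = _FIX_FOR_BRANCH.get(v[:2])
    if branch_fix is not None:
        return v >= branch_fix
    # Assumption (not from the advisory): anything newer than the newest listed
    # fix carries it; any other branch has no fix listed and is treated as vulnerable.
    return v > _NEWEST_FIX


def recommended_upgrade(version: str) -> Optional[str]:
    """Smallest listed fixed release that resolves the flaw, or None if patched."""
    if is_patched(version):
        return None
    v = parse_version(version)
    branch_fix = _FIX_FOR_BRANCH.get(v[:2])
    if branch_fix is not None:
        return format_version(branch_fix)
    # No fix on this branch: move up to the next branch that has one.
    for fix in _FIXED:
        if fix > v:
            return format_version(fix)
    return format_version(_NEWEST_FIX)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'patched' or to the release it should be upgraded to."""
    return {host: recommended_upgrade(ver) or "patched" for host, ver in inventory.items()}


# Constructed inventory for demonstration only; host names and versions are invented.
INVENTORY = {
    "wiki-prod": "7.13.6",
    "wiki-staging": "7.18.1",
    "wiki-legacy": "7.12.5",
    "wiki-old": "6.13.0",
    "wiki-new": "7.19.0",
}

if __name__ == "__main__":
    for host, action in triage(INVENTORY).items():
        print(f"{host:14} {INVENTORY[host]:8} -> {action}")
```

Replace INVENTORY with the output of your asset inventory or a query against each instance's version string; because the check is branch-aware, a 7.13.x host is reported as needing 7.13.7 rather than being told to jump to 7.18.1.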
