Category: Vulnerability Intelligence
Vulnerability Class: Remote Code Execution
CVE ID: CVE-2022-26134
CVSS:3.0 Score: N/A
Executive Summary
Threat:
- Remote, unauthenticated OGNL injection vulnerability resulting in RCE in all supported versions of Confluence Server and Data Center.
- Actively exploited in the wild by threat actors.
- The first exploitation was detected as a zero-day in the wild by Volexity.
Impact:
- Attackers can exploit this vulnerability to execute commands remotely on the Confluence host.
- The initial foothold can enable threat actors to move further into the network, deploy ransomware, exfiltrate data, etc.
- Loss of reputation, revenue, customer data, intellectual property, etc.
Mitigation:
- Update Confluence Server and Data Center to a fixed version for your branch:
- 7.4.17
- 7.13.7
- 7.14.3
- 7.15.2
- 7.16.4
- 7.17.4
- 7.18.1
Overview of CVE-2022-26134
- CVE-2022-26134 is an unauthenticated, remotely exploitable OGNL injection vulnerability that leads to remote code execution.
- Because Confluence Server instances are commonly exposed to the internet, the vulnerability poses a high risk of exploitation.
- To exploit it, an attacker with network access to a vulnerable Confluence instance only needs to send a single specially crafted HTTP request to gain code execution on the target system.
Information from OSINT
- There are at least 9,396 publicly reachable instances of Confluence on the internet.
[Figure: Shodan search results for internet-exposed Confluence instances. Source: Shodan]
- Mass scale exploitation for this vulnerability has been observed by multiple sources.
[Figure: mass exploitation activity observed for this vulnerability. Source: Cloudflare]
Information from DarkWeb
A significant amount of chatter was observed on cybercrime forums and channels regarding this vulnerability.
[Figure: cybercrime forum post discussing CVE-2022-26134]
Technical Analysis
CVE-2022-26134 is an unauthenticated OGNL injection vulnerability in Confluence Server and Data Center.
- To exploit it, the OGNL payload is placed in the path of an HTTP request to the Confluence instance. The HTTP method is irrelevant: any valid or invalid method works.
- Confluence derives the action namespace from the attacker-controlled request path, and that namespace string reaches OGNL expression evaluation, so a ${...} expression embedded in the path is evaluated server-side.
Encoded payload, as sent in the request path (this proof-of-concept only creates the file /tmp/r7 on the server):
curl -v http://{host}/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/r7%22%29%7D/
- The URL-encoded payload is the entire path segment between the leading / and the trailing / of the request URI. Decoded, it reads:
${@java.lang.Runtime@getRuntime().exec("touch /tmp/r7")}
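As an added detection example (not part of the original advisory and not Atlassian's tooling), the following Python script scans web-server access-log lines for the pattern described above: a ${...} OGNL expression in the URI path, regardless of HTTP method. The log lines are constructed for this example in Apache combined format; the decoding loop that also catches double URL-encoding is a defensive choice of this example, not a claim about what Confluence itself decodes.

```python
import re
import urllib.parse

# Constructed sample access-log lines in Apache combined format (not real traffic).
# Lines 1 and 2 carry the CVE-2022-26134 payload in the request path (line 2 is
# double URL-encoded and uses an invalid HTTP method); lines 3 and 4 are benign.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Jun/2022:10:12:01 +0000] "GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/r7%22%29%7D/ HTTP/1.1" 302 0 "-" "curl/7.68.0"
203.0.113.9 - - [03/Jun/2022:10:12:07 +0000] "FOO /%2524%257B%2540java.lang.Runtime%2540getRuntime%2528%2529.exec%2528%2522id%2522%2529%257D/ HTTP/1.1" 302 0 "-" "python-requests/2.25.1"
198.51.100.2 - - [03/Jun/2022:10:13:15 +0000] "GET /login.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.3 - - [03/Jun/2022:10:14:40 +0000] "POST /rest/api/content?expand=body.storage HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

# Apache combined log format: client, ident, user, [timestamp], "METHOD URI PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# An OGNL expression delimiter in the decoded path is the indicator; the
# proof-of-concept above is ${@java.lang.Runtime@getRuntime().exec(...)}.
OGNL_RE = re.compile(r"\$\{.+\}")


def fully_decode(s, max_rounds=3):
    """URL-decode repeatedly so a double-encoded payload (%2524 -> %24 -> $) is not missed."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def find_ognl_requests(log_text):
    """Return one record per request whose decoded URI path contains a ${...} expression."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than silently trusting them
        # The injection point is the request path (action namespace), so the query
        # string is stripped before matching to keep the check scoped and low-noise.
        path = m.group("uri").split("?", 1)[0]
        decoded = fully_decode(path)
        if OGNL_RE.search(decoded):
            hits.append({
                "ip": m.group("ip"),
                "timestamp": m.group("ts"),
                "method": m.group("method"),  # deliberately not filtered: any method works
                "decoded_path": decoded,
                "status": m.group("status"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_ognl_requests(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["method"]} {hit["decoded_path"]} -> {hit["status"]}')
```

Run it against a real access log by reading the file into find_ognl_requests(); note that the second constructed line is caught even though its method is "FOO", which matches the observation above that the HTTP method does not need to be valid.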
Impact & Mitigation
Impact:
- Attackers can use this vulnerability to execute commands remotely on the Confluence host.
- Because the flaw is trivial to exploit with a single request, threat actors can target a large volume of victims and use the resulting access to deploy ransomware.
- Potential loss of revenue, reputation, and intellectual property.
Mitigation:
- Update your Confluence Server and Data Center instances to a fixed version for your branch:
- 7.4.17
- 7.13.7
- 7.14.3
- 7.15.2
- 7.16.4
- 7.17.4
- 7.18.1
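As an added example (not Atlassian's tooling and not part of the original advisory), the following Python check decides whether a Confluence version string is below the fixed release on its branch, using the fixed versions listed above. Treating any version on a branch that has no fix of its own (for example 7.12.x) as vulnerable and pointing it at 7.18.1, and treating releases newer than 7.18.1 as fixed, are assumptions of this example.

```python
import re

# Fixed releases listed in the mitigation section above (one per supported branch).
FIXED_VERSIONS = ["7.4.17", "7.13.7", "7.14.3", "7.15.2", "7.16.4", "7.17.4", "7.18.1"]


def parse_version(version):
    """Parse 'major.minor.patch' into a comparable tuple of ints; reject anything else."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", version)
    if not m:
        raise ValueError(f"unrecognised Confluence version string: {version!r}")
    return tuple(int(x) for x in m.groups())


# Map each fixed branch (major, minor) to its fixed release, e.g. (7, 13) -> (7, 13, 7).
FIXED_BY_BRANCH = {v[:2]: v for v in map(parse_version, FIXED_VERSIONS)}
LATEST_FIX = max(FIXED_BY_BRANCH.values())  # (7, 18, 1)


def is_vulnerable(version):
    """True if the given version is below the fixed release for CVE-2022-26134."""
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is not None:
        return v < fixed
    # Assumption of this example: a branch with no fixed release of its own
    # (e.g. 7.12.x) is vulnerable and must move to a fixed branch, while any
    # release newer than the newest fix shipped after the patch and is not.
    return v < LATEST_FIX


def recommended_upgrade(version):
    """Fixed release on the same branch, or the newest fix if the branch has none; None if not affected."""
    if not is_vulnerable(version):
        return None
    v = parse_version(version)
    target = FIXED_BY_BRANCH.get(v[:2], LATEST_FIX)
    return ".".join(str(n) for n in target)


def triage(versions):
    """Build a report for a fleet inventory: version -> recommended upgrade (or None)."""
    return {ver: recommended_upgrade(ver) for ver in versions}


if __name__ == "__main__":
    # Constructed inventory of instances for this example.
    for ver, target in triage(["7.13.6", "7.13.7", "7.12.5", "7.4.16", "7.19.0"]).items():
        print(ver, "VULNERABLE -> upgrade to " + target if target else "not affected")
```

Feed triage() the version strings collected from your instances (for example from the Confluence admin console or the /rest/api/settings/systemInfo endpoint on a version that exposes it) to get a per-instance upgrade target.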