Unauthenticated Confluence RCE Vulnerability (CVE-2022-26134) Actively Exploited in the Wild

CVE-2022-26134 is an unauthenticated, remotely exploitable OGNL injection vulnerability in Confluence Server and Data Center that leads to remote code execution.
Published on June 13, 2022. Updated on April 19, 2023.
Category: Vulnerability Intelligence
Vulnerability Class: Remote Code Execution
CVE ID: CVE-2022-26134
CVSS:3.0 Score: N/A

Executive Summary

Threat
  • Remote OGNL injection vulnerability resulting in RCE in all supported versions of Confluence Server and Data Center.
  • Actively exploited in the wild by threat actors.
  • The first instance of exploitation was detected as a zero-day in the wild by Volexity.
Impact
  • Attackers can exploit this vulnerability to execute commands remotely without authentication.
  • The initial foothold can enable threat actors to move further into the network, deploy ransomware, exfiltrate data, etc.
  • Loss of reputation, revenue, customer data, intellectual property, etc.
Mitigation
  • Update Confluence Server and Data Center to one of the following fixed versions:
    • 7.4.17
    • 7.13.7
    • 7.14.3
    • 7.15.2
    • 7.16.4
    • 7.17.4
    • 7.18.1

Overview of CVE-2022-26134

  • CVE-2022-26134 is an unauthenticated, remotely exploitable OGNL injection vulnerability that leads to remote code execution.
  • Due to the public-facing nature of Confluence Servers, the vulnerability poses a high risk of exploitation.
  • To exploit the vulnerability, an attacker with network access simply needs to send a specially crafted request to a vulnerable Confluence instance to gain code execution on the target system.

Information from OSINT

  • There are at least 9,396 publicly reachable instances of Confluence on the internet.
Figure: Shodan search results for publicly reachable Confluence instances (Source: Shodan)
  • Mass scale exploitation for this vulnerability has been observed by multiple sources.
Figure: Exploitation attempts observed by Cloudflare (Source: Cloudflare)

Information from DarkWeb

A significant amount of chatter was observed on cybercrime forums and channels regarding this vulnerability.
Figure: Cybercrime forum post discussing CVE-2022-26134

Technical Analysis

CVE-2022-26134 is an unauthenticated OGNL injection vulnerability reachable through any HTTP request to a Confluence Server or Data Center instance.
  • To exploit the vulnerability, the OGNL payload is placed in the URI path of an HTTP request; any HTTP method works, valid or invalid.
  • Confluence translates the attacker-provided URI into an action namespace, and that namespace string ends up being evaluated as an OGNL expression.

Encoded payload:

    curl -v http://{host}/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/r7%22%29%7D/

  • The exploit payload is the URL-encoded OGNL expression that makes up the URI path: everything between the leading / and the trailing /. In the request above it decodes to the following expression, which runs touch /tmp/r7 on the server.

Decoded payload:

    ${@java.lang.Runtime@getRuntime().exec("touch /tmp/r7")}
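As an added example (not code from the original post, nor from Atlassian or Volexity), the following Python script applies the detection logic implied by the analysis above to a handful of constructed access-log lines: it percent-decodes the request path, looks for an OGNL ${...} expression in it, and flags expressions that carry code-execution primitives such as @java.lang.Runtime. The log format, the sample lines and the indicator list are assumptions of this example, and the repeated decoding is a defensive choice for catching double-encoded probes in logs, not a statement about what Confluence itself decodes.

```python
"""Detect CVE-2022-26134 (Confluence OGNL injection) attempts in HTTP access logs.

Added example for this page; not code from the original post, Atlassian or Volexity.
The log format, sample lines and indicator list are assumptions of this example.
"""
import re
import urllib.parse

# Constructed sample lines in Apache/Tomcat "common" access-log format (not real traffic).
# Lines 1, 2 and 5 carry OGNL payloads in the path; lines 3 and 4 are ordinary Confluence requests.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Jun/2022:10:15:02 +0000] "GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/r7%22%29%7D/ HTTP/1.1" 302 0
203.0.113.11 - - [03/Jun/2022:10:15:09 +0000] "FOO /%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29.getInputStream%28%29%2C%22utf-8%22%29%29%7D/ HTTP/1.1" 302 0
198.51.100.5 - - [03/Jun/2022:10:16:00 +0000] "GET /display/SPACE/Home HTTP/1.1" 200 8421
198.51.100.6 - - [03/Jun/2022:10:16:30 +0000] "POST /rest/api/content HTTP/1.1" 200 512
198.51.100.7 - - [03/Jun/2022:10:17:01 +0000] "GET /%2524%257B%2540java.lang.Runtime%2540getRuntime%2528%2529%257D/ HTTP/1.1" 302 0
"""

# Common log format: client, ident, user, [timestamp], "METHOD path proto", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" (?P<status>\d{3})'
)

# OGNL expression delimiters: the payload on this page is ${...} placed in the request path.
OGNL_RE = re.compile(r"\$\{(.+)\}", re.S)

# Lower-cased substrings typical of OGNL RCE payloads (assumed indicator list for this example).
OGNL_INDICATORS = (
    "@java.lang.runtime",
    "getruntime()",
    ".exec(",
    "@org.apache.commons.io.ioutils",
    "processbuilder",
    "class.forname",
    "#a=",
)

STANDARD_METHODS = {"GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "PATCH", "TRACE", "CONNECT"}


def decode_path(raw_path, max_rounds=3):
    """Percent-decode until the string stops changing (bounded), so double-encoded probes surface.

    This is a log-analysis hardening choice; it makes no claim about what Confluence decodes.
    """
    current = raw_path
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def classify_request(raw_path):
    """Return (verdict, ognl_expression, matched_indicators) for one request path."""
    decoded = decode_path(raw_path)
    match = OGNL_RE.search(decoded)
    if not match:
        return None, None, []
    expr = match.group(1)
    lowered = expr.lower()
    hits = [ind for ind in OGNL_INDICATORS if ind in lowered]
    # Any ${...} in a Confluence request path is abnormal; code-execution primitives make it an attempt.
    verdict = "exploit-attempt" if hits else "suspicious-ognl"
    return verdict, expr, hits


def scan_log(text):
    """Scan access-log text and return one finding dict per request carrying an OGNL expression."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict, expr, hits = classify_request(m["path"])
        if verdict is None:
            continue
        findings.append({
            "ip": m["ip"],
            "timestamp": m["ts"],
            "method": m["method"],
            # The page notes any valid or invalid HTTP method works, so an unknown verb is worth recording.
            "nonstandard_method": m["method"] not in STANDARD_METHODS,
            "status": int(m["status"]),
            "ognl": expr,
            "indicators": hits,
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['verdict']:16} {f['ip']:14} {f['method']:5} {f['ognl'][:70]}")
```

Run it against a real access log by passing the file contents to scan_log; the "suspicious-ognl" verdict is there to catch probes whose expression does not use any of the listed primitives, which is still worth a look on a Confluence host.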

Impact & Mitigation

Impact
  • Attackers can use this vulnerability to execute commands remotely without authentication.
  • Since the flaw is easy to exploit, threat actors can target a large volume of victims and use the foothold to deploy ransomware.
  • Potential loss of revenue, reputation, and intellectual property.
Mitigation
  • Update Confluence Server and Data Center to one of the following fixed versions:
    • 7.4.17
    • 7.13.7
    • 7.14.3
    • 7.15.2
    • 7.16.4
    • 7.17.4
    • 7.18.1
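The following Python helper, added here and not part of the original post or of any Atlassian tooling, turns the fixed-version list above into a check that can be run over an inventory of Confluence instances. It assumes that a version at or above its branch's fixed release is patched, that any release newer than the highest listed fix (7.18.1) carries the fix, and that a branch with no fixed release listed (for example 7.12.x) must move to the nearest fixed release above it; those three rules are the example's own, not statements from the advisory.

```python
"""Check Confluence Server/Data Center versions against the CVE-2022-26134 fixed releases.

Added example for this page; not code from the original post or from Atlassian.
The handling of branches without a listed fix is an assumption stated in the comments.
"""
import re

# Fixed releases as listed on this page, one per supported release branch.
FIXED_VERSIONS = ["7.4.17", "7.13.7", "7.14.3", "7.15.2", "7.16.4", "7.17.4", "7.18.1"]


def parse_version(text):
    """Turn '7.13.7' (or '7.13.7-rc1') into a comparable (major, minor, patch) tuple."""
    nums = []
    for part in text.strip().split(".")[:3]:
        m = re.match(r"\d+", part)
        if not m:
            raise ValueError(f"unparseable version component {part!r} in {text!r}")
        nums.append(int(m.group()))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def format_version(v):
    return ".".join(str(n) for n in v)


FIXED = sorted(parse_version(v) for v in FIXED_VERSIONS)
FIX_BY_BRANCH = {(v[0], v[1]): v for v in FIXED}


def assess(version_text):
    """Return a dict saying whether this version is vulnerable and what to upgrade to."""
    v = parse_version(version_text)
    fix = FIX_BY_BRANCH.get((v[0], v[1]))
    result = {"version": format_version(v), "vulnerable": False, "upgrade_to": None, "reason": ""}
    if fix is not None:
        if v >= fix:
            result["reason"] = "at or above the fixed release for its branch"
        else:
            result.update(vulnerable=True, upgrade_to=format_version(fix),
                          reason="below the fixed release for its branch")
        return result
    if v >= FIXED[-1]:
        # Assumption: anything newer than the highest listed fix (7.18.1) already carries the fix.
        result["reason"] = "newer than the latest fixed release listed"
        return result
    # Assumption: a branch with no listed fix (e.g. 7.12.x) must move to the nearest fixed release above it.
    target = next(f for f in FIXED if f > v)
    result.update(vulnerable=True, upgrade_to=format_version(target),
                  reason="no fixed release on this branch; move to the nearest fixed release above it")
    return result


def assess_inventory(versions):
    """Assess a list of version strings and return only the vulnerable entries."""
    return [r for r in (assess(v) for v in versions) if r["vulnerable"]]


if __name__ == "__main__":
    # Constructed inventory for demonstration; replace with versions pulled from your own instances.
    for r in assess_inventory(["7.13.6", "7.13.7", "7.12.5", "7.4.17", "7.18.0", "6.13.0"]):
        print(f"{r['version']:8} vulnerable -> upgrade to {r['upgrade_to']} ({r['reason']})")
```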
