<img alt="" src="https://secure.leadforensics.com/89462.png" style="display:none;">

Nexusguard Blog

Cybersecurity best practices and DDoS defence strategies

Latest Stories

Featured Stories

Nexusguard Research
By
June 22, 2022

CVE-2022-26134: Zero-Day Vulnerability in Atlassian Confluence Server and Data Center

About the Vulnerability

 

On June 2, Volexity claimed that they had discovered unusual behavior on two internet-facing servers that were running Atlassian's Confluence Server application. Volexity discovered that the initial foothold was the consequence of a remote code execution vulnerability in Confluence Server and Data Center after analyzing the intrusion. The facts were submitted to Atlassian on May 31, and the issue has now been assigned as CVE-2022-26134.

 

 

The impact of CVE-2022-26134

 

According to Atlassian's security advisory, the attack appears to be an unauthenticated, remote code execution vulnerability. Threat actors could bypass authentication and run arbitrary code on unpatched systems if the vulnerability is exploited.

 

The vulnerability is an Object-Graph Navigation Language (OGNL) injection.

 

The malicious payload will be placed in the URI of an HTTP request by a threat actor attempting to exploit this vulnerability. Despite the fact that most Proofs-of-Concept (POCs) employ the GET method, it appears that any request method, including an incorrect one, will suffice. 

 

The simplest form of a URI containing malicious payload will be:

When decoding the URL, we receive the following exploitation:

which will create a new file in the /tmp/ directory.

 

This example depicts a circumstance in which a threat actor does not require an output from the compromised server. But threat actors that want to exploit this vulnerability and also want the response from the compromised server, can use the X-Cmd-Response header.

 

 

Sample HTTP Request

 

 

Sample HTTP Response

After successful exploitation, an attacker could then implant JSP webshells such as Behinder and Chopper.

 

Confluence Server and Data Center versions after 1.3.0 are affected by this vulnerability.

 

 

Mitigating CVE-2022-26134

 

Atlassian released versions  7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1 which contain a fix for this issue. The security advisory provides full details on how to update your vulnerable Confluence server.

 

 

Nexusguard’s response to CVE-2022-26134

 

The Nexusguard WAF is already updated with the new rule that would effectively block any attempt to exploit the Atlassian vulnerability. For our customers that are using Atlassian’s products and services or might be concerned about their exposure to this vulnerability should reach out to the Nexusguard Service Team to review their WAF policies.

 

INDICATORS OF COMPROMISE

Type

IoC

IPv4

154.146.34.145

IPv4

154.16.105.147

IPv4

156.146.34.46

IPv4

156.146.34.52

IPv4

156.146.34.9

IPv4

156.146.56.136

IPv4

198.147.22.148

IPv4

198.147.22.148

IPv4

221.178.126.244

IPv4

45.43.19.91

IPv4

59.163.248.170

IPv4

64.64.228.239

IPv4

66.115.182.102

IPv4

66.115.182.111

IPv4

67.149.61.16

IPv4

98.32.230.38

IPv4

154.146.34.145

FileHash-SHA1

80b327ec19c7d14cc10511060ed3a4abffc821af

FileHash-SHA1

4c02c3a150de6b70d6fca584c29888202cc1deef

FileHash-MD5

f8df4dd46f02dc86d37d46cf4793e036

FileHash-MD5

ea18fb65d92e1f0671f23372bacf60e7

 

 

 

Take immediate action to safeguard your organization, clients and data

 

Due to the gravity of this vulnerability, anyone impacted and unable to update their Confluence servers should seek specialist assistance immediately. Nexusguard’s Application Protection provides easy-to-implement and effective protection against all forms of L3-L4 and L7 attacks including all potential zero-day attacks.

 

For further information, please read about Nexusguard’s Application Protection or reach out to us via our Emergency Contact Form.

 

Nexusguard platforms enforce strict inspections and undergo rigorous security hardening to ensure there is no risk of high-severity vulnerabilities.