Unauthenticated Confluence RCE Vulnerability (CVE-2022-26134) Actively Exploited in the Wild

Summary

CVE-2022-26134 is an unauthenticated, remotely exploitable OGNL injection vulnerability that could lead to remote code execution.

Category: Vulnerability Intelligence
Vulnerability Class: Remote Code Execution
CVE ID: CVE-2022-26134
CVSS:3.0 Score: N/A

Executive Summary

Threat:
  • Remote OGNL injection vulnerability resulting in RCE in all supported versions of Confluence Server and Data Center.
  • Actively exploited in the wild by threat actors.
  • First instance of exploitation was detected as a zero-day in the wild by Volexity.

Impact:
  • Attackers can exploit this vulnerability to execute commands remotely.
  • The initial foothold can enable threat actors to further exploit networks, deploy ransomware, leak data, etc.
  • Loss of reputation, revenue, customer data, intellectual property, etc.

Mitigation:
  • Update Confluence Server and Data Center to one of the following fixed versions:
    • 7.4.17
    • 7.13.7
    • 7.14.3
    • 7.15.2
    • 7.16.4
    • 7.17.4
    • 7.18.1

Overview of CVE-2022-26134

  • CVE-2022-26134 is an unauthenticated, remotely exploitable OGNL injection vulnerability that could lead to remote code execution.
  • Because Confluence servers are typically public-facing, the vulnerability poses a high risk of exploitation.
  • To exploit the vulnerability, an attacker with network access only needs to send a specially crafted request to a vulnerable Confluence instance to gain code execution on the target system.

Information from OSINT

  • There are at least 9,396 publicly reachable instances of Confluence on the internet.
Source: Shodan
  • Mass scale exploitation for this vulnerability has been observed by multiple sources.
Source: Cloudflare

Information from DarkWeb

A significant amount of chatter was observed on cybercrime forums and channels regarding this vulnerability.
Cybercrime forum post discussing CVE-2022-26134

Technical Analysis

CVE-2022-26134 is an unauthenticated OGNL injection vulnerability reachable over HTTP on affected Confluence Server and Data Center instances.
  • To exploit the vulnerability, the OGNL payload is placed in the URI of an HTTP request, using any valid or invalid HTTP method.
  • The attacker-provided URI is translated into a namespace, which is then passed down to OGNL expression evaluation.

Encoded payload:
  curl -v http://{host}/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/r7%22%29%7D/

  • The URL-encoded exploit payload is everything from the start of the request path up to the trailing /.

Decoded payload:
  ${@java.lang.Runtime@getRuntime().exec("touch /tmp/r7")}
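As an added example (not code from the original advisory), the following Python scans web-server access-log lines for the request-path shape described above: it percent-decodes the path and flags any ${...} or %{...} expression regardless of the HTTP method used. The log lines, addresses and timestamps are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic). Line 1 carries the
# URL-encoded probe shown above; line 4 has the same ${...} shape with an
# invalid method and a harmless expression; lines 2 and 3 are ordinary requests.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Jun/2022:10:01:02 +0000] "GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/r7%22%29%7D/ HTTP/1.1" 302 0
198.51.100.7 - - [03/Jun/2022:10:01:05 +0000] "GET /display/DOCS/Plan+%24100 HTTP/1.1" 200 5123
198.51.100.9 - - [03/Jun/2022:10:01:09 +0000] "POST /rest/api/content HTTP/1.1" 200 881
203.0.113.6 - - [03/Jun/2022:10:02:11 +0000] "FOO /%24%7b1%2b1%7d/ HTTP/1.1" 302 0
"""

# Any token is accepted as the method: the payload works with valid or invalid
# HTTP methods, so a strict GET|POST pattern would miss probes.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)')

# ${...} or %{...} in the decoded request path is the OGNL expression shape
# that Confluence's namespace handling passed on to the expression evaluator.
OGNL_EXPR_RE = re.compile(r'[$%]\{.*?\}')


def decode_path(raw_path: str) -> str:
    """Percent-decode up to three times so double encoding cannot hide '${'."""
    decoded = raw_path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def ognl_expressions(raw_path: str) -> list:
    """Return every OGNL-looking expression found in the decoded path."""
    path = decode_path(raw_path.split('?', 1)[0])
    return OGNL_EXPR_RE.findall(path)


def scan_access_log(text: str) -> list:
    """Return one hit per request whose path carries an OGNL expression."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (exprs := ognl_expressions(m['path'])):
            hits.append({'ip': m['ip'], 'method': m['method'],
                         'status': m['status'], 'expressions': exprs})
    return hits
```

Running scan_access_log(SAMPLE_LOG) returns two hits (lines 1 and 4) and ignores the literal dollar sign in line 2, which is why decoding before matching matters.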

Impact & Mitigation

Impact:
  • Attackers can use this vulnerability to execute commands remotely.
  • Since the flaw is easy to exploit, threat actors can target a large volume of victims and leverage the foothold to deploy ransomware.
  • Potential loss of revenue, reputation, and intellectual property.

Mitigation:
  • Update your Confluence Server and Data Center installations to one of the following fixed versions:
    • 7.4.17
    • 7.13.7
    • 7.14.3
    • 7.15.2
    • 7.16.4
    • 7.17.4
    • 7.18.1
