Critical RCE Confluence Server CVE-2022-26134
Here we are again: Atlassian has made us all aware of active exploitation of a critical-severity unauthenticated remote code execution vulnerability in Confluence Server and Data Center, tracked as CVE-2022-26134. At the time of writing a full technical disclosure has not been released, but a Metasploit module and working proof-of-concept code exist (for testing purposes only). The flaw is an OGNL injection that allows an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.
Date: June 3rd 2022
Updated: June 4th 2022
Risk: Critical
Severity: Critical
Affected Products
- Confluence Server
- Confluence Data Center
Remediation
Atlassian reports that all versions of Confluence Server and Data Center after 1.3.0 are affected. Fixed releases have been published for the supported branches listed below; any earlier release on those branches, and any out-of-support release, should be upgraded to one of them.
Fix Version
- 7.4.17
- 7.13.7
- 7.14.3
- 7.15.2
- 7.16.4
- 7.17.4
- 7.18.1
You can find the complete update and remediation instructions published on Atlassian’s website
Palo Alto Networks has released Applications and Threats Content version 8577, which adds a threat signature covering the critical vulnerability in Atlassian Confluence (CVE-2022-26134) that is being actively exploited in the wild.

Severity | ID | Attack Name | CVE ID | Category | Default Action | Minimum PAN-OS Version | Maximum PAN-OS Version |
---|---|---|---|---|---|---|---|
critical | 92632 | Atlassian Confluence Remote Code Execution Vulnerability | CVE-2022-26134 | code-execution | reset-server | 8.1.0 | |
We continue to recommend a defence-in-depth approach in which a WAF and a next-generation firewall are used as layered controls. Maintaining the suggested WAF pattern below can only enhance security. It matches the OGNL expression opener, which exploit requests carry (URL-encoded) in the request URI path, so the rule must be evaluated after URL decoding:
`${`
I also suggest you review your logs. The payload is an OGNL expression in the request URI (not a JNDI lookup, despite the similar `${` syntax), and the scope and history of this zero-day are still unknown, as is how long it has been actively exploited. The following Indicators of Compromise have been identified and the source can be found here.
IP Address | Type | Description |
---|---|---|
156.146.34.46 | ipaddress | IP observed interacting with or exploiting Confluence servers in May 2022 |
156.146.34.9 | ipaddress | IP observed interacting with or exploiting Confluence servers in May 2022 |
156.146.56.136 | ipaddress | IP observed interacting with or exploiting Confluence servers in May 2022 |
198.147.22.148 | ipaddress | IP observed interacting with or exploiting Confluence servers in May 2022 |
45.43.19.91 | ipaddress | IP observed interacting with or exploiting Confluence servers in May 2022 |
66.115.182.102 | ipaddress | IP observed interacting with or exploiting Confluence servers in May 2022 |
66.115.182.111 | ipaddress | IP observed interacting with or exploiting Confluence servers in May 2022 |
67.149.61.16 | ipaddress | IP observed interacting with or exploiting Confluence servers in May 2022 |
154.16.105.147 | ipaddress | IP observed interacting with or exploiting Confluence servers in May 2022 |
64.64.228.239 | ipaddress | IP observed interacting with or exploiting Confluence servers in May 2022 |
156.146.34.52 | ipaddress | IP observed interacting with or exploiting Confluence servers in May 2022 |
154.146.34.145 | ipaddress | IP observed interacting with or exploiting Confluence servers in May 2022 |
221.178.126.244 | ipaddress | IP observed interacting with or exploiting Confluence servers in May 2022 |
59.163.248.170 | ipaddress | IP observed interacting with or exploiting Confluence servers in May 2022 |
98.32.230.38 | ipaddress | IP observed interacting with or exploiting Confluence servers in May 2022 |
Chopper Webshell

Attribute | Value |
---|---|
Filename | <redacted>.jsp |
File Size | 8624 bytes |
MD5 | ea18fb65d92e1f0671f23372bacf60e7 |
SHA1 | 80b327ec19c7d14cc10511060ed3a4abffc821af |
File Upload Webshell

Attribute | Value |
---|---|
Filename | noop.jsp |
File Size | 537 bytes |
MD5 | f8df4dd46f02dc86d37d46cf4793e036 |
SHA1 | 4c02c3a150de6b70d6fca584c29888202cc1deef |
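The following log scanner is an added example, not code from the advisory or from Atlassian. It ties together the two detection points above: it applies the `${` WAF pattern to the request path of each access-log line after URL decoding (including double-encoded `%2524%257B`, which a single decode would miss), and it cross-references the source IP against the IP IoCs listed on this page. The combined/common log format, the `scan_log` and `has_ognl_opener` names, and the sample log lines are assumptions; the sample log is constructed and carries a placeholder instead of a real OGNL payload.

```python
"""Scan web-server access logs for CVE-2022-26134 exploitation attempts.

Added example (not part of the original advisory). Two checks per line:
  1. Does the request path contain the OGNL expression opener "${", raw or
     URL-encoded (possibly more than once)?  Exploit requests for this CVE
     place the OGNL expression in the URI path, which is what the WAF
     pattern on this page is meant to catch.
  2. Is the client IP one of the indicators of compromise listed above?
"""
import re
from urllib.parse import unquote

# IP IoCs exactly as listed on this page (observed May 2022).
IOC_IPS = {
    "156.146.34.46", "156.146.34.9", "156.146.56.136", "198.147.22.148",
    "45.43.19.91", "66.115.182.102", "66.115.182.111", "67.149.61.16",
    "154.16.105.147", "64.64.228.239", "156.146.34.52", "154.146.34.145",
    "221.178.126.244", "59.163.248.170", "98.32.230.38",
}

# Assumption: the reverse proxy / Tomcat access log uses the common/combined
# log format:  <ip> - - [<timestamp>] "<method> <path> <proto>" <status> ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def has_ognl_opener(path, max_decode=3):
    """True if the path contains "${" after up to max_decode rounds of
    URL decoding. Checking the raw path first catches a literal "${";
    repeated decoding catches %24%7B and double-encoded %2524%257B."""
    candidate = path
    for _ in range(max_decode + 1):
        if "${" in candidate:
            return True
        decoded = unquote(candidate)
        if decoded == candidate:      # nothing left to decode
            break
        candidate = decoded
    return False


def scan_log(lines):
    """Return a list of (line_no, reasons, ip, path) for suspicious lines.
    reasons is a list containing "ognl-in-path" and/or "ioc-ip"."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue                  # skip lines in an unexpected format
        ip, path = m.group("ip"), m.group("path")
        reasons = []
        if has_ognl_opener(path):
            reasons.append("ognl-in-path")
        if ip in IOC_IPS:
            reasons.append("ioc-ip")
        if reasons:
            findings.append((n, reasons, ip, path))
    return findings


# Constructed sample log: one benign request, one exploit-shaped request from
# an IoC IP, one double-encoded exploit-shaped request from an unknown IP,
# one benign-looking request from an IoC IP, and one benign POST.
SAMPLE_LOG = [
    '203.0.113.10 - - [03/Jun/2022:10:00:01 +0000] "GET /display/DOCS/Home HTTP/1.1" 200 5120',
    '156.146.34.46 - - [03/Jun/2022:10:00:07 +0000] "GET /%24%7Bconstructed-ognl-placeholder%7D/ HTTP/1.1" 302 0',
    '198.51.100.7 - - [03/Jun/2022:10:00:09 +0000] "GET /%2524%257Bdouble-encoded-placeholder%257D/ HTTP/1.1" 302 0',
    '67.149.61.16 - - [03/Jun/2022:10:01:00 +0000] "GET /login.action HTTP/1.1" 200 2048',
    '203.0.113.10 - - [03/Jun/2022:10:02:00 +0000] "POST /rest/api/content HTTP/1.1" 200 128',
]


if __name__ == "__main__":
    for line_no, reasons, ip, path in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {','.join(reasons)} ip={ip} path={path}")
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file's lines. An `ioc-ip` hit on an otherwise benign-looking request (as with the `/login.action` line above) still deserves a look, since the IoC list covers reconnaissance as well as exploitation, and a `${` hit from any IP is a candidate exploitation attempt regardless of the response status.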
Reference
https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html