Overview
On June 2nd, Atlassian published a security advisory for a critical vulnerability (CVE-2022-26134) that allows unauthenticated attackers to execute arbitrary code on Atlassian's Confluence Server and Data Center. At the time of the advisory the vulnerability was unpatched and affected all supported versions of Confluence Server and Data Center.
For comparison, these attacks are similar to those seen against Apache Struts more than ten years ago.
The flaw is an injection into Object Graph Navigation Language (OGNL) expressions, the Java expression language that Confluence evaluates. An injected expression can call the java.lang.Runtime@getRuntime().exec() function, so exploiting the vulnerability is as simple as sending an HTTP request with ${@java.lang.Runtime@getRuntime().exec("cat /etc/passwd")} as the URL path.
Atlassian has since patched this vulnerability and recommends that users download the latest versions of the software from their website. More information on these fixes and patches can be found in the security advisory mentioned above.
Affected Versions
The following version ranges of Confluence Server and Data Center are affected (range start, range end):
1.3.0    7.4.17
7.13.0   7.13.7
7.14.0   7.14.3
7.15.0   7.15.2
7.16.0   7.16.4
7.17.0   7.17.4
7.18.0   7.18.1
Mitigation at StackPath
The first attempts at exploiting CVE-2022-26134 appeared on June 3rd at 20:18 UTC and were immediately blocked by our WAF rules.
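Blocking or detecting this exploit comes down to recognizing an OGNL expression in the request path, including when it arrives percent-encoded. The following is an added example, not StackPath's WAF rule set or any code from Atlassian: it parses constructed Apache-style access-log lines (hosts, timestamps and user agents are made up), percent-decodes the path a bounded number of times, and flags requests whose path carries a ${ ... @class@member ... } static-member call like the one in the advisory.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format). Hosts,
# timestamps and user agents are made up; the two flagged paths carry the
# advisory's OGNL expression, once URL-encoded and once double-encoded.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Jun/2022:20:18:01 +0000] "GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22cat%20/etc/passwd%22%29%7D/ HTTP/1.1" 302 0 "-" "curl/7.79.1"
198.51.100.7 - - [03/Jun/2022:20:19:44 +0000] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Jun/2022:20:21:10 +0000] "GET /%2524%257B%2540java.lang.Runtime%2540getRuntime%2528%2529.exec%2528%2522cat%2520/etc/passwd%2522%2529%257D/ HTTP/1.1" 302 0 "-" "python-requests/2.27"
198.51.100.8 - - [03/Jun/2022:20:22:05 +0000] "GET /dosearchsite.action?queryString=%24price HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""

# Request line: client IP, timestamp, method, path (up to the protocol token), status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>.*?) HTTP/[\d.]+" (?P<status>\d{3})'
)

# An OGNL expression ${ ... } containing a static-member reference (@class@member),
# which is how the advisory's payload reaches java.lang.Runtime.
OGNL_RE = re.compile(r'\$\{[^}]*@[\w.]+@\w+')


def decode_path(path: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded payloads normalise."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def flag_ognl_requests(log_text: str) -> list:
    """Return the requests whose decoded path carries an OGNL static-member call."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected log format
        path = decode_path(m.group('path'))
        if OGNL_RE.search(path):
            hits.append({'ip': m.group('ip'), 'ts': m.group('ts'),
                         'path': path, 'status': int(m.group('status'))})
    return hits


if __name__ == '__main__':
    for hit in flag_ognl_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} -> {hit['path']}")
```

The benign search request with a bare %24 in its query string is not flagged, since the check requires the full ${ ... @class@member pattern rather than a lone dollar sign.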