On June 2nd, Atlassian released a security advisory about another remote code execution vulnerability (CVE-2022-26134) affecting all on-premises versions of Confluence Server and Confluence Data Center. The initial report to Atlassian came from Volexity, which discovered the issue during a forensics investigation. After the Atlassian release and discussion of active exploitation in the wild, the Cybersecurity & Infrastructure Security Agency (CISA) issued a warning urging users to immediately block all traffic to affected systems.
The vulnerability can be exploited by an anonymous, unauthenticated attacker to inject malicious Object-Graph Navigation Language (OGNL) expressions. This carries a very high-risk exposure: the CVE is still in a RESERVED state, so there is currently no published CVSS score, but Contrast Labs expects it to be rated critical, 9.8 or above (like the previously discovered OGNL issue disclosed last year, CVE-2021-26084). The pre-authentication nature of the vulnerability, combined with the large number of older, unpatched, on-premises Confluence versions still in use, makes this a very serious problem.
What Does the Exploit Look Like?
CVE-2022-26134 is an OGNL injection vulnerability that allows an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.
An attacker can exploit this vulnerability—easily bypassing web application firewall (WAF) defenses—to take control of an unpatched system. When this happens, an attacker gains “godlike” access to Confluence. They can access anything else stored on that box—including data, tickets, attachments, and keys to things like AWS infrastructure. Lateral movement beyond the server, across the network and other applications, is even possible.
Has the Confluence Vulnerability Been Patched?
The vulnerability was discovered by Volexity over the Memorial Day weekend during a forensics investigation and was immediately reported to Atlassian. In this case Atlassian notified the general public before a fix was released, most likely because of the criticality of the vulnerability, the ease of exploitation, and the fact that it was under active exploitation. Atlassian reported the issue publicly on June 2nd and updated its mitigation advice repeatedly. The mitigation started with recommending that any on-premises instances be removed from the internet or turned off, then changed to replacing a specific Java jar file, and finally to releasing patches. The patched versions are 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1.
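The list of fix releases above spans several Confluence branches, so "am I patched?" depends on which branch a host is on, not just on whether its version number is high. The following script is an added example, not code from the post or from Atlassian or Contrast: it takes the seven fix versions listed above and classifies an installed version as patched, vulnerable, or on a branch that never received a fix (such as 7.5 through 7.12 or any 6.x release). It assumes that any release newer than 7.18.1 carries the fix; the hostnames and versions in the sample inventory are constructed.

```python
"""Classify on-premises Confluence versions against the CVE-2022-26134 fix releases."""
import re

# Fix releases from Atlassian's advisory for CVE-2022-26134, as listed in the post.
FIXED_VERSIONS = ("7.4.17", "7.13.7", "7.14.3", "7.15.2", "7.16.4", "7.17.4", "7.18.1")


def parse_version(text: str) -> tuple:
    """Parse a 'major.minor.patch' string into a comparable tuple of ints."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    return tuple(int(part) for part in m.groups())


_FIXED = sorted(parse_version(v) for v in FIXED_VERSIONS)
_NEWEST_FIX = _FIXED[-1]  # (7, 18, 1)


def assess(version: str) -> str:
    """Return the patch status of one installed version.

    'patched'          - at or above the fix release for its branch, or newer than
                         every fix release (assumed to carry the fix)
    'vulnerable'       - on a branch that has a fix release, but below it
    'upgrade-required' - on a branch with no fix release at all (e.g. 7.5-7.12, 6.x);
                         the only remedy is moving to a fixed branch
    """
    v = parse_version(version)
    if v >= _NEWEST_FIX:
        return "patched"
    for fixed in _FIXED:
        if fixed[:2] == v[:2]:  # same major.minor branch
            return "patched" if v >= fixed else "vulnerable"
    return "upgrade-required"


def triage(inventory: dict) -> dict:
    """Group hostnames by status so the exposed ones can be handled first."""
    groups = {"vulnerable": [], "upgrade-required": [], "patched": []}
    for host, version in inventory.items():
        groups[assess(version)].append(host)
    return groups


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    SAMPLE_INVENTORY = {
        "wiki-1": "7.13.6",
        "wiki-2": "7.18.1",
        "wiki-3": "7.12.5",
        "wiki-4": "7.4.17",
    }
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:17s} {', '.join(hosts) or '-'}")
```

The "upgrade-required" bucket is the one that is easy to miss: a host on 7.12.x is not listed as fixed anywhere, and comparing its version number against 7.13.7 alone would wrongly report it as behind by one patch when it actually needs a branch upgrade.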
Once attackers are tipped off about a CVE, it becomes a race against time to get all affected systems patched. Even then, rare cases exist where the patches themselves can be compromised.
How Contrast Provided Automatic AirCover for Customers
With this particular vulnerability in Confluence, there were really two major windows of risk exposure. First, while the vulnerability was still unknown to the public and the general risk of attack seemed low, an attacker had already discovered the issue and was exploiting it. Second, after the CVE announcement but before patches could be installed, the likelihood of an attack skyrocketed, and the period between disclosure and patching became a race against time. To make matters worse, public exploit code was released on June 3rd. As this CVE illustrates, the time between vulnerability detection, notification and patching can be significant. It can take days or sometimes even weeks, depending on the severity of the problem, the availability of developers and security staff, and other concurrent projects, problems and organizational change processes.
But this is precisely where Contrast customers have an advantage over organizations using WAF-only defenses. With CVE-2022-26134 (just like the previous CVE-2021-26084), Contrast Protect’s OGNL protection rule automatically spotted and blocked these attacks—right out of the box.
Contrast Protect blocks CVE-2022-26134 attacks (Contrast dashboard)
Unlike a WAF, which relies on signatures for known CVEs at the application perimeter, Contrast instrumentation works inside the application. This internal visibility allows Protect to observe what is happening in the application runtime and prevent exploitation in real time, as the attack takes place. In the event an attacker targets an unknown or newly disclosed vulnerability and bypasses a WAF, Contrast provides air cover to automatically block attacks.
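Perimeter-style signature detection, the approach the paragraph contrasts with in-application instrumentation, still has a defensive use: hunting through access logs for the exposure windows described above. The script below is an added example, not code from the post or from Contrast; it is a retrospective log check, not a runtime control. It assumes combined-format web access logs and that an injected OGNL expression would show up in the request target, either as a path segment or a query value; OGNL expressions are delimited by `${...}` or `%{...}`, which never appear in legitimate Confluence URLs. The log lines are constructed and use harmless expressions.

```python
"""Flag access-log requests whose target contains OGNL expression syntax, after URL decoding."""
import re
from urllib.parse import unquote

# Combined log format: client ident user [timestamp] "METHOD target PROTOCOL" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# OGNL expression delimiters. A legitimate Confluence URL never carries these,
# so a match is a strong signal; tune if your deployment proxies odd URLs.
OGNL_RE = re.compile(r"[$%]\{[^}]*\}")


def decode_target(target: str, rounds: int = 3) -> str:
    """URL-decode up to `rounds` times so double-encoded delimiters are not missed."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def scan(lines) -> list:
    """Return one finding per log line whose decoded request target holds an OGNL expression."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        client, timestamp, method, target, status, _size = m.groups()
        expr = OGNL_RE.search(decode_target(target))
        if expr:
            findings.append({
                "client": client,
                "time": timestamp,
                "method": method,
                "status": int(status),
                "expression": expr.group(0),
            })
    return findings


# Constructed sample log: one normal page view, one single-encoded expression in the
# path, one double-encoded expression in a query parameter, and one malformed line.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Jun/2022:10:14:01 +0000] "GET /pages/viewpage.action?pageId=42 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [03/Jun/2022:10:14:07 +0000] "GET /%24%7B1%2B1%7D/ HTTP/1.1" 302 0',
    '10.0.0.9 - - [03/Jun/2022:10:14:09 +0000] "GET /login.action?os_destination=%2525%257B2%252B2%257D HTTP/1.1" 200 4096',
    'not a log line',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['method']} -> {f['expression']} (HTTP {f['status']})")
```

The repeated decoding matters: the third sample line only reveals its `%{...}` delimiters after two passes, which is exactly the kind of request a single-pass perimeter signature misses and an in-application check sees in already-decoded form.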
Learn more about Contrast Protect.