Authors: Mark Ellzey, Ryan Lindner
Updates:
- 06-08-2022: Added comparison information.
On June 2nd, 2022, Atlassian announced a newly discovered vulnerability (assigned CVE-2022-26134) in the widely deployed enterprise wiki product, Confluence. While details are still fuzzy, we know that this is an unauthenticated exploit that results in remote code execution (RCE) and that it potentially affects all Confluence versions up to the known fixed versions. We also know that the bug has been reported as being exploited in the wild, so happy Friday, everyone!
In their advisory, Atlassian reported they have fixed the issue in the following versions of the software:
- 7.4.17
- 7.13.7
- 7.14.3
- 7.15.2
- 7.16.4
- 7.17.4
- 7.18.1
It has been almost a year since we reported the last major vulnerability found in Confluence. We discussed the methods we used to fingerprint and identify Confluence servers on the internet and, at the time, saw around 12,000 potentially vulnerable services. Fast-forward to the present, Censys has found around 9,325 services across 8,347 distinct hosts running some version of Atlassian Confluence.
Confluence Versions
Of those services, most Confluence versions we identified were v7.13.0 (1,137 hosts), v7.13.2 (690 hosts), and v7.13.5 (429 hosts); and if the advisory is accurate, all of these versions are susceptible to this new attack.
As with the previous Confluence vulnerability, Censys was able to identify these servers using a few data points found in the HTTP response from a running server:
- The existence of an X-Confluence-Request-Time response header.
- The value of the HTML meta tag: ajs-version-number
Users can use the following Censys search query to find and identify Confluence services:
same_service(services.http.response.body: <meta name="ajs-version-number" AND services.http.response.headers.unknown.name: "X-Confluence-Request-Time")
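The same two signals can be checked offline against a captured HTTP response, and the version string read from the meta tag can be compared against the fixed versions listed in the advisory above. The following script is an added example written for this post, not Censys tooling: the HTTP response it inspects is constructed, and the rule that any release newer than 7.18.1 also carries the fix (and that branches with no listed fix, such as 7.12.x, are unpatched) is an assumption of the example rather than a statement from Atlassian.

```python
import re
from typing import Optional, Tuple

# Fixed versions quoted from the advisory above, keyed by major.minor branch.
FIXED_VERSIONS = {
    (7, 4): (7, 4, 17),
    (7, 13): (7, 13, 7),
    (7, 14): (7, 14, 3),
    (7, 15): (7, 15, 2),
    (7, 16): (7, 16, 4),
    (7, 17): (7, 17, 4),
    (7, 18): (7, 18, 1),
}
HIGHEST_FIXED = (7, 18, 1)

# Constructed sample HTTP response (not a real capture) carrying both
# fingerprint signals: the X-Confluence-Request-Time header and the
# ajs-version-number meta tag.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "X-Confluence-Request-Time: 1654200000000\r\n"
    "\r\n"
    "<html><head>\n"
    '<meta name="ajs-version-number" content="7.13.0">\n'
    "</head><body>Log in</body></html>\n"
)

META_RE = re.compile(r'<meta\s+name="ajs-version-number"\s+content="([^"]+)"', re.I)


def split_response(raw: str) -> Tuple[dict, str]:
    """Split a raw HTTP/1.1 response into (headers with lower-cased names, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def fingerprint_confluence(raw: str) -> Optional[str]:
    """Return the Confluence version string when both signals are present, else None."""
    headers, body = split_response(raw)
    if "x-confluence-request-time" not in headers:
        return None
    m = META_RE.search(body)
    return m.group(1) if m else None


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn '7.13.0' into (7, 13, 0); missing components default to 0."""
    parts = [int(p) for p in re.findall(r"\d+", v)[:3]]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_patched(v: str) -> bool:
    """True if the version is at or above the advisory's fix for its branch.

    Assumption of this example: releases newer than the highest listed fix
    contain it too; branches without a listed fix are treated as unpatched.
    """
    ver = parse_version(v)
    if ver > HIGHEST_FIXED:
        return True
    fixed = FIXED_VERSIONS.get(ver[:2])
    return fixed is not None and ver >= fixed


def assess(raw: str) -> dict:
    """Combine fingerprinting and the version check into one verdict."""
    version = fingerprint_confluence(raw)
    if version is None:
        return {"confluence": False}
    return {"confluence": True, "version": version, "patched": is_patched(version)}


if __name__ == "__main__":
    print(assess(SAMPLE_RESPONSE))
```

Feed it responses saved from your own inventory (for example, the output of a scanner you already run against your perimeter) to get a per-host patched/unpatched list rather than relying on the dashboard alone.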
Optionally, Censys has created an interactive dashboard for analyzing Confluence services on the internet. This dashboard allows users to pivot and filter on numerous fields, including the actual running version of Confluence, country, and autonomous system. Currently, there are two main views: detailed information on present-day Confluence deployments, and historical trends. It should be noted that this data is fetched and aggregated every 24 hours.
This tool can be used to track the online efforts to patch and remediate this specific vulnerability as time goes on.
Present day details
Historical trends
Technical Details
CVE-2022-26134 is an unauthenticated, remote code execution vulnerability resulting from an Object-Graph Navigation Language (OGNL) injection. OGNL injection attacks have risen in popularity after Apache Struts was affected by an RCE in 2019 (CVE-2019-0230) and Confluence in 2021 (CVE-2021-26084).
To identify whether a Confluence server is exploitable, an attacker must place a special payload in the URI of an HTTP request destined for the service. An example of one such URL-encoded OGNL payload would be as follows:
curl -v http://127.0.0.1:8081/%24%%7B&40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29%7D/
Upon successful exploitation, this will run a `whoami` command on the Confluence server with the same permissions as the user running the service (by default, this is the “confluence” user).
An attacker may further alter this payload to force the Confluence server to send command output in the HTTP response. For example, the OGNL payload could create a custom response header field and feed the command output into that response header, allowing an attacker to easily scan for vulnerable servers by sending a payload to all Confluence servers and parsing the response for the malicious header. For more detailed information on the root cause of the OGNL vulnerability, visit Rapid7’s post on this vulnerability.
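Because the injection travels in the request URI, web server or reverse proxy access logs are the natural place to look for exploitation attempts against a Confluence instance. The script below is an added example for this post (not Censys code): it parses Combined Log Format lines, percent-decodes the request target repeatedly so that double-encoded paths are not missed, and flags any request whose decoded target contains an OGNL-style `${...}` expression. The log lines are constructed and use a harmless arithmetic expression in place of a real payload; field names and the decode limit are choices of the example.

```python
import re
from urllib.parse import unquote
from typing import List, Optional

# Constructed sample access-log lines (Combined Log Format), not real traffic.
# Lines 3 and 4 carry a percent-encoded (and double-encoded) ${...} expression
# in the request path; line 5 contains an encoded '$' with no expression.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Jun/2022:10:01:02 +0000] "GET /login.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.6 - - [03/Jun/2022:10:01:09 +0000] "GET /rest/api/content?limit=25 HTTP/1.1" 200 831 "-" "curl/7.79.1"
10.0.0.7 - - [03/Jun/2022:10:02:44 +0000] "GET /%24%7B7*7%7D/ HTTP/1.1" 302 0 "-" "curl/7.79.1"
10.0.0.8 - - [03/Jun/2022:10:02:51 +0000] "GET /%2524%257B7*7%257D/ HTTP/1.1" 302 0 "-" "curl/7.79.1"
10.0.0.9 - - [03/Jun/2022:10:03:01 +0000] "GET /display/DOCS/Home?a=%24100 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a CLF line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# An OGNL expression delimiter pair anywhere in the decoded request target.
EXPR_RE = re.compile(r"\$\{(.*?)\}")


def fully_decode(s: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded to avoid loops)."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def inspect_line(line: str) -> Optional[dict]:
    """Return a finding dict if the line's request target contains ${...}, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = fully_decode(m.group("target"))
    e = EXPR_RE.search(decoded)
    if not e:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": int(m.group("status")),
        "raw_target": m.group("target"),
        "decoded_target": decoded,
        "expression": e.group(1),
    }


def scan_log(text: str) -> List[dict]:
    """Run inspect_line over every line and collect the findings."""
    findings = []
    for line in text.splitlines():
        hit = inspect_line(line)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} -> {hit["decoded_target"]} (expr: {hit["expression"]})')
```

A legitimate Confluence request path should never decode to something containing `${`, so this check produces few false positives; pair it with the response-header trick described above by also alerting on unexpected custom headers leaving your reverse proxy.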
Comparison to CVE-2021-26084
Since this recent vulnerability closely echoes the same patterns of attack as an exploit from last year around the same time, it’s an excellent opportunity to take a step back and do some comparative analysis between the two.
When we initially reported on CVE-2021-26084 back in August of 2021, we noted around 13,787 unique hosts running a vulnerable version of Confluence. Just seven days after the initial advisory (August 31st, 2021), that number of vulnerable services had dropped to 12,834. Of those hosts, 727 had upgraded to a non-vulnerable version of Confluence, while 997 services were removed from the public-facing internet altogether.
Comparing the old vulnerability to this new one is a night-and-day difference! On June 2nd, 2022, there were 7,540 vulnerable hosts running Confluence, and within just four days, that number has gone down to 5,359, where 839 hosts upgraded to a non-vulnerable version, and 3,229 were taken off the public internet.
It should be noted that since we are pulling day-by-day stats, hosts that have come online or have regained connectivity during this time period running a vulnerable version of Confluence are also part of that number.
What can I do about it?
- Censys ASM customers have access to a new risk that identifies potentially vulnerable Confluence instances.
- Follow the upgrade and remediation process described on the official advisory.