CVE-2022-26134 – Critical Vulnerability in Confluence Server & Data Center


On Tuesday, May 31, 2022, Volexity responsibly disclosed a remote code execution (RCE) vulnerability to Atlassian affecting all supported versions of Confluence Server & Data Center. The Object-Graph Navigation Language (OGNL) injection vulnerability allows an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance.

Successful exploitation of this vulnerability allows a threat actor to establish persistence by loading a malicious file into memory, effectively acting as a webshell. In at least one instance, the threat actor deployed two webshells after obtaining initial access, one of which allows arbitrary file uploads.

Technical details shared by Atlassian for CVE-2022-26134 are limited at the moment.

Confluence Server and Data Center Impacted Products

Product: Confluence Server and Confluence Data Center

Affected Versions:
  • All supported versions (7.4-7.18) are affected.
  • Non-supported versions > 1.3.0 are also affected.

Fixed Versions:
  • 7.4.17
  • 7.13.7
  • 7.14.3
  • 7.15.2
  • 7.16.4
  • 7.17.4
  • 7.18.1

Note: Atlassian Cloud is not affected by this vulnerability

Recommendations

Recommendation #1: Apply the Available Updates or Upgrade to a Fixed Version of Confluence

Confluence released versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1 on June 3, 2022. We recommend applying the latest available release relevant to your Confluence instance or upgrading to a fixed version to mitigate CVE-2022-26134.
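The fixed-version list above is branch specific: a 7.13.x instance is only safe at 7.13.7 or later, and branches with no listed fix (for example 7.5 through 7.12) must be moved to a fixed branch. The following is an added example, not Arctic Wolf or Atlassian code, that turns that table into an inventory check a defender can run against the version strings collected from their Confluence instances. The sample inventory is constructed; the one assumption beyond the advisory is that releases newer than 7.18.1 also carry the fix.

```python
from typing import Optional, Tuple

# Fixed versions Atlassian released on June 3, 2022, as listed in the advisory.
FIXED_VERSIONS = ["7.4.17", "7.13.7", "7.14.3", "7.15.2", "7.16.4", "7.17.4", "7.18.1"]

# Per the advisory, versions strictly greater than 1.3.0 are affected.
LAST_UNAFFECTED = (1, 3, 0)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse a dotted Confluence version such as '7.13.6' into a comparable tuple.

    A trailing qualifier (e.g. '7.18.0-rc1') is cut at the first non-digit and
    missing components are padded with zeros, so '7.18' compares as (7, 18, 0).
    """
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            raise ValueError(f"unparseable version component: {piece!r}")
        parts.append(int(digits))
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


# Map each (major, minor) branch to the first fixed build on that branch.
_FIXED_BY_BRANCH = {parse_version(v)[:2]: parse_version(v) for v in FIXED_VERSIONS}
_LATEST_FIXED = max(_FIXED_BY_BRANCH.values())


def assess(version_text: str) -> str:
    """Classify a version as 'not_affected', 'fixed' or 'vulnerable' for CVE-2022-26134."""
    v = parse_version(version_text)
    if v <= LAST_UNAFFECTED:
        return "not_affected"
    fixed_on_branch = _FIXED_BY_BRANCH.get(v[:2])
    if fixed_on_branch is not None:
        return "fixed" if v >= fixed_on_branch else "vulnerable"
    # Assumption (not stated in the advisory): releases after 7.18.1 include the fix.
    if v > _LATEST_FIXED:
        return "fixed"
    # Branch without a listed fix (e.g. 7.5 - 7.12): upgrade to a fixed branch.
    return "vulnerable"


def recommended_upgrade(version_text: str) -> Optional[str]:
    """Return the fixed build to move to, or None if no upgrade is needed for this CVE.

    Stays on the current branch when that branch has a fix; otherwise points at
    the newest fixed release in the advisory.
    """
    if assess(version_text) != "vulnerable":
        return None
    fixed_on_branch = _FIXED_BY_BRANCH.get(parse_version(version_text)[:2])
    target = fixed_on_branch if fixed_on_branch is not None else _LATEST_FIXED
    return ".".join(str(n) for n in target)


def report(inventory) -> list:
    """Produce (host, version, status, upgrade_target) rows for an inventory."""
    rows = []
    for host, version in inventory:
        rows.append((host, version, assess(version), recommended_upgrade(version)))
    return rows


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = [
        ("wiki-prod-01", "7.13.6"),
        ("wiki-prod-02", "7.13.7"),
        ("wiki-legacy", "7.10.2"),
        ("wiki-dev", "7.18.0-rc1"),
    ]
    for host, version, status, target in report(sample):
        action = f"upgrade to {target}" if target else "no action for this CVE"
        print(f"{host:<14} {version:<12} {status:<13} {action}")
```

Run it against the version strings from your own inventory; any row reported as vulnerable should be prioritised for the fixed release named in the last column, or for the Atlassian workaround in Recommendation #2 until that upgrade can be scheduled.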

Recommendation #2: Explore Applying Workaround from Atlassian

If you are unable to upgrade Confluence immediately, Atlassian has provided guidance on a temporary workaround. The workaround is version specific and requires downloading .jar and .class files to the Confluence server.

Review Atlassian’s guidance here to apply the workaround to your affected system(s):

Note: Arctic Wolf recommends following change management best practices for testing the workaround in a dev environment before deploying to production systems to avoid any operational impact.



Adrian Korn

Adrian Korn is a seasoned cyber security professional with 7+ years' experience in cyber threat intelligence, threat detection, and security operations. He currently serves as the Manager of Threat Intelligence Research at Arctic Wolf Labs. Adrian has been a guest speaker on intelligence related topics at numerous conferences around the world, including DEF CON's Recon Village, Hackfest, and the Australian OSINT Symposium.