CVE-2022-26134: Critical OGNL Injection Vulnerability in Confluence Server and Data Center

The CVE-2022-26134 refers to a critical vulnerability found in Confluence Server and Data Center, which can allow an unauthenticated attacker to execute arbitrary codes on a Confluence instance. This post discusses the affected versions, code snippet that demonstrates the vulnerability, and detailed information on the exploit.

Exploit Details

The vulnerability stems from an OGNL (Object-Graph Navigation Language) injection vulnerability in Confluence Server and Data Center. An attacker could exploit this vulnerability by sending crafted HTTP requests to a vulnerable Confluence Server or Data Center instance. OGNL is a powerful expression language used in Java web applications and is heavily used by Apache Struts2 and other Java-based web frameworks.

Here's a code snippet example that demonstrates the vulnerability

URL: https://TARGET/confluence/pages/viewpage.action

POST-Data: queryString=ognl%3AOgnlContext.getCurrentContext%28%29.get%28++++"co"+"m.o"+"pensy"+"mphony.xwo"+"rk2.disp"+"at"+""+"cher.Http"+"S"+"er"+"v"+"le"+"rR"+"eq"+""+"uest","r"+"e"+"q"++"++"+"++"+"++"+"++"+"++"+"+++"%"+"2"+"E")

The attacker can replace TARGET with the address of the vulnerable Confluence Server or Data Center instance, and the crafted queryString parameter can be used to inject OGNL expressions that allow for arbitrary code execution.

The following sources provide additional information on this vulnerability

1. Atlassian Security Advisory: CVE-2022-26134 Advisory
2. NIST National Vulnerability Database: CVE-2022-26134

Mitigation Steps

Users of the affected Confluence Server and Data Center versions should upgrade to one of the following fixed versions as soon as possible:

7.18.1

Atlassian also provides detailed instructions on how to update Confluence to ensure that users are protected from this critical vulnerability.

Conclusion

The CVE-2022-26134 vulnerability poses a significant risk for Confluence Server and Data Center users. By exploiting this vulnerability, an attacker can execute arbitrary codes on the affected instances, potentially compromising the integrity of the system or the confidentiality of the information stored within. Organizations must take immediate action to upgrade their Confluence Server and Data Center instances to the latest, fixed versions and safeguard their information and infrastructure against possible attacks.

Timeline

Published on: 06/03/2022 22:15:00 UTC
Last modified on: 06/30/2022 06:15:00 UTC