Atlassian Vulnerability CVE-2022–26134

Nimantha Deshappriya
3 min read · Jul 6, 2022

Security researchers at an organization named “Volexity” have identified an unauthenticated remote code execution zero-day vulnerability in Atlassian Confluence Server and Data Center instances that is being actively exploited in the wild.

It has been further identified that Object-Graph Navigation Language (OGNL) is the target of this attack. Security researchers have discovered that an OGNL injection vulnerability allows adversaries to run arbitrary code on Confluence servers.

OGNL is an open-source Expression Language (EL) for Java objects. It is used to reference and manipulate data held in the properties of Java objects. The vulnerability occurs when user input is not properly validated and the EL evaluates that input, allowing adversaries to inject crafted EL code.

OGNL is mainly used to bind front-end elements such as text boxes to back-end objects, and it is widely used in Java-based web applications such as Confluence.

The following versions of Confluence are identified as vulnerable to this CVE.

1.3.0 -> 7.4.17, 7.13.0 -> 7.13.7, 7.14.0 -> 7.14.3, 7.15.0 -> 7.15.2, 7.16.0 -> 7.16.4, 7.17.0 -> 7.17.4, 7.18.0 -> 7.18.1

Solution

To resolve this issue, Confluence needs to be upgraded to one of the following versions.

7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, 7.18.1

Detection

Confluence runs on Apache Tomcat, whose logs can be used to detect exploitation attempts. The logs can be viewed at the following location: /opt/atlassian/confluence/logs
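A concrete way to use those logs for detection, as an added example that is not part of the original post and not Volexity's or Atlassian's code: the script below parses Tomcat-style access log lines and flags requests whose URI path, after percent-decoding, contains an OGNL expression marker (`${`). The log lines are constructed samples (the IP addresses and timestamps are made up); the third line reuses the encoded payload shown later in this post, and the fourth is a double-encoded variant to show why decoding is repeated. Only the path is inspected, not the query string, because this CVE is triggered by the URI path.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Tomcat's default access-log format (not from a real server).
SAMPLE_LOG = """\
10.0.0.5 - - [06/Jul/2022:10:15:31 +0000] "GET /login.action HTTP/1.1" 200 4523
10.0.0.5 - - [06/Jul/2022:10:15:32 +0000] "GET /rest/api/search?cql=title%3D%22%24%7Bbudget%7D%22 HTTP/1.1" 200 812
203.0.113.7 - - [06/Jul/2022:10:16:02 +0000] "GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/file%2etxt%22%29%7D/ HTTP/1.1" 302 -
203.0.113.7 - - [06/Jul/2022:10:16:05 +0000] "GET /%2524%257B%2540java.lang.Runtime%2540getRuntime%2528%2529%257D/ HTTP/1.1" 302 -
"""

# Client IP, timestamp, method, request URI and status code from a common-format access line.
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded payloads are not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def request_path(uri):
    """Return the path component of a request URI, dropping any query string."""
    return uri.split("?", 1)[0]


def is_ognl_path(uri):
    """True when the decoded request path carries an OGNL expression marker.

    A '${' that appears only inside a query parameter is deliberately ignored to
    limit false positives on legitimate searches; the vulnerable code path here
    evaluates the URI path itself.
    """
    return "${" in fully_decode(request_path(uri))


def find_ognl_attempts(log_text):
    """Scan access-log text and return one record per suspicious request."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        match = ACCESS_LINE.match(line)
        if not match:
            continue  # not an access line we understand; skip rather than guess
        if is_ognl_path(match["uri"]):
            hits.append({
                "line": lineno,
                "ip": match["ip"],
                "timestamp": match["ts"],
                "status": match["status"],
                "decoded_path": fully_decode(request_path(match["uri"])),
            })
    return hits


if __name__ == "__main__":
    for hit in find_ognl_attempts(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['ip']} at {hit['timestamp']} "
              f"-> {hit['decoded_path']} (HTTP {hit['status']})")
```

On a real instance, pass the contents of the Tomcat access log under /opt/atlassian/confluence/logs to `find_ognl_attempts`; the decoded path in each record shows what the attacker asked the server to evaluate, which is what a responder wants to see first.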

Exploitation (Proof of concept)

To exploit this vulnerability in OGNL, an HTTP GET request needs to be made with the expression placed in the URI. For instance, the Java runtime can be instructed to execute a command such as creating a file in a directory on the server.

One thing that needs to be noticed here is that the URL needs to be encoded.

To create a file on the server, the following command can be used:
${@java.lang.Runtime@getRuntime().exec("touch /tmp/file.txt")}/

The encoded version of the above command is: %24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/file%2etxt%22%29%7D/

The trailing / should be used as is, without encoding it.

Furthermore, a PoC exploit written in Python by Samy Younsi (Mwqda) can be downloaded from GitHub.

The file that was created earlier using the curl command can be found inside the /tmp directory.
