{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2022-040.pdf"
    },
    "title": "UPDATE: Critical Remote Code Execution Vulnerability in Confluence",
    "serial_number": "2022-040",
    "publish_date": "03-06-2022 07:37:00",
    "description": "On June 2, 2020, Confluence released an advisory about a critical vulnerability, identified as \"CVE-2022-26134\", with a severity score of 10 out of 10, which could lead to unauthenticated Remote Code Execution if exploited.<br>There is active exploitation of this vulnerability leading to the installation of webshells and crypto-miners. Moreover, a POC of the vulnerability exploitation is now publicly available.",
    "url_title": "2022-040",
    "content_markdown": "---\ntitle: 'Critical Remote Code Execution Vulnerability in Confluence'\nversion: '1.4'\nnumber: '2022-040'\noriginal_date: 'June 2, 2022'\ndate: 'June 7, 2022'\n---\n\n_History:_\n\n* _03/06/2022 --- v1.0 -- Initial publication_\n* _03/06/2022 --- v1.2 -- Update information about WAF workaround_\n* _04/06/2022 --- v1.3 -- Update information about patched versions and active exploitation_\n* _07/06/2022 --- v1.4 -- Update information about public POC and mitigation_\n\n# Summary\n\nOn June 2, 2020, Confluence released an advisory about a critical vulnerability, identified as `CVE-2022-26134`, with a severity score of 10 out of 10, which could lead to unauthenticated Remote Code Execution if exploited [1].\n\n**There is active exploitation of this vulnerability leading to the installation of webshells and crypto-miners. Moreover, a POC of the vulnerability exploitation is now publicly available [5].**\n\n# Technical Details\n\n`CVE-2022-26134` is an Object-Graph Navigation Language (OGNL) injection vulnerability that allows an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance [4]. By exploiting it, attackers can execute remote commands on the server without being authenticated and take full control of the server, for instance by uploading webshells [2].\n\n# Affected Products\n\nAll versions of Confluence Server and Data Center prior to the fixed versions listed below are affected by this vulnerability. Fixed versions include:\n\n- 7.4.17\n- 7.13.7\n- 7.14.3\n- 7.15.2\n- 7.16.4\n- 7.17.4\n- 7.18.1\n\nPlease note that Confluence instances hosted directly in Atlassian Cloud are not affected.\n\n# Recommendations\n\nCERT-EU strongly recommends upgrading Confluence servers to the latest version.\n\nAs active exploitation of this vulnerability has been observed, CERT-EU strongly recommends scanning Confluence servers for the IOCs published by the Volexity researchers [3] and for any other suspicious behaviour.\n\n## Mitigation\n\nWhere upgrading Confluence is not possible (although upgrading remains the recommended action), Atlassian provides workarounds for Confluence versions 7.15.0 to 7.18.0 and for Confluence versions 7.0.0 to 7.14.2 [1].\n\nNote, however, that these workarounds do not cover other security flaws fixed in the update.\n\n# References\n\n[1] <https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>\n\n[2] <https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/>\n\n[3] <https://github.com/volexity/threat-intel/tree/main/2022/2022-06-02%20Active%20Exploitation%20Of%20Confluence%200-day/indicators>\n\n[4] <https://jira.atlassian.com/browse/CONFSERVER-79016>\n\n[5] <https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis?referrer=notificationEmail>",
    "content_html": "<p><em>History:</em></p><ul><li><em>03/06/2022 --- v1.0 -- Initial publication</em></li><li><em>03/06/2022 --- v1.2 -- Update information about WAF workaround</em></li><li><em>04/06/2022 --- v1.3 -- Update information about patched versions and active exploitation</em></li><li><em>07/06/2022 --- v1.4 -- Update information about public POC and mitigation</em></li></ul><h2 id=\"summary\">Summary</h2><p>On June 2, 2020, Confluence released an advisory about a critical vulnerability, identified as <code>CVE-2022-26134</code>, with a severity score of 10 out of 10, which could lead to unauthenticated Remote Code Execution if exploited [1].</p><p><strong>There is active exploitation of this vulnerability leading to the installation of webshells and crypto-miners. Moreover, a POC of the vulnerability exploitation is now publicly available [5].</strong></p><h2 id=\"technical-details\">Technical Details</h2><p><code>CVE-2022-26134</code> is an Object-Graph Navigation Language (OGNL) injection vulnerability that allows an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance [4]. By exploiting it, attackers can execute remote commands on the server without being authenticated and take full control of the server, for instance by uploading webshells [2].</p><h2 id=\"affected-products\">Affected Products</h2><p>All versions of Confluence Server and Data Center prior to the fixed versions listed below are affected by this vulnerability. Fixed versions include:</p><ul><li>7.4.17</li><li>7.13.7</li><li>7.14.3</li><li>7.15.2</li><li>7.16.4</li><li>7.17.4</li><li>7.18.1</li></ul><p>Please note that Confluence instances hosted directly in Atlassian Cloud are not affected.</p><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU strongly recommends upgrading Confluence servers to the latest version.</p><p>As active exploitation of this vulnerability has been observed, CERT-EU strongly recommends scanning Confluence servers for the IOCs published by the Volexity researchers [3] and for any other suspicious behaviour.</p><h3 id=\"mitigation\">Mitigation</h3><p>Where upgrading Confluence is not possible (although upgrading remains the recommended action), Atlassian provides workarounds for Confluence versions 7.15.0 to 7.18.0 and for Confluence versions 7.0.0 to 7.14.2 [1].</p><p>Note, however, that these workarounds do not cover other security flaws fixed in the update.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html\">https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/\">https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://github.com/volexity/threat-intel/tree/main/2022/2022-06-02%20Active%20Exploitation%20Of%20Confluence%200-day/indicators\">https://github.com/volexity/threat-intel/tree/main/2022/2022-06-02%20Active%20Exploitation%20Of%20Confluence%200-day/indicators</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://jira.atlassian.com/browse/CONFSERVER-79016\">https://jira.atlassian.com/browse/CONFSERVER-79016</a></p><p>[5] <a rel=\"noopener\" target=\"_blank\" href=\"https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis?referrer=notificationEmail\">https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis?referrer=notificationEmail</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}