On June 2, Atlassian released a security advisory regarding another remote code execution vulnerability (CVE-2022-26134) affecting all on-premises versions of Confluence Server and Confluence Data Center. The initial report to Atlassian came from Veloxity after discovering it during a forensic investigation. After the release of Atlassian and the discussion of active exploitation in the wild, the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning for users to immediately block all traffic to affected systems.

The vulnerability could be exploited by an anonymous/unauthenticated attacker to inject malicious Object-Graph Navigation Language (OGNL) commands. This carries a very high risk exposure – as the CVE is still in a RESERVED state, there is currently no CVSS score mapped, but Contrast Labs expects it to be critical and 9.8 or higher ( like the previously discovered OGNL problem published last year CVE-2021-26084). This pre-authenticated nature of this vulnerability itself, and the fact that there are many older, unpatched, on-site versions of Confluence, makes this a very serious issue.

What does the exploit look like?

CVE-2022-26134 is an OGNL injection vulnerability that allows an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.

An attacker can exploit this vulnerability, easily bypassing Web Application Firewall (WAF) defenses, to gain control of an unpatched system. When this happens, an attacker gains “godlike” access to Confluence. They can access anything stored in that box, including data, tickets, attachments, and keys to things like AWS infrastructure. Lateral movement beyond the server, through the network and other applications, is even possible.

Has the Confluence vulnerability been patched?

The vulnerability was recently discovered by Veloxity over Memorial Day weekend during a forensic investigation. Me, it was immediately reported to Atlassian. In this case, Atlassian reported to the general public before a patch was released, likely due to the vulnerability’s criticality, ease of exploitation, and the fact that it was under active exploitation. Atlassian reported the issue to the public on June 2 and has regularly updated its mitigation guidance. This mitigation started with the recommendation to remove all on-premises instances from the internet or disable them. Then the mitigation was changed to replace a specific Java jar file, and finally to release fixes. The patches released are 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, and 7.18.1.

Once attackers are notified of a CVE, it becomes a race against time to get all affected systems patched. Even then, there are still rare cases where patches can be compromised as well.

How Contrast Provided Automatic AirCover to Customers

With this particular vulnerability at Confluence, there were really two big windows of risk exposure. First, even though the vulnerability remained an unknown threat to the public and the risk of an attack was low, a hacker had obviously discovered the problem and was exploiting it. Second, after CVE was announced, but before patches could be installed, the likelihood of an attack skyrocketed, with the period between patch and exploit becoming a race against time. To make matters worse, a public exploit code was released on June 3. As this CVE is an example, the delay between detection of the vulnerability and notification and remediation can be significant. This can take days or even weeks depending on the severity of the issue, the availability of developers and security personnel, and other concurrent projects/issues/organizational change processes.

But this is precisely where Contrast customers have an advantage over organizations using only WAF defenses. With CVE-2022-26134 (just like previous CVE-2021-26084), Contrast Protect’s OGNL protection rule automatically spotted and blocked these attacks, right out of the box.

Contrast Protect blocks CVE-2022-26134 attacks (Contrast Dashboard)

Unlike a WAF which benefits from known CVE signature detection at the application perimeter, Contrast instrumentation works inside the application. This internal visibility allows Protect to observe what is happening in the execution of the application and prevent its exploitation in real time, as the attack occurs. In the event an attacker targets an unknown or recently disclosed vulnerability and bypasses a WAF, Contrast provides air cover to automatically block attacks.

Learn more about Contrast protection.

David Lindner, Chief Information Security Officer

David is an experienced application security professional with over 20 years of experience in cybersecurity. In addition to being the Chief Information Security Officer, David leads the Contrast Labs team that focuses on analyzing threat intelligence to help enterprise customers develop more proactive approaches to their security programs. application security. Throughout his career, David has worked across multiple disciplines within the security space, from application development, network architecture design and support, IT security and consulting, security training and application security. Over the past decade, David has specialized in all things mobile apps and securing them. He has worked with numerous clients across all industry sectors including finance, government, automotive, healthcare and retail. David is an active participant in many bug bounty programs.

Subscribe to the Contrast blog

By subscribing to our blog, you’ll stay up to date with all the latest appsec news and devops best practices. You’ll also hear about the latest Contrast product news and exciting application security events.

On June 2, Atlassian released a security advisory regarding another remote code execution vulnerability (CVE-2022-26134) affecting all on-premises versions of Confluence Server and Confluence Data Center. The initial report to Atlassian came from Veloxity after discovering it during a forensic investigation. After the release of Atlassian and the discussion of active exploitation in the wild, the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning for users to immediately block all traffic to affected systems.

The vulnerability could be exploited by an anonymous/unauthenticated attacker to inject malicious Object-Graph Navigation Language (OGNL) commands. This carries a very high risk exposure – as the CVE is still in a RESERVED state, there is currently no CVSS score mapped, but Contrast Labs expects it to be critical and 9.8 or higher ( like the previously discovered OGNL problem published last year CVE-2021-26084). This pre-authenticated nature of this vulnerability itself, and the fact that there are many older, unpatched, on-site versions of Confluence, makes this a very serious issue.

What does the exploit look like?

CVE-2022-26134 is an OGNL injection vulnerability that allows an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.

An attacker can exploit this vulnerability, easily bypassing Web Application Firewall (WAF) defenses, to gain control of an unpatched system. When this happens, an attacker gains “godlike” access to Confluence. They can access anything stored in that box, including data, tickets, attachments, and keys to things like AWS infrastructure. Lateral movement beyond the server, through the network and other applications, is even possible.

Has the Confluence vulnerability been patched?

The vulnerability was recently discovered by Veloxity over Memorial Day weekend during a forensic investigation. Me, it was immediately reported to Atlassian. In this case, Atlassian reported to the general public before a patch was released, likely due to the vulnerability’s criticality, ease of exploitation, and the fact that it was under active exploitation. Atlassian reported the issue to the public on June 2 and has regularly updated its mitigation guidance. This mitigation started with the recommendation to remove all on-premises instances from the internet or disable them. Then the mitigation was changed to replace a specific Java jar file, and finally to release fixes. The patches released are 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, and 7.18.1.

Once attackers are notified of a CVE, it becomes a race against time to get all affected systems patched. Even then, there are still rare cases where patches can be compromised as well.

How Contrast Provided Automatic AirCover to Customers

With this particular vulnerability at Confluence, there were really two big windows of risk exposure. First, even though the vulnerability remained an unknown threat to the public and the risk of an attack was low, a hacker had obviously discovered the problem and was exploiting it. Second, after CVE was announced, but before patches could be installed, the likelihood of an attack skyrocketed, with the period between patch and exploit becoming a race against time. To make matters worse, a public exploit code was released on June 3. As this CVE is an example, the delay between detection of the vulnerability and notification and remediation can be significant. This can take days or even weeks depending on the severity of the issue, the availability of developers and security personnel, and other concurrent projects/issues/organizational change processes.

But this is precisely where Contrast customers have an advantage over organizations using only WAF defenses. With CVE-2022-26134 (just like previous CVE-2021-26084), Contrast Protect’s OGNL protection rule automatically spotted and blocked these attacks, right out of the box.

Contrast Protect blocks CVE-2022-26134 attacks (Contrast Dashboard)

Unlike a WAF which benefits from known CVE signature detection at the application perimeter, Contrast instrumentation works inside the application. This internal visibility allows Protect to observe what is happening in the execution of the application and prevent its exploitation in real time, as the attack occurs. In the event an attacker targets an unknown or recently disclosed vulnerability and bypasses a WAF, Contrast provides air cover to automatically block attacks.

Learn more about Contrast protection.