Atlassian Confluence Zero Day Being Leveraged To Install Webshells And Ransomware- An Overview

Dawn Treader
June 30, 2022

Atlassian Confluence is a content collaboration and management software. In early June it was reported that the software is vulnerable to an OGNL injection attack. Attackers can leverage this vulnerability to have code executed on the server-side. The following softwares are affected:

Confluence Server

Confluence Data Center

Object Graph Navigation Library (OGNL) Injection Attack 

OGNL is an expression language that can get and set properties of Java Objects. Jakarata EE, formerly Java Platform Enterprise Edition, uses Expression Language for embedding and evaluating expressions in web pages developed using Jakarta EE. 

If the web server does not perform sanity checks on an input provided by a user, which is relayed to the OGNL library for expression evaluation, then the server will be vulnerable to OGNL injection.

Atlassian Confluence Vulnerability Triggering Mechanism

A server running a vulnerable version of confluence will have an attacker-provided expression evaluated. All an attacker has to do is submit a get request to the server IP address with the following content as part of the GET parameter.

“${(#[email protected]@toString(@java.lang.Runtime@getRuntime().exec(“{}”).getInputStream(),”utf-8″)).(@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader(“X-Cmd-Response”,#a))}

The exec portion in the above parameter can contain any command that can be executed by the end server under the privilege of the hosting server process. A typical example seen in the wild is using powershell on a windows server running confluence to download malware and execute it. There have been reports of webshells being uploaded onto vulnerable servers

The end result of successfully exploiting this vulnerability will be the attacker executing code remotely on a vulnerable confluence product.

On Vehere’s threat severity scale which classifies threats as low, medium, high and critical, this threat severity for this is “High”. It can lead to system compromise and the installation of backdoors or malware.

Vehere Detection and Best Practice Recommendation 

Our Network Detection and Response product, PacketWorker, has the rule identified as “CVE-2022-26134 Confluence OGNL Remote Code execution Vulnerability” developed by our security research lab to detect malicious HTTP requests sent to Atlassian Confluence products to trigger the vulnerability. In addition to this, as best practice, we would recommend the internet community to have their systems patched or employ the workarounds recommended by Atlassian according to the following links

References ransomware-on-vulnerable-servers/

Confluence Security Advisory 2022-06-02 | Confluence Data Center and Server 7.18 | Atlassian Documentation

Share post: