Executive Summary
CVE-2022-26134 is a critical vulnerability identified in Atlassian Confluence Server and Data Center. This vulnerability allows for unauthenticated remote code execution (RCE) through an OGNL (Object-Graph Navigation Language) injection. The vulnerability affects multiple versions of Confluence Server and Data Center, making it a significant threat to organizations using these products. The sectors and countries targeted by APT groups exploiting this vulnerability include government, finance, healthcare, and technology sectors across the United States, Europe, and Asia.
Technical Information
CVE-2022-26134 is a critical severity vulnerability with a CVSS score of 9.8. It exists in Confluence Server and Data Center and allows an unauthenticated attacker to execute arbitrary code via an OGNL injection. The vulnerability affects versions from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1. The attack vector is network-based, with low attack complexity, no privileges required, and no user interaction needed. The impact on confidentiality, integrity, and availability is high.
The vulnerability is exploited by sending a crafted HTTP request to the vulnerable Confluence instance, which triggers the OGNL injection and allows the attacker to execute arbitrary commands. This can lead to the deployment of various types of malware, including cryptocurrency miners and other malicious payloads.
Exploitation in the Wild
The vulnerability has been actively exploited in the wild. Attackers have leveraged it to deploy various types of malware, including cryptocurrency miners and other malicious payloads, using the crafted HTTP request described above. Indicators of Compromise (IoCs) include unusual HTTP requests to Confluence endpoints, unexpected processes running on Confluence servers, and high CPU usage indicative of cryptocurrency mining.
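As an added example (not part of the original report), the following script scans constructed Confluence access-log lines for the first IoC named above: request URIs carrying an OGNL expression marker, checked after URL-decoding so that encoded variants are caught too. The log format, sample lines and addresses are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic): a normal page view,
# a request whose path carries an OGNL expression marker, and a normal API call.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [03/Jun/2022:10:12:01 +0000] "GET /display/DOCS/Home HTTP/1.1" 200 5120
203.0.113.7 - - [03/Jun/2022:10:12:44 +0000] "GET /%24%7B7*7%7D/ HTTP/1.1" 302 0
10.0.0.9 - - [03/Jun/2022:10:13:02 +0000] "POST /rest/api/content HTTP/1.1" 200 311
"""

# Common-log-format style line: source, timestamp, method, URI, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# OGNL expression delimiters "${" and "%{"; a legitimate Confluence URI path
# should never contain either once decoded.
OGNL_MARKER = re.compile(r'[$%]\{')


def fully_decode(value, rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded markers are exposed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_ognl_probe(uri):
    return bool(OGNL_MARKER.search(fully_decode(uri)))


def find_ognl_attempts(log_text):
    """Return one dict per log line whose request URI carries an OGNL marker."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_ognl_probe(m.group("uri")):
            hits.append({"src": m.group("src"), "ts": m.group("ts"),
                         "uri": m.group("uri"), "status": int(m.group("status"))})
    return hits


if __name__ == "__main__":
    for hit in find_ognl_attempts(SAMPLE_ACCESS_LOG):
        print(f"possible CVE-2022-26134 probe from {hit['src']} at {hit['ts']}: {hit['uri']}")
```

Run it against a real access log by replacing SAMPLE_ACCESS_LOG with the file contents; the regex assumes the common log format, so adjust LOG_RE if your reverse proxy writes a different layout.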
APT Groups using this vulnerability
While specific APT groups exploiting CVE-2022-26134 have not been publicly identified, the nature of the vulnerability makes it a valuable target for various threat actors, including state-sponsored groups and cybercriminals. The sectors and countries targeted by the threat actors exploiting it include government, finance, healthcare, and technology sectors across the United States, Europe, and Asia.
Affected Product Versions
The affected versions of Confluence Server and Data Center are:
- From 1.3.0 before 7.4.17
- From 7.13.0 before 7.13.7
- From 7.14.0 before 7.14.3
- From 7.15.0 before 7.15.2
- From 7.16.0 before 7.16.4
- From 7.17.0 before 7.17.4
- From 7.18.0 before 7.18.1
Workaround and Mitigation
To mitigate the risk associated with CVE-2022-26134, organizations should take the following steps. First, apply the latest security updates provided by Atlassian. The fixed versions are 7.4.17 and later, 7.13.7 and later, 7.14.3 and later, 7.15.2 and later, 7.16.4 and later, 7.17.4 and later, and 7.18.1 and later. Second, restrict access to Confluence instances to trusted networks only through network segmentation. Third, monitor for Indicators of Compromise (IoCs) by looking for unusual activity in Confluence logs and network traffic that may indicate exploitation attempts.
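As an added example (not part of the original report or of any Atlassian tooling), the following helper encodes the affected ranges and fixed versions listed above and classifies an installed Confluence version string against them. A version that falls in none of the listed ranges is reported as "unlisted" rather than safe, since the report only enumerates these ranges.

```python
import re

# Affected ranges from the report: lower bound inclusive, upper bound exclusive;
# the upper bound of each range is also the fixed version for that line.
AFFECTED_RANGES = [
    ("1.3.0", "7.4.17"),
    ("7.13.0", "7.13.7"),
    ("7.14.0", "7.14.3"),
    ("7.15.0", "7.15.2"),
    ("7.16.0", "7.16.4"),
    ("7.17.0", "7.17.4"),
    ("7.18.0", "7.18.1"),
]


def parse_version(v):
    """Parse 'major.minor.patch' into a comparable tuple; missing parts are 0."""
    m = re.match(r'\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?', v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(g or 0) for g in m.groups())


def assess(version):
    """Return ('affected', fixed), ('fixed', fixed) or ('unlisted', None).

    'fixed' means the version is on one of the listed release lines and is at
    or above that line's fixed version.
    """
    v = parse_version(version)
    for lower, fixed in AFFECTED_RANGES:
        lo, fx = parse_version(lower), parse_version(fixed)
        if lo <= v < fx:
            return ("affected", fixed)
        if v[:2] == fx[:2] and v >= fx:
            return ("fixed", fixed)
    return ("unlisted", None)


if __name__ == "__main__":
    # Constructed sample inventory (hostname -> reported Confluence version).
    inventory = {"wiki-prod": "7.13.6", "wiki-dev": "7.18.1", "wiki-legacy": "7.5.0"}
    for host, ver in inventory.items():
        status, fixed = assess(ver)
        note = f"upgrade to {fixed}" if status == "affected" else "check vendor advisory"
        print(f"{host}: {ver} -> {status}" + (f" ({note})" if status != "fixed" else ""))
```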
References
For more detailed information, please refer to the following sources:
- NVD - CVE-2022-26134 (https://nvd.nist.gov/vuln/detail/CVE-2022-26134)
- Atlassian Confluence Security Advisory 2022-06-02 (https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html)
- Rapid7 Blog - Active Exploitation of Confluence CVE-2022-26134 (https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/)
- Qualys Blog - Atlassian Confluence OGNL Injection Remote Code Execution (RCE) Vulnerability CVE-2022-26134 (https://blog.qualys.com/qualys-insights/2022/06/29/atlassian-confluence-ognl-injection-remote-code-execution-rce-vulnerability-cve-2022-26134)
- Trend Micro - Atlassian Confluence Vulnerability CVE-2022-26134 Abused For Cryptocurrency Mining & Other Malware (https://www.trendmicro.com/en_us/research/22/i/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware.html)
- Sysdig Blog - Detecting and mitigating CVE-2022-26134: Zero day at Atlassian (https://sysdig.com/blog/cve-2022-26134-atlassian-confluence/)
Rescana is here for you
At Rescana, we understand the critical importance of protecting your organization from emerging threats. Our Continuous Threat and Exposure Management (CTEM) platform helps you stay ahead of vulnerabilities like CVE-2022-26134 by providing real-time monitoring, threat intelligence, and automated remediation. If you have any questions about this report or any other issue, please contact us at ops@rescana.com. We are here to help you safeguard your digital assets and ensure your organization's security.