Adversaries have been actively exploiting a critical Remote Code Execution vulnerability being tracked as CVE-2022-26134, impacting Atlassian Confluence Server and Data Center Products.

CRITICAL ATTACK ON ATLASSIAN CONFLUENCE

About CVE-2022-26134

The attack chain uses a command injection vulnerability to achieve unauthenticated Remote Code Execution on the server, allowing adversaries to deploy BEHINDER (a JSP web shell that lets them execute commands on the compromised server remotely).

These types of vulnerabilities are dangerous, as adversaries can execute commands and gain complete control of a vulnerable system without credentials as long as web requests can be made to the Confluence Server system.

Below is the list of IP addresses observed behind the initial attacks on Confluence servers.


Versions Affected and Fixed

Affected Versions
  • All supported versions of Confluence Server and Data Center are affected.
  • Confluence Server and Data Center versions after 7.3.0 are affected.

Fixed Versions
  • 7.4.17
  • 7.3.17
  • 7.14.3
  • 7.15.2
  • 7.16.4
  • 7.17.4

Tools to find CVE-2022-26134

  1. Nessus
    • Tenable has released a Nessus plugin that detects this critical vulnerability.

Exploitation

PoC credits: Jacob Baines

Mitigation

It is recommended to upgrade to the latest version. Atlassian users can download the latest version from the official page:

https://www.atlassian.com/software/confluence/download-archives

If you are unable to upgrade, there is a temporary workaround that mitigates the CVE by replacing specific files; the files to replace depend on the installed version of the product.

For Confluence 7.15.0 – 7.18.0

If you run Confluence in a cluster, you will need to repeat this process on each node. You don’t need to shut down the whole cluster to apply this mitigation. 

  1. Shut down Confluence.
  2. Download the following file to the Confluence server: xwork-1.0.3-atlassian-10.jar
  3. Delete the following JAR (or move it outside of the Confluence install directory):
     <confluence-install>/confluence/WEB-INF/lib/xwork-1.0.3-atlassian-8.jar
     ⚠️ Do not leave a copy of this old JAR in the directory.
  4. Copy the downloaded xwork-1.0.3-atlassian-10.jar into
     <confluence-install>/confluence/WEB-INF/lib/
  5. Check that the permissions and ownership of the new xwork-1.0.3-atlassian-10.jar file match the existing files in the same directory.
  6. Start Confluence.

Remember, if you run Confluence in a cluster, make sure you apply the above update on all of your nodes.

For Confluence 6.0.0 – Confluence 7.14.2

If you run Confluence in a cluster, you will need to repeat this process on each node. You don’t need to shut down the whole cluster to apply this mitigation. 

  1. Shut down Confluence.
  2. Download the following 3 files to the Confluence server: xwork-1.0.3-atlassian-10.jar, webwork-2.1.5-atlassian-4.jar and CachedConfigurationProvider.class
  3. Delete the following JARs (or move them outside of the Confluence install directory):
     <confluence-install>/confluence/WEB-INF/lib/xwork-1.0.3.6.jar
     <confluence-install>/confluence/WEB-INF/lib/webwork-2.1.5-atlassian-3.jar
     ⚠️ Do not leave a copy of the old JARs in the directory.
  4. Copy the downloaded xwork-1.0.3-atlassian-10.jar into
     <confluence-install>/confluence/WEB-INF/lib/
  5. Copy the downloaded webwork-2.1.5-atlassian-4.jar into
     <confluence-install>/confluence/WEB-INF/lib/
  6. Check that the permissions and ownership of both new files match the existing files in the same directory.
  7. Change to the directory <confluence-install>/confluence/WEB-INF/classes/com/atlassian/confluence/setup
     • Create a new directory called webwork
     • Copy CachedConfigurationProvider.class into
       <confluence-install>/confluence/WEB-INF/classes/com/atlassian/confluence/setup/webwork
     • Ensure the permissions and ownership are correct for:
       <confluence-install>/confluence/WEB-INF/classes/com/atlassian/confluence/setup/webwork
       <confluence-install>/confluence/WEB-INF/classes/com/atlassian/confluence/setup/webwork/CachedConfigurationProvider.class
  8. Start Confluence.

Remember, if you run Confluence in a cluster, make sure you apply the above update on all of your nodes.
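As an added example (not part of the advisory or Atlassian's own tooling), the following POSIX shell check verifies that the workaround above has been applied on a node, covering both version branches: it confirms the old JARs are gone, the replacement files are present, and their permissions and ownership match a neighbouring file. It assumes the install path and the installed Confluence version are passed as arguments and that paths contain no spaces.

```shell
#!/bin/sh
# Added check (not from the advisory): verify the CVE-2022-26134 JAR workaround
# on a Confluence install. Assumes $1 = <confluence-install> and $2 = the
# installed Confluence version (e.g. 7.14.2); paths are assumed to have no spaces.

# Return 0 when the version falls in the 6.0.0 - 7.14.2 branch (three-file fix).
legacy_branch() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    [ "$major" -lt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -lt 15 ]; }
}

# Mode, owner and group of a file, for comparing a new file with its neighbours.
perms() { ls -ld "$1" | awk '{print $1, $3, $4}'; }

# Return 0 when the workaround is complete; 1 when an old JAR remains or a new file is missing.
check_confluence_mitigation() {
    install="$1"; version="$2"; status=0
    lib="$install/confluence/WEB-INF/lib"
    setup="$install/confluence/WEB-INF/classes/com/atlassian/confluence/setup"

    # The old JARs named in the advisory must be gone from WEB-INF/lib on every branch.
    for old in xwork-1.0.3-atlassian-8.jar xwork-1.0.3.6.jar webwork-2.1.5-atlassian-3.jar; do
        [ -e "$lib/$old" ] && { echo "FAIL: vulnerable $old still present in $lib"; status=1; }
    done

    # Files the workaround adds: the new xwork JAR everywhere, plus the new webwork
    # JAR and CachedConfigurationProvider.class on the 6.0.0 - 7.14.2 branch.
    required="$lib/xwork-1.0.3-atlassian-10.jar"
    if legacy_branch "$version"; then
        required="$required $lib/webwork-2.1.5-atlassian-4.jar"
        required="$required $setup/webwork/CachedConfigurationProvider.class"
    fi
    for f in $required; do
        [ -f "$f" ] || { echo "FAIL: missing $f"; status=1; continue; }
        # "Check permissions and ownership" step: compare with a neighbouring file, if any.
        dir=$(dirname "$f")
        ref=$(ls "$dir" | grep -v "^$(basename "$f")\$" | head -n 1)
        if [ -n "$ref" ] && [ "$(perms "$f")" != "$(perms "$dir/$ref")" ]; then
            echo "WARN: $f permissions/ownership differ from $dir/$ref"
        fi
    done
    [ "$status" -eq 0 ] && echo "OK: workaround files in place for Confluence $version"
    return "$status"
}

# Usage: sh check_confluence_fix.sh /opt/atlassian/confluence 7.14.2
[ $# -eq 2 ] && check_confluence_mitigation "$1" "$2"
```

Run it on every cluster node after applying the steps; a non-zero exit means the node still needs attention.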