Atlassian Released Patch for Confluence Zero-day Vulnerability

Atlassian has finally released the fix for an unauthenticated remote code execution vulnerability dubbed CVE-2022-26134, which was discovered by the cyber security firm, Volexity.

The bug was first discovered on May 30 and Volexity reported the issue to the Atlassian security team on May 31. On June 2nd, Volexity publicly disclosed the bug as they noted that they found the vulnerability was exploited by the malicious attacker. 

Workarounds and Patch Released

Atlassian noted that security patches for supported versions of Confluence will begin to be available for customer download within 24 hours, but in the meantime, Atlassian has published a temporary workaround. Users can mitigate the CVE-2022-26134 vulnerability by updating the following files dependent on the Confluence version.

Mitigation For Confluence 7.15.0 - 7.18.0

If you run Confluence in a cluster, you will need to repeat this process on each node. You don't need to shut down the whole cluster. 

1. Shut down Confluence.
2. Download the following 1 file to the Confluence server: xwork-1.0.3-atlassian-10.jar
3. Delete (or move the following JAR outside of the Confluence install directory):
<confluence-install>/confluence/WEB-INF/lib/xwork-1.0.3-atlassian-8.jar
4. Copy the downloaded xwork-1.0.3-atlassian-10.jar into <confluence-install>/confluence/WEB-INF/lib/
5. check the permissions and ownership on the new xwork-1.0.3-atlassian-10.jar file that matches the existing files in the same directory.
6. Now Start Confluence.

An important point to remember, If you run Confluence in a cluster, make sure you apply the above update on all of your nodes.

Do not leave a copy of the old JARs in the directory.

Mitigation For Confluence 7.0.0 - Confluence 7.14.2

If you run Confluence in a cluster, you will need to repeat this process on each node. You don't need to shut down the whole cluster. 

1. Shut down Confluence.
2. Download the following 3 files to the Confluence server:
• xwork-1.0.3-atlassian-10.jar
• webwork-2.1.5-atlassian-4.jar
• CachedConfigurationProvider.class
3. Delete (or move the following JARs outside of the Confluence install directory):
<confluence-install>/confluence/WEB-INF/lib/xwork-1.0.3.6.jar
<confluence-install>/confluence/WEB-INF/lib/webwork-2.1.5-atlassian-3.jar
4. Copy the downloaded xwork-1.0.3-atlassian-10.jar into <confluence-install>/confluence/WEB-INF/lib/
5. Copy the downloaded webwork-2.1.5-atlassian-4.jar into <confluence-install>/confluence/WEB-INF/lib/
6. Check the permissions and ownership on both new files matches the existing files in the same directory.
7. Change to directory <confluence-install>/confluence/WEB-INF/classes/com/atlassian/confluence/setup
• Create a new directory called webwork
• Copy CachedConfigurationProvider.class into <confluence-install>/confluence/WEB-INF/classes/com/atlassian/confluence/setup/webwork
• Ensure the permissions and ownership are correct for:
• <confluence-install>/confluence/WEB-INF/classes/com/atlassian/confluence/setup/webwork
• <confluence-install>/confluence/WEB-INF/classes/com/atlassian/confluence/setup/webwork/CachedCon
8. Start Confluence.

Confluence End of Life versions are not fully tested with the workaround, while it may be possible to make use of the replacement jars in versions older than 7.0.0 doing so is untested and may cause issues.

Initially,  Atlassian confirmed that all Confluence Server and Data Center supported versions are affected. Furthermore, Atlassian advises that until a fix is available, customers not expose Confluence directly to the internet or disable it entirely.

CVE-2022-26134 was an  OGNL injection vulnerability

The researcher from the Rapid7 team analyzes the patch and found that it's an OGNL injection vulnerability affecting Atlassian Confluence Server and Data Center versions <= 7.13.6 LTS and <= 7.18.0 "Latest". the vulnerability is already been exploited in the wild. 

Rapid7 team has nicely described the CVE-2022-26134 zero-day, and the team had also disclosed the exploit code for the vulnerability. According to the Rapid7 team, the root cause of the bug was the OGNL injection starting from HttpServlet.service to OgnlValueStack.findValue and beyond. The vulnerability was very similar to CVE-2018-11176, the Apache Struts2 namespace OGNL injection vulnerability.

You can read the Rapid7 blog for the root cause and technical details of the bug. Also an POC exploit code is also available on GitHub.