
Remote code execution via OGNL injection in Confluence Server & Data Center - CVE-2022-26134

    • Score: 10
    • Severity: Critical
    • CVE: CVE-2022-26134

      In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.
       
      The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1.
       
      For more information, see https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
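The version ranges in the description can be checked mechanically rather than by eye. The Python below is an added example, not Atlassian's code and not part of the original issue: it transcribes the seven affected ranges exactly as listed above and classifies a version string as affected, fixed on that branch, or not covered by the listed ranges. The parsing rules and the result labels are this example's own assumptions.

```python
"""Classify a Confluence Server / Data Center version against the affected
ranges quoted in the issue description for CVE-2022-26134.

Added example (not Atlassian code). The ranges below are transcribed from
the description; everything else (parsing rules, result labels) is this
example's own assumption."""
from __future__ import annotations

import re

# Each pair is (first affected, first fixed): affected means start <= v < fixed.
AFFECTED_RANGES: list[tuple[str, str]] = [
    ("1.3.0", "7.4.17"),
    ("7.13.0", "7.13.7"),
    ("7.14.0", "7.14.3"),
    ("7.15.0", "7.15.2"),
    ("7.16.0", "7.16.4"),
    ("7.17.0", "7.17.4"),
    ("7.18.0", "7.18.1"),
]


def parse_version(text: str) -> tuple[int, ...]:
    """'7.13.7', ' v7.13' or '7.13.7-rc1' -> (7, 13, 7) / (7, 13, 0).

    Only the leading dotted-integer run is used; missing components are
    padded with 0 so that '7.13' compares equal to '7.13.0'."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the version falls inside any listed [start, fixed) range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)


def classify(version: str) -> str:
    """'affected', 'fixed' (at or past the fixed release on the same
    major.minor branch) or 'not listed' (the description's ranges say
    nothing about it, e.g. 7.5.x to 7.12.x; check the advisory)."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        lo_t, hi_t = parse_version(lo), parse_version(hi)
        if lo_t <= v < hi_t:
            return "affected"
        if v[:2] == hi_t[:2] and v >= hi_t:
            return "fixed"
    return "not listed"


if __name__ == "__main__":
    # Versions mentioned in the issue thread plus two of the fixed releases.
    for ver in ["3.1", "5.5.6", "6.15.9", "7.13.2", "7.13.7", "7.18.1", "7.5.0"]:
        print(f"{ver:>8}: {classify(ver)}")
```

The classifier deliberately reports anything outside the listed ranges (a 7.5.x to 7.12.x release, for instance, which the description does not enumerate) as "not listed" rather than as safe; the linked advisory is the authority for those.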


            ihor.zozuliak added a comment - edited

            Hello there
            I had tried a workaround on one of our lower environments and found some inconsistency in Confluence Usage statistics
            Before:
            Total Space: 157
            Site Spaces: 124
            Personal Spaces: 33
            Content (All Versions): 736270
            Content (Current Versions): 354470
            Local Users: 4104
            Local Groups: 85

            After:
            Total Space: 157
            Site Spaces: 124
            Personal Spaces: 33
            Content (All Versions): 736353
            Content (Current Versions): 354527
            Local Users: 1994
            Local Groups: 74

            I am aware of the content numbers, but my team has concerns about Local Users/Groups. Could someone explain why the numbers changed?

            Thanks in advance


            Heiko Nardmann added a comment -

            Hi,

            we have an old system with 3.1 internally. How do we disable that OGNL functionality?

            Reitner Holger - U911364 added a comment -

            Is this also an issue if the service is stopped?

            Nagarjun added a comment -

            Hi,

            we are on 5.5.6 under EOL support, but we can't do an immediate upgrade. Please advise; I was unable to find the patch file for this version.


            Thanks in advance!

            Rupa Jakkula added a comment -

            We are on Confluence 6.15.9 and I do not see a mitigation plan for this version in the link below. Is there a mitigation plan that we can apply as a temporary fix while we work on the upgrade timeline?

            https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html

            Müller, Stephan added a comment -

            Additional note: One important little detail was the idea that the whole attack string might be URL-encoded. Paranoia mode: on -> what if certain parts are URL-encoded multiple times? Just decode multiple times until decoding doesn't change the result. I might be overcomplicating things here.

            PS: I hope it's OK to use this ticket to share this
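As an added example of the decode-until-stable idea in the comment above (this is not code from the issue or from Atlassian), the Python below URL-decodes a request target repeatedly until a round changes nothing, bounded by a round cap, and then looks for the `${` expression opener. The marker, the cap and the sample request targets are all this example's assumptions, constructed for illustration.

```python
"""Decode a request target until URL-decoding no longer changes it, then
check for an expression-language opener.

Added example illustrating the comment above; not code from the issue or
from Atlassian. MARKER, MAX_ROUNDS and SAMPLES are assumptions made for
the illustration."""
from __future__ import annotations

from urllib.parse import unquote

# Assumption: no legitimate client nests percent-encoding this deeply, so
# hitting the cap is itself worth flagging, and it bounds the work per request.
MAX_ROUNDS = 5

# Assumption: '${' is used as the opener of an OGNL-style expression. A real
# rule set would be tuned against the vendor's guidance and your own traffic.
MARKER = "${"


def decode_to_fixpoint(s: str, max_rounds: int = MAX_ROUNDS) -> tuple[str, int]:
    """Return (decoded string, rounds applied).

    Stops as soon as a round changes nothing, or when max_rounds is reached,
    in which case the returned string may still contain escapes."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(s)  # one layer of %XX decoding; '+' is left alone
        if decoded == s:
            break
        s = decoded
        rounds += 1
    return s, rounds


def looks_like_ognl(raw_target: str) -> tuple[bool, int]:
    """(marker found after full decoding, rounds needed to expose it)."""
    decoded, rounds = decode_to_fixpoint(raw_target)
    return MARKER in decoded, rounds


# Constructed request targets, not captured traffic: the same path encoded
# zero, one, two and three times.
SAMPLES = {
    "plain":  "/pages/viewpage.action?pageId=123",
    "single": "/%24%7Bexpr%7D/",
    "double": "/%2524%257Bexpr%257D/",
    "triple": "/%252524%25257Bexpr%25257D/",
}

if __name__ == "__main__":
    for name, target in SAMPLES.items():
        hit, rounds = looks_like_ognl(target)
        print(f"{name:>6}: flagged={hit} after {rounds} decode round(s)")
```

The cap matters for two reasons: an input nested deeper than any real client would produce is itself a signal, and without it a pathological string keeps the loop busy. The trade-off is over-decoding: a legitimate value that literally contains `%25` is decoded one layer further than the application would decode it, so a rule built this way should be validated against real traffic before it blocks anything.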

            Müller, Stephan added a comment -

            Hi @Jasmine Möller,

            just wanted to chime in and thank you for the summary. That's fortunately what we do. One of the steps most important to me seems to be "you should set up Confluence from scratch", under the rule that in today's world you need to assume that you've been attacked, as you've pointed out. Also a good time to test your recovery procedures.

            Also thanks to @James Ponting for the additional links.

            James Ponting added a comment -

            Hi All,

            Just answering a couple of questions here.

            Please note, we would recommend contacting the support team if you have additional questions and need help. You can contact the support team via https://support.atlassian.com.

            b468e9c76dba - Please open a ticket with the support team at https://support.atlassian.com. They'll be able to help you look into this.

            42d6f7a41b3c, 4f4ca2e6953c, 9391d98fa0eb - All of the versions you've listed are affected. The mitigation provided mitigates this CVE only. There are additional vulnerabilities addressed by this release that mean you should upgrade immediately, regardless of having the mitigation. The intent of the mitigation was to provide protection in the shortest of terms whilst an upgrade was immediately undertaken. To be clear: Upgrade now.

            8bc0d335ad08, 7778d392dc14 - Thanks for letting us know. We're aware of the issue and are tracking it at CONFSERVER-79041: Internal users new and existing are unable to reset or set their password via email notification. Please take a moment to review the issue over there.

            dfba70e31875 - The response by eae43f3df324 is on point. Unfortunately I can't provide comment beyond this due to the security impacting nature of this issue. That said, an avid reader may find the following interesting https://www.splunk.com/en_us/blog/security/atlassian-confluence-vulnerability-cve-2022-26134.html.

            Thanks,
            James Ponting
            Engineering Manager - Confluence Data Center


            Andrea Hockerts added a comment -

            We got the same error: forgot password is not working.

            Version 7.13.7

            Yogomaya Maharana added a comment -

            Hi!

            We upgraded to the latest LTS (7.13.7) and the Forgot Password feature is not working. It gives an error with insufficient privileges. We compared the code to the previous version 7.13.2 and we do see that some permissions-check code has been added to the Forgot Password (alterpassword) method. Could you please provide a fix for this?

              Assignee: Unassigned
              Reporter: Security Metrics Bot