CONFSERVER-79016

Remote code execution via OGNL injection in Confluence Server & Data Center - CVE-2022-26134

    • CVSS score: 10
    • Severity: Critical
    • CVE ID: CVE-2022-26134

      In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.
       
      The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1.
       
      For more information, see https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html


            ihor.zozuliak added a comment - - edited

            Hello there,
            I tried the workaround on one of our lower environments and found some inconsistency in the Confluence usage statistics.
            Before:
            Total Space: 157
            Site Spaces: 124
            Personal Spaces: 33
            Content (All Versions): 736270
            Content (Current Versions): 354470
            Local Users: 4104
            Local Groups: 85

            After:
            Total Space: 157
            Site Spaces: 124
            Personal Spaces: 33
            Content (All Versions): 736353
            Content (Current Versions): 354527
            Local Users: 1994
            Local Groups: 74

            I am aware of the content numbers, but my team has concerns about Local Users/Groups. Could someone explain why the numbers changed?

            Thanks in advance


            Heiko Nardmann added a comment -

            Hi,

            we have an old system with 3.1 internally. How do we disable that OGNL functionality?

            Reitner Holger - U911364 added a comment -

            Is this also an issue if the service is stopped?

            Nagarjun added a comment -

            Hi,

            we are on 5.5.6 under EOL support, but we can't upgrade immediately. Please advise; I was unable to find the patch file for this version.

            Thanks in advance!

            Rupa Jakkula added a comment -

            We are on Confluence 6.15.9 and I do not see a mitigation plan for this version in the link below. Is there a mitigation plan that we can apply as a temporary fix while we work on an upgrade timeline?

            https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html

            Müller, Stephan added a comment -

            Additional note: one important little detail was the idea that the whole attack string might be URL-encoded. Paranoia mode on: what if certain parts are URL-encoded multiple times? Just decode repeatedly until decoding no longer changes the result. I might be overcomplicating things here.

            PS: I hope it's OK to use this ticket to share this.

            Müller, Stephan added a comment -

            Hi @Jasmine Möller,

            just wanted to chime in and thank you for the summary. That's fortunately what we do. One of the steps most important to me seems to be "you should set up Confluence from scratch", under the rule that in today's world you need to assume that you've been attacked, as you've pointed out. Also a good time to test your recovery procedures.

            Also thanks to @James Ponting for the additional links.

            James Ponting added a comment -

            Hi All,

            Just answering a couple of questions here.

            Please note, we would recommend contacting the support team if you have additional questions and need help. You can contact the support team via https://support.atlassian.com.

            b468e9c76dba - Please open a ticket with the support team at https://support.atlassian.com. They'll be able to help you look into this.

            42d6f7a41b3c, 4f4ca2e6953c, 9391d98fa0eb - All of the versions you've listed are affected. The mitigation provided mitigates this CVE only. There are additional vulnerabilities addressed by this release that mean you should upgrade immediately, regardless of having the mitigation. The intent of the mitigation was to provide protection in the shortest of terms whilst an upgrade was immediately undertaken. To be clear: Upgrade now.

            8bc0d335ad08, 7778d392dc14 - Thanks for letting us know. We're aware of the issue and are tracking it at CONFSERVER-79041: Internal users new and existing are unable to reset or set their password via email notification. Please take a moment to review the issue over there.

            dfba70e31875 - The response by eae43f3df324 is on point. Unfortunately I can't provide comment beyond this due to the security impacting nature of this issue. That said, an avid reader may find the following interesting: https://www.splunk.com/en_us/blog/security/atlassian-confluence-vulnerability-cve-2022-26134.html.

            Thanks,
            James Ponting
            Engineering Manager - Confluence Data Center

            Andrea Hockerts added a comment -

            We got the same error, forgot password is not working.

            Version 7.13.7

            Yogomaya Maharana added a comment -

            Hi!

            We upgraded to the latest LTS (7.13.7) and the Forgot Password feature is not working. It gives an error with insufficient privileges. We compared the code to the previous version 7.13.2 and we do see that some permission-check code has been added to the Forgot Password (alterpassword) method. Could you please provide a fix for the same?

            Jasmine Möller added a comment -

            @Stephan Mueller Given that this allows basically arbitrary RCE, I think it's hard to reliably check the affected systems. Our strategy was/is basically the same as yours, under the assumption that it is not possible to gain more rights than the user that is running Confluence already has. This also means that if you have been running Confluence as root/admin (which you shouldn't do in the first place), assume you ARE screwed, since there is no reliable way to find out, given that the attacker has full access, nor to partially clean the system.

            It would still be nice if Atlassian could enhance the CVE with more background information.

            • From my understanding, the attack vector was sending OGNL requests to the Confluence instance, so it should be sufficient to scan for these or block them.
              We do run Confluence behind a proxy running under a different account (good practice anyway, IMHO), so we just checked the proxy logs for OGNL requests (requests containing ${, or its URL-encoded form). We implemented a poor man's WAF immediately and all those requests were blocked, and there weren't any before this became an issue.
              If you use Confluence without a proxy, or the proxy could be bypassed internally, I wouldn't trust the application container logs though: given the high number of attacks, the only safe assumption is that you have been infected.
            • If any of those requests were successful, you can try to figure out what the payload was. However, I would assume you are already infected in some way and you should set up Confluence from scratch. You also have to assume that the attacker could gain access to potentially sensitive information by carefully crafting those requests (i.e. a GDPR breach if you are really unlucky).
            • Since none of those requests got through for us, we checked for processes running under the confluence user id (in case an independent backdoor has been planted). We also ran a standard rootkit check just to feel safer.
            • Also, apparently, a long string of (successful) POST requests in the respective webserver logs would likely indicate that someone uploaded or tried to upload malware/install a backdoor.
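The two log heuristics raised in this thread, Jasmine Möller's "look for `${` in the request, including URL-encoded forms" and Stephan Müller's "decode repeatedly until the result stops changing", as one added example. This is editor-written code, not from the ticket, from Atlassian or from any of the commenters; the access-log lines, client addresses and paths are constructed for illustration, and the run-of-POSTs threshold is an assumption.

```python
"""Scan web-server access logs for OGNL-style payloads aimed at Confluence.

Added example (not from the original ticket or from Atlassian). It implements
the heuristics from the comments above: find "${" in the request line at any
URL-encoding depth, decoding until the text stops changing, and flag clients
that sent a long run of successful POSTs. All log lines below are constructed.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Cap the decode loop: a hostile string can be encoded arbitrarily deep, and
# the loop must terminate even if some input never reaches a fixpoint.
MAX_DECODE_ROUNDS = 8

# Combined log format: client, ts, "METHOD path HTTP/x", status (assumed layout)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3})'
)


def fully_decode(s: str) -> str:
    """URL-decode until the result is stable (or the round cap is hit)."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def is_ognl_suspect(path: str) -> bool:
    """True if the request path contains "${" after full decoding."""
    return "${" in fully_decode(path)


def parse_line(line: str):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(lines, post_threshold: int = 5):
    """Return (suspect request lines, client IPs with >= threshold successful POSTs)."""
    suspects = []
    post_ok = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not an access-log line; skip rather than crash on noise
        if is_ognl_suspect(rec["path"]):
            suspects.append(line)
        if rec["method"] == "POST" and rec["status"].startswith("2"):
            post_ok[rec["ip"]] += 1
    chatty = sorted(ip for ip, n in post_ok.items() if n >= post_threshold)
    return suspects, chatty


# Constructed sample: one benign GET, a single- and a double-encoded "${x}"
# placeholder in the path, and one client issuing six successful POSTs.
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Jun/2022:10:00:01 +0000] "GET /login.action HTTP/1.1" 200 1234',
    '198.51.100.7 - - [03/Jun/2022:10:00:02 +0000] "GET /%24%7Bx%7D/ HTTP/1.1" 302 0',
    '198.51.100.7 - - [03/Jun/2022:10:00:03 +0000] "GET /%2524%257Bx%257D/ HTTP/1.1" 302 0',
    '203.0.113.5 - - [03/Jun/2022:10:00:04 +0000] "GET /rest/api/content HTTP/1.1" 200 88',
] + [
    f'203.0.113.5 - - [03/Jun/2022:10:01:{i:02d} +0000] "POST /plugins/servlet/upload HTTP/1.1" 200 12'
    for i in range(6)
]

if __name__ == "__main__":
    found, noisy = scan(SAMPLE_LOG)
    for line in found:
        print("OGNL suspect:", line)
    for ip in noisy:
        print("many successful POSTs from:", ip)
```

Feed it the proxy's access log rather than Confluence's own logs, for the reason given in the comment above: the reverse proxy runs under a different account and its log is the one an attacker on the application host cannot easily edit. The `${` test is deliberately broad; tune it to your traffic before turning it into a block rule.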

            Müller, Stephan added a comment -

            I'm missing a writeup on how to detect potential breaches/attacks. Currently, we collected information from different sources to scan the logfiles, but an official statement on what to look for would be greatly appreciated.

            Derek MacDonald added a comment -

            Does this affect version 7.4.11? I can't determine from the documentation... please confirm yes or no.

            T.Lapenko added a comment -

            What about older Confluence versions? Will the mitigation also work for 6.13.23?

            Wael Abdel-Wadood added a comment -

            Will the mitigation work for v6.15.8 if I can't upgrade immediately?

            Jorge.guio added a comment -

            Hi all,

            I am facing a very strange problem since the last CVE update. I recently followed the documentation step by step to mitigate the CVE.

            https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html

            But when I restart the service I get the following error. I have verified permissions and owners, and they are set to the confluence user.

            Confluence on-premise version 7.4.7

            CachedConfigurationProvider.class

            drwxr-xr-x 2 confluence confluence 4.0K Jun  7 17:37 webwork

            /usr/local/confluence/confluence/WEB-INF/classes/com/atlassian/confluence/setup/webwork# ls -lah
            total 16K
            drwxr-xr-x 2 confluence confluence 4.0K Jun  7 17:37 .
            drwxr-xr-x 3 confluence confluence 4.0K Jun  7 17:37 ..
            -rw-r--r-- 1 confluence confluence 7.1K Jun  7 17:37 CachedConfigurationProvider.class

            JARs
            -rw-r--r-- 1 confluence confluence 167K Jun  7 17:35 xwork-1.0.3-atlassian-10.jar
            -rw-r--r-- 1 confluence confluence    2 Jun  7 17:35 webwork-2.1.5-atlassian-4.jar

            Thx in advance!
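The listing in the comment above shows webwork-2.1.5-atlassian-4.jar at 2 bytes, which no usable JAR can be, so a pre-restart check of the files the manual mitigation drops in is worth having. The following is an added, editor-written example and not Atlassian's tooling: it checks that each JAR is a real zip archive above a size floor and that the class file carries the Java class-file magic. The WEB-INF/lib location for the JARs, the size floor and the exact file set are assumptions taken from the listing; adjust them to the advisory steps for your version. The fixture tree built by `build_fixture` is constructed to reproduce the listing and is not real data.

```python
"""Sanity-check the files placed by the CVE-2022-26134 manual mitigation.

Added example, not from the original ticket or from Atlassian. The three
file names come from the listing in the comment above; WEB-INF/lib as the
JAR directory and the 1 KiB size floor are assumptions.
"""
import os
import tempfile
import zipfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"   # every Java .class file starts with this
MIN_JAR_BYTES = 1024                # assumption: any real JAR is far larger

JARS = ("xwork-1.0.3-atlassian-10.jar", "webwork-2.1.5-atlassian-4.jar")
CLASS_SUBDIR = ("classes", "com", "atlassian", "confluence", "setup", "webwork")
CLASS_FILE = "CachedConfigurationProvider.class"


def check_jar(path: str) -> list:
    """Return a list of problems with a JAR file (empty list means OK)."""
    if not os.path.isfile(path):
        return [f"{path}: missing"]
    problems = []
    size = os.path.getsize(path)
    if size < MIN_JAR_BYTES:
        problems.append(f"{path}: only {size} bytes, not a real JAR")
    if not zipfile.is_zipfile(path):
        problems.append(f"{path}: not a valid zip/JAR archive")
    else:
        with zipfile.ZipFile(path) as zf:
            bad = zf.testzip()          # CRC-checks every entry
            if bad is not None:
                problems.append(f"{path}: corrupt entry {bad}")
    return problems


def check_class(path: str) -> list:
    """Return problems with a .class file: must exist and start with CAFEBABE."""
    if not os.path.isfile(path):
        return [f"{path}: missing"]
    with open(path, "rb") as f:
        head = f.read(4)
    return [] if head == CLASS_MAGIC else [f"{path}: bad class-file header {head!r}"]


def check_mitigation(web_inf: str) -> list:
    """Check the JARs and the class file named in the listing under WEB-INF."""
    lib = os.path.join(web_inf, "lib")
    cls_dir = os.path.join(web_inf, *CLASS_SUBDIR)
    problems = []
    for jar in JARS:
        problems += check_jar(os.path.join(lib, jar))
    problems += check_class(os.path.join(cls_dir, CLASS_FILE))
    return problems


def build_fixture(root: str) -> str:
    """Constructed WEB-INF tree mirroring the listing: one good JAR, one 2-byte JAR, a valid class."""
    web_inf = os.path.join(root, "WEB-INF")
    lib = os.path.join(web_inf, "lib")
    cls_dir = os.path.join(web_inf, *CLASS_SUBDIR)
    os.makedirs(lib)
    os.makedirs(cls_dir)
    with zipfile.ZipFile(os.path.join(lib, JARS[0]), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("pad.bin", b"\0" * 4096)     # push it over the size floor
    with open(os.path.join(lib, JARS[1]), "wb") as f:
        f.write(b"PK")                            # the 2-byte file from the listing
    with open(os.path.join(cls_dir, CLASS_FILE), "wb") as f:
        f.write(CLASS_MAGIC + b"\x00\x00\x00\x34")  # magic + a plausible version
    return web_inf


def demo() -> list:
    """Run the check against the constructed fixture and return its findings."""
    with tempfile.TemporaryDirectory() as root:
        return check_mitigation(build_fixture(root))


if __name__ == "__main__":
    for problem in demo():
        print(problem)
```

Run `check_mitigation("/usr/local/confluence/confluence/WEB-INF")` (the path from the listing) before restarting; an empty result means the files at least look like what the advisory intended, which is separate from the advisory's own point that the mitigation covers this CVE only.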

            James Ponting added a comment -

            Hi All,

            e7f49d3e249d, 2b38919dab88 - Yes, both your listed versions are affected.

            Please upgrade to one of the listed fixed versions.

            Thanks,
            James Ponting
            Engineering Manager - Confluence Data Center

            Sebastian Sejzer added a comment -

            Hi. Is version 6.15.4 affected?

            ihor.zozuliak added a comment -

            Is Confluence v7.12.2 affected? I'm confused, as this version is listed in the duplicate CONFSERVER-79000 but not listed here.

            Vlado Nestorovski added a comment -

            Fast response and relatively easy fix.

            Keep up the good job!

            Ganesh Gautam added a comment -

            A fix for this issue is available in Confluence Server and Data Center 7.13.7.
            Upgrade now or check out the Release Notes to see what other issues are resolved.

            Mark Adams (Inactive) added a comment -

            This is an independent assessment and you should evaluate its applicability to your own IT environment.

            CVSS v3 score: 10.0 => Critical severity

            Exploitability Metrics

            Attack Vector: Network
            Attack Complexity: Low
            Privileges Required: None
            User Interaction: None

            Scope Metric

            Scope: Changed

            Impact Metrics

            Confidentiality: High
            Integrity: High
            Availability: High

              Assignee: Unassigned
              Reporter: Security Metrics Bot
              Votes: 0
              Watchers: 56