⚠ Actively exploited in ransomware campaigns
This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Immediately block all internet traffic to and from affected products AND apply the update per vendor instructions [https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html] OR remove the affected products by the due date on the right. Note: Once the update is successfully deployed, agencies can reassess the internet blocking rules. Due date: 2022-06-06.

CVE-2022-26134: Expression Language Injection in Atlassian Confluence Data Center

Severity
9.8 CRITICAL (NVD)
EPSS
94.4%
top 0.02%
CISA KEV
KEV, Ransomware
Added 2022-06-02
Due 2022-06-06
Exploit
Exploited in wild
Active exploitation observed
Timeline
KEV added: Jun 2
Published: Jun 3
KEV due: Jun 6
Latest update: Jun 2

Description

In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (4 packages)

Source | Package | From | Before | Additional ranges
CVEListV5 | atlassian/confluence_data_center | next of 1.3.0 | unspecified | +13
NVD | atlassian/confluence_data_center | 1.3 | 7.4.17 | +6
CVEListV5 | atlassian/confluence_server | next of 1.3.0 | unspecified | +13
NVD | atlassian/confluence_server | 1.3 | 7.4.17 | +6

Patches

🔴Vulnerability Details (4)

GHSA: GHSA-653m-wpjp-54c4: In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to exec… (2022-06-04)
CVEList: CVE-2022-26134: In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to exec… (2022-06-03)
Project Zero: 2022 0-day In-the-Wild Exploitation…so far - Project Zero (2022-06-01)
VulnCheck: Atlassian Confluence Server and Data Center Remote Code Execution Vulnerability (2022)

💥Exploits & PoCs (2)

Exploit-DB: Confluence Data Center 7.18.0 - Remote Code Execution (RCE) (2022-06-10)
Nuclei: Confluence - Remote Code Execution

🔍Detection Rules (6)

Suricata: ET MALWARE ELF/Mirai Variant Activity (Outbound) (2022-06-09)
Suricata: ET MALWARE Kinsing Botnet Related Domain in DNS Lookup (dragon .lib) (2022-06-09)
Suricata: ET MALWARE Kinsing Botnet Related Domain in DNS Lookup (babaroga .lib) (2022-06-09)
Suricata: ET MALWARE Kinsing Botnet Related Domain in DNS Lookup (tempest .lib) (2022-06-09)
Suricata: ET MALWARE Kinsing Botnet Related Domain in DNS Lookup (blacknurse .lib) (2022-06-09)

📋Vendor Advisories (1)

CISA: Atlassian Confluence Server and Data Center Remote Code Execution Vulnerability (2022-06-02)

🕵️Threat Intelligence (24)

Trendmicro: Trend is a Launch Partner for Amazon Security Lake (2023-06-02)

💬Community (1)

Bugzilla: RCE on confluence.mozilla-community.org (CVE-2022-26134) (2022-06-03)
CVE-2022-26134 — Expression Language Injection | cvebase