AARNet SOC Detection and Monitoring of CVE-2022-26134
At 06:00 AEST (05:30 ACST / 04:00 AWST) 2022-06-03, Atlassian released a security advisory affecting their products Confluence Server and Confluence Data Centre. Reported under CVE-2022-26134, this vulnerability allows for unauthenticated remote-code execution.
In affected versions of Confluence Server and Data Centre, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Centre instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1.
Exploitation of the vulnerability does appear in standard Confluence logs (/opt/atlassian/confluence/logs/conf_access_log.<yyyy-mm-dd>.log) and should appear similar the following example:
AARNet SOC Identified attempted exploits of the vulnerability to install:
Additionally, AARNet Soc noted a slight increase in vulnerability scanning equipment testing for exploitability of infrastructure from 2022-06-07 onwards. However, post-security fix, there has been a decline in exploit attempts to AARNet SOC customers.
Prior to Atlassian releasing a security patch for affected versions, the original reporters of the vulnerability withheld releasing a proof-of-concept. Once a security patch for affected versions was announced on 2022-06-05, the following day saw a drastic increase in exploitation attempts coinciding with the release of the POC. The POC, complemented by additional research and IOCs from third-party vendors, fed into security appliances for detection capabilities.
The following chart plots Palo Alto Firewall alerts for AARNet SOC relating to Threat ID 92632 (CVE-2022-26134).
AARNet SOC is continuing its investigation of this vulnerability. Attempted exploits of this vulnerability are being analysed, with indicators-of-compromise tracked via an internal critically-tagged MISP event. Any log ingested into AARNet SOC with an IOC identified belonging to a critically-tagged MISP event will be alerted against in our internal SOAR for additional investigations.
AARNet SOC will undertake a retrospective investigation of this vulnerability to determine if there is historical evidence of exploitation of any customer.
The AARNET SOC has been actively gathering and curating intelligence from within customer environments to share with our partners. This information can be found within the AHECS MISP instance.