Forum Discussion

Jun 04, 2022

iRule to mitigate CVE-2022-26134 (Confluence)

On June 2, 2022, Atlassian published a security advisory for CVE-2022-26134, a critical unauthenticated remote code execution vulnerability in Confluence. There is a patch available from Atlassian, or the recommendation to disconnect vulnerable systems from the internet. As far as I can see so far, there is no Threat Campaigns signature or Attack Signature to mitigate this attack.

A bit of analysis: parts of the POC code and example curl command snippets look like the following examples (after URL-decoding).

In the POC code and example curl command snippets, attackers are creating and using an HTTP header to return the response.

Example response header for whoami command:

X-Cmd-Response: confluence

Looking at another part of the POC code and example curl command snippets, this is achieved by using setHeader.

@getResponse().setHeader("X-Cmd-Response"

A full curl example would look like this (note: special characters are URL encoded):

This linked iRule should help to fend off the first wave of script kiddies.


PS: It seems that parts of the POC code and parts of my iRule are offending the DevCentral platform. Therefore I put screenshots and GitHub links rather than inline code.
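As an added example (not the author's iRule and not the POC code), the following Python script applies the two indicators quoted in the post to constructed access-log lines: it URL-decodes each request URI, including double-encoded ones, and flags requests that contain the `getResponse().setHeader("X-Cmd-Response"` fragment, plus a helper that flags a response carrying that header. The log lines, the hypothetical function names and the decoding depth are my own assumptions.

```python
import re
from urllib.parse import unquote

# Indicators taken from the POC fragments quoted in the post: the OGNL call that
# writes command output into a response header, and the header name itself.
REQUEST_PATTERN = re.compile(
    r"getResponse\(\)\s*\.\s*setHeader\(\s*['\"]X-Cmd-Response['\"]", re.IGNORECASE
)
RESPONSE_HEADER = "x-cmd-response"


def decode_uri(uri: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (up to `rounds` times) so double-encoded
    requests are normalised before matching; stop once nothing changes."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def request_is_suspicious(uri: str) -> bool:
    """True if the decoded URI contains the setHeader("X-Cmd-Response") fragment."""
    return REQUEST_PATTERN.search(decode_uri(uri)) is not None


def response_is_suspicious(headers: dict) -> bool:
    """True if a response carries the X-Cmd-Response header (case-insensitive)."""
    return any(name.lower() == RESPONSE_HEADER for name in headers)


# Constructed sample access-log lines (not real traffic). The second is
# single-encoded, the third double-encoded (%25 -> %).
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Jun/2022:10:00:01 +0000] "GET /login.action HTTP/1.1" 200',
    '10.0.0.9 - - [04/Jun/2022:10:00:02 +0000] "GET /%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22/ HTTP/1.1" 302',
    '10.0.0.12 - - [04/Jun/2022:10:00:03 +0000] "GET /%2540getResponse%2528%2529.setHeader%2528%2522X-Cmd-Response%2522/ HTTP/1.1" 302',
]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def scan_log(lines):
    """Return (client, decoded_uri) for every request line that matches the indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        client, _method, uri, _status = m.groups()
        if request_is_suspicious(uri):
            hits.append((client, decode_uri(uri)))
    return hits


if __name__ == "__main__":
    for client, uri in scan_log(SAMPLE_LOG):
        print(f"suspicious request from {client}: {uri}")
```

The same normalise-then-match step is what an iRule needs before inspecting `[HTTP::uri]`, otherwise a double-encoded request slips past a plain string match.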