iRule to mitigate CVE-2022-26134 (Confluence)

Daniel_Wolf · ‎04-Jun-2022

On June 2, 2022, Atlassian published a security advisory for CVE-2022-26134, a critical unauthenticated remote code execution vulnerability in Confluence. There is a patch available from Atlassian or the recommendation to disconnect vulnerable system from the internet. As far as I can see till now, there is no Threat Campaigns Signature or Attack Signature to mitigate this attack.

A bit of analysis: Parts of the POC code and example curl command snippets looks like the following examples (after URL-decoding).

In POC code and example curl command snippets attackers are creating and using an HTTP Header to return the respone.

Example response header for whoami command:

X-Cmd-Response: confluence

Looking at another part of the POC code and example curl command snippets, this is achieved by using setHeader.

@getResponse().setHeader("X-Cmd-Response"

A full curl example would look like this (note: special characters are URL encoded):

This linked iRule should help to fend off the first wave of script kiddies.

PS. I seems that part of the POC code and parts of my iRule are offending the devcentral platform. Therefore I put screenshots and Github links rather than inline code.

Daniel_Wolf · ‎04-Jun-2022

Seems meanwhile a knowledgebase article has been published.

K01204888: Mitigate the Atlassian Confluence vulnerability with the BIG-IP system

In case you have ASM or AWAF and you have enforced the signatures mentioned in K01204888, you are protected. In case you don't have ASM or AWAF my iRule might still help.

DevCentral

iRule to mitigate CVE-2022-26134 (Confluence)

Khoros Kudos Award 2022