Technical Forum
Ask questions. Discover Answers.

iRule to mitigate CVE-2022-26134 (Confluence)

Daniel_Wolf
Nacreous

On June 2, 2022, Atlassian published a security advisory for CVE-2022-26134, a critical unauthenticated remote code execution vulnerability in Confluence. There is a patch available from Atlassian, or the recommendation to disconnect vulnerable systems from the internet. As far as I can see so far, there is no Threat Campaigns Signature or Attack Signature to mitigate this attack.

A bit of analysis: Parts of the POC code and example curl command snippets look like the following examples (after URL decoding).

[Screenshot: CVE-2022-26134_1.png]

In the POC code and example curl command snippets, attackers are creating and using an HTTP header to return the response.

Example response header for whoami command:

X-Cmd-Response: confluence

Looking at another part of the POC code and example curl command snippets, this is achieved by using setHeader.

@getResponse().setHeader("X-Cmd-Response"

A full curl example would look like this (note: special characters are URL encoded):

[Screenshot: CVE-2022-26134_2.png]

This linked iRule should help to fend off the first wave of script kiddies.


PS: It seems that part of the POC code and parts of my iRule are offending the DevCentral platform. Therefore I put screenshots and GitHub links rather than inline code.
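As an added illustration (not the author's linked iRule, and not F5-supplied code), here is a minimal iRule that acts on the two indicators described in the post: the decoded request URI containing the setHeader call, and the X-Cmd-Response header showing up in a response. It assumes a standard HTTP virtual server; the double-decode loop and the log wording are my own choices.

```tcl
# Added example: block requests whose URL-decoded URI carries the
# setHeader("X-Cmd-Response") pattern quoted in the post, and strip
# that header if it ever appears in a response.
when HTTP_REQUEST {
    # Observed payloads were URL encoded; decode twice so a
    # double-encoded request cannot slip past a single decode pass.
    set decoded [HTTP::uri]
    for { set i 0 } { $i < 2 } { incr i } {
        set decoded [URI::decode $decoded]
    }
    set decoded [string tolower $decoded]

    # Slightly broader than the exact POC string: any OGNL-style
    # setHeader call on the response object is suspicious in a URI.
    if { $decoded contains "getresponse().setheader(" } {
        log local0. "CVE-2022-26134 pattern from [IP::client_addr] for [HTTP::host][HTTP::uri]"
        HTTP::respond 403 content "Forbidden" Connection close
        return
    }
}

when HTTP_RESPONSE {
    # If the server still answers with the attacker-chosen header, the
    # request got through: log it for incident response and drop the header.
    if { [HTTP::header exists "X-Cmd-Response"] } {
        log local0. "X-Cmd-Response header seen in response from [IP::server_addr]"
        HTTP::header remove "X-Cmd-Response"
    }
}
```

The HTTP_RESPONSE branch does not prevent exploitation; it is a detection signal that the request-side check was bypassed, so those log lines deserve follow-up.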

1 REPLY

Daniel_Wolf
Nacreous

It seems a knowledge base article has meanwhile been published.

K01204888: Mitigate the Atlassian Confluence vulnerability with the BIG-IP system

In case you have ASM or AWAF and you have enforced the signatures mentioned in K01204888, you are protected. In case you don't have ASM or AWAF, my iRule might still help.