CVE-2022-26134 - Confluence RCE

Atlassian has been made aware of the current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server. The OGNL injection vulnerability allows an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance. **All** versions of Confluence Server and Data Center prior to the fixed versions listed above are affected by this vulnerability. Atlassian has released the following versions to address this issue: **Released versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, and 7.18.1 which contain a fix for this issue.** This playbook includes the following tasks: * Collect detection rules. * Exploitation patterns & IoCs hunting using PANW Next-Generation Firewalls and 3rd party SIEM products. * Cortex Xpanse policies coverage. * Provides Atlassian workarounds and patched versions. **More information:** [Threat Brief: Atlassian Confluence Remote Code Execution Vulnerability (CVE-2022-26134) ](https://unit42.paloaltonetworks.com/cve-2022-26134-atlassian-code-execution-vulnerability/) [Confluence Security Advisory 2022-06-02](https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html) **Note:** This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

CVE-2022-26134 - Confluence RCE · 51 tasks · 7 inputs · 0 outputs

Inputs

  • SplunkEarliestTime — Splunk search earliest time.
  • SplunkLatestTime — Splunk search latest time.
  • SplunkIndex — The Splunk index field to search in. Default is "*"
  • EDLDomainBlocklist — The EDL domain blocklist name.
  • BlockIndicatorsAutomatically — Whether to block the indicators automatically or not.
  • QRadarTimeRange — The time range for QRadar query.
  • ElasticIndex — Elastic's index name in which to search.

Commands used

associateIndicatorsToIncident closeInvestigation createNewIndicator expanse-get-issues extractIndicators search splunk-search

Flowchart

true false true true false true true true true false true Start Start Collect Indicators Collect Indicators Extract Indicators Extract Indicators Extract Indicators From Data Collected - extractIndicators Extract Indicators From D... extractIndicators Tag and Link Indicators Tag and Link Indicators Link Indicators To Incident - associateIndicatorsToIncident Link Indicators To Incident associateIndicatorsToIncident Tag IP indicators - createNewIndicator Tag IP indicators createNewIndicator Tag CVE indicators - createNewIndicator Tag CVE indicators createNewIndicator Download Yara Rules - http Download Yara Rules http Download Sigma Rules - http Download Sigma Rules http Collect Detection Rules Collect Detection Rules Collect indicators from Volexity - ParseHTMLIndicators Collect indicators from V... ParseHTMLIndicators Collect indicators from PicusSecurity - ParseHTMLIndicators Collect indicators from P... ParseHTMLIndicators Tag File indicators - createNewIndicator Tag File indicators createNewIndicator SIEM Advanced Hunting SIEM Advanced Hunting Is Splunk Enabled? - IsIntegrationAvailable Is Splunk Enabled? IsIntegrationAvailable Is QRadar Enabled? Is QRadar Enabled? Splunk search for suspicious Java child process - splunk-search Splunk search for suspici... splunk-search QRadar search for suspicious Java child process - QRadarFullSearch QRadar search for suspici... QRadarFullSearch Elastic search for suspicious Java child process - search Elastic search for suspic... search Is Elastic Enabled? - IsIntegrationAvailable Is Elastic Enabled? IsIntegrationAvailable Splunk Indicator Hunting - Splunk Indicator Hunting Splunk Indicator Hunting Splunk Indicator Hunting QRadar Indicator Hunting V2 - QRadar Indicator Hunting V2 QRadar Indicator Hunting V2 QRadar Indicator Hunting V2 Threat Hunting Threat Hunting Palo Alto Networks Hunting Palo Alto Networks Hunting Palo Alto Networks - Hunting And Threat Detection - Palo Alto Networks - Hunting And Threat Detection Palo Alto Networks - Hunt... Palo Alto Networks - Hunting ... Panorama Query Logs - Panorama Query Logs Panorama Query Logs Panorama Query Logs Xpanse Xpanse Is Xpanse enabled? Is Xpanse enabled? Search for possible vulnerable servers using Xpanse - expanse-get-issues Search for possible vulne... expanse-get-issues Review possible vulnerable servers Review possible vulnerabl... Found servers using Xpanse? Found servers using Xpanse? Remediation Remediation Block Indicators - Generic v2 - Block Indicators - Generic v2 Block Indicators - Generi... Block Indicators - Generic v2 Block indicators automatically? Block indicators automati... Block indicators manually Block indicators manually PAN-OS - Block Domain - External Dynamic List - PAN-OS - Block Domain - External Dynamic List PAN-OS - Block Domain - E... PAN-OS - Block Domain - Exter... Mitigation Mitigation Install Confluence patched versions Install Confluence patche... Recommended workaround for Confluence 7.15.0-7.18.0 Recommended workaround fo... Atlassian suggested workarounds Atlassian suggested worka... Patch Vulnerability Patch Vulnerability Deploy Detection Rules Deploy Detection Rules Sigma Rules Sigma Rules Yara Rules Yara Rules Recommended workaround for Confluence 7.0.0-7.14.2 Recommended workaround fo... Analysis resolution - Should continue with the investigation? Analysis resolution - Sho... Done Done Investigate Further Investigate Further Close Investigation - closeInvestigation Close Investigation closeInvestigation Resolution Resolution