On August 25, 2021, Atlassian released a security advisory for CVE-2021-26084, an OGNL injection vulnerability found within a component of Confluence Server and Data Center. This critical vulnerability allows an unauthenticated attacker to execute arbitrary commands on the server. A few days later, on August 31, security researchers @iamnoob and @rootxharsh developed a working proof of concept from the published vulnerability details and by reverse engineering. After their research was published, several public exploits were released into the wild. Many criminal organizations began mass exploitation of the vulnerability, and alerts were put out urging immediate remediation.

What is OGNL?

Object-Graph Navigation Language (OGNL) is an open-source expression language for Java. Developers typically use expressions to generate dynamic fields in an application; for example, a website's title might be generated dynamically from the current user. OGNL is powerful, and expressions are not limited to basic examples like this: OGNL also allows arbitrary Java to be executed within an expression so that developers can handle much more.

The dangerous aspect of OGNL is when a user can control the variable that is used in the expression. If an attacker controls that variable, they can inject a malicious expression that the server then evaluates. In Confluence's case, several hidden parameters could be controlled by the end user when POSTing to different endpoints.

OGNL injection is a fairly common vulnerability that developers are aware of, and a frequent mitigation is to first pass all content to be evaluated through a blacklist. The blacklist used by Confluence checked for common Java classes and properties that attackers use to achieve code execution, but it missed some more advanced methods. By using a Java array accessor, the researchers were able to bypass Confluence's blacklist:

queryString=aaa'+#{""["class"]}+'bbb

With the blacklist bypassed, they could now inject any Java code that the server would evaluate. The final form of the payload that could be injected is:

queryString=aaa
#{
  ""["class"].forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec("/bin/bash -c ")
}

Past Mistakes

OGNL injection vulnerabilities have been in the spotlight before. In 2017, Equifax was breached using this exact same class of vulnerability with CVE-2017-5638, which affected all sites utilizing Apache Struts. In that case, a specially crafted request sent to a server running Struts caused an exception, and while handling the exception the server evaluated user-controlled input. This won't be the last OGNL injection vulnerability found. As more are found, the blacklists developers use typically expand to catch the latest attacker techniques, but this is a losing strategy: the cat-and-mouse game of blacklists is reactionary. Shifting resources into developing safer evaluation methods built on whitelisted functionality protects the majority of applications and users.
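To make the blacklist-versus-whitelist argument concrete, here is a constructed Python illustration (added here, not Confluence's own filter code) of a denylist that inspects identifier tokens and so misses the ""["class"] literal-index form, beside an allowlist that only accepts dotted chains of known property names. The token regex, the denylist and the allowlisted property names are assumptions for the illustration.

```python
import re

# Constructed illustration, not Confluence's real isSafeExpression logic.
# Tokens: double/single-quoted string literals, dotted identifiers, or any
# other single non-space character (brackets, dots, parentheses, ...).
TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|[A-Za-z_][A-Za-z0-9_.]*|\S')

# What a typical denylist flags: the property/method that yields a Class
# object, and classes commonly used to spawn processes (assumed set).
DENYLIST = {"class", "getClass", "Runtime", "ProcessBuilder"}

# What the application actually needs for dynamic titles (assumed set).
ALLOWLIST = {"user", "displayName", "space", "title"}


def denylist_allows(expr: str) -> bool:
    # Reject only when a bare identifier (or the last segment of a dotted
    # one) is on the denylist. String literals are never inspected, which is
    # why the ""["class"] array accessor slips through: "class" arrives as a
    # literal index rather than as an identifier.
    for tok in TOKEN_RE.findall(expr):
        if tok[0] in "\"'":
            continue  # literal: not checked
        if tok in DENYLIST or tok.split(".")[-1] in DENYLIST:
            return False
    return True


def allowlist_allows(expr: str) -> bool:
    # Accept only a dotted chain of allowlisted property names. Literals,
    # indexing, method calls and operators are rejected by construction,
    # so there is no blacklist gap left to find.
    if not re.fullmatch(r"[A-Za-z_]\w*(\.[A-Za-z_]\w*)*", expr):
        return False
    return all(part in ALLOWLIST for part in expr.split("."))


if __name__ == "__main__":
    for expr in ['user.displayName', '"".getClass()', '""["class"]']:
        print(f"{expr:20} denylist={denylist_allows(expr)!s:5} "
              f"allowlist={allowlist_allows(expr)}")
```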