Citrix has crafted new signatures and has updated its Citrix Web App Firewall signature file to help customers mitigate the recent OGNL injection vulnerability in multiple versions of Atlassian Confluence (CVE-2022-26134). You can download these and apply them immediately.

Object-Graph Navigation Language (OGNL) is an open-source Expression Language (EL) for Java objects. OGNL enables the evaluation of EL expressions in Apache Struts, the commonly used development framework for Java-based web applications in enterprise environments.

Multiple versions of Atlassian Confluence contain an unauthenticated OGNL injection vulnerability. In affected versions of Confluence Server and Data Center, it can allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. Atlassian has provided a patch for vulnerable versions and a workaround for customers not able to rapidly update their affected instances. Citrix Web App Firewall customers should also consider the following recommendations to help reduce risk associated with this vulnerability.

Citrix’s research team has released updated Citrix Web App Firewall signatures designed to mitigate, in part, the CVE-2022-26134 vulnerability. If you are using any of the affected Confluence Server and Data Center versions, Citrix strongly recommends that you download signature version 87 and apply it to your Citrix Web App Firewall deployments as an additional layer of protection for your applications. The signatures are compatible with Citrix ADC 11.1, 12.0, 12.1, 13.0, and 13.1. Please note that versions 11.1 and 12.0 are at end of life. Learn more about the release lifecycle.

| Signature rule | CVE ID | Description |
|---|---|---|
| 998966 | CVE-2022-26134 | WEB-MISC Atlassian Confluence Multiple Versions – Unauthenticated OGNL Injection Vulnerability (CVE-2022-26134) |

If you are already using Citrix Web App Firewall with the signature auto-update feature enabled, follow these steps after verifying that the signature version is at least version 87.

  1. Search your signatures for CVE-2022-26134 LogString.
  2. Select the results with ID 998966.
  3. Choose “Enable Rules” and click OK.

Citrix recommends that Citrix Web App Firewall customers use the latest signature version, enable signatures auto-update, and subscribe to receive signature alert notifications. Citrix will continue to monitor this dynamic situation and provide updates as new mitigations become available.

If app availability is inadvertently affected by false positives resulting from the above mitigation policies, Citrix recommends the following modifications to the policy. Please note that any endpoint covered by the exception_list may be exposed to risks from CVE-2022-26134.


Modifications to WAF Policy

add policy patset exception_list

# (Example: bind policy patset exception_list "/exception_url")

Prepend the existing WAF policy with HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT

# (Example: set appfw policy my_WAF_policy -rule q^HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT && <existing rule>^)
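
To check how far an exception reaches before deploying it, the following Python model of the expression above sorts request URLs into inspected, exempt as intended, and exempt only because the pattern appears as a substring. It is an added example, not Citrix code: it assumes CONTAINS_ANY is a case-sensitive substring match, and the sample URLs and the definition of "intended" (path equal to or beneath a pattern) are constructed for illustration.

```python
# Added example: models the exception expression from this page,
#   HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT && <existing rule>
# Assumption: CONTAINS_ANY is a case-sensitive substring match against
# every pattern bound to the pattern set.
from urllib.parse import urlsplit


def is_exempt(url, patset):
    """True when the URL contains any pattern, so .NOT makes the WAF policy skip it."""
    return any(pattern in url for pattern in patset)


def audit(urls, patset):
    """Sort request URLs into inspected, exempt-as-intended and exempt-by-substring.

    'Intended' (hypothetical definition) means the URL path equals a pattern
    or sits beneath it; any other match is reported as unintended.
    """
    report = {"inspected": [], "intended": [], "unintended": []}
    for url in urls:
        if not is_exempt(url, patset):
            report["inspected"].append(url)
            continue
        path = urlsplit(url).path
        intended = any(
            path == p or path.startswith(p.rstrip("/") + "/") for p in patset
        )
        report["intended" if intended else "unintended"].append(url)
    return report


# Constructed sample data: the pattern from the page's example and
# request URLs as they might appear in an access log.
EXCEPTION_LIST = ["/exception_url"]
SAMPLE_URLS = [
    "/exception_url",
    "/exception_url/health",
    "/exception_url_old/upload",
    "/app/exception_url/report",
    "/pages/viewpage.action?pageId=1",
]

if __name__ == "__main__":
    for bucket, urls in audit(SAMPLE_URLS, EXCEPTION_LIST).items():
        print(f"{bucket}: {urls}")
```

URLs reported as unintended are candidates for a narrower pattern, since the signature no longer inspects them.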


Additional Information

Citrix Web App Firewall has a single code base across physical, virtual, bare-metal, and containers. This signature update applies to all form factors and deployment models of Citrix Web App Firewall.

Learn more about Citrix Web App Firewall, check out our alert articles and bot signature articles to learn more about Citrix Web App Firewall signatures, and find out how you can receive signature alert notifications.

Patches and Mitigations

Citrix strongly recommends that customers apply patches (from Atlassian and/or other vendors) as soon as they are made available. Until a patch is made available, you may reduce the risk of a successful attack by applying mitigations. Mitigations should not be considered full solutions as they do not fully address the underlying issue(s).