Warning – Critical Remote Code Execution Vulnerability CVE-2022-26134 (Confluence Server & Data Center) Actively Exploited
CVE-2022-26134
Sources
Atlassian - https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
Volexity - https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
Risks
Successful exploitation of CVE-2022-26134 can lead to unauthenticated remote code execution. It would allow a threat actor to install web shells on vulnerable Confluence servers.
Description
On the 2nd of June 2022, Atlassian released Confluence Security Advisory 2022-06-02 to disclose that a critical unauthenticated remote code execution vulnerability in Confluence Data Center and Server is under active exploitation. This vulnerability is tracked as CVE-2022-26134.
According to the security advisory, Atlassian is working on a fix and is withholding further details about the vulnerability until that fix is made available (estimated by end of day on the 3rd of June, PDT).
Confluence Server and Data Center are affected; Atlassian Cloud sites (accessible via atlassian.net) are unaffected.
Update 04-06-2022
Versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1 contain a fix for this issue.
Organisations that use Confluence Server and/or Data Center are urged to take the following actions until a fix is made available:
- Restrict access to Confluence Server and Data Center instances from the internet.
- Disable Confluence Server and Data Center instances.
If it is not possible to take the above actions, implementing a WAF (Web Application Firewall) rule which blocks URLs containing ${ may reduce your organisation’s risk.
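The same `${` heuristic the WAF rule relies on can also be applied retroactively to web-server access logs, so that administrators who could not block or disable their instance can at least check whether such requests reached it. The following scanner is an added example, not code from the advisory or from Atlassian; it assumes a combined-format access log and uses constructed sample lines. It also percent-decodes the URL repeatedly, because a WAF matching only the literal `${` would miss encoded forms such as `%24%7B`.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx combined-log style (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [03/Jun/2022:10:01:12 +0000] "GET /login.action HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
10.0.0.7 - - [03/Jun/2022:10:01:15 +0000] "GET /%24%7Bfoo%7D/ HTTP/1.1" 302 0 "-" "curl/7.68.0"
10.0.0.9 - - [03/Jun/2022:10:02:03 +0000] "GET /pages/viewpage.action?pageId=42 HTTP/1.1" 200 9932 "-" "Mozilla/5.0"
10.0.0.7 - - [03/Jun/2022:10:02:40 +0000] "POST /${bar}/ HTTP/1.1" 302 0 "-" "curl/7.68.0"
"""

# Assumed log layout: client ip, ident, user, [timestamp], "METHOD URL PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
MARKER = "${"  # the substring the advisory suggests blocking at the WAF


def url_contains_marker(url: str, max_decode_rounds: int = 3) -> bool:
    """True if the URL contains `${` literally or after repeated percent-decoding.

    Decoding more than once catches double-encoded forms such as %2524%257B.
    Decoding stops early once a round no longer changes the string."""
    current = url
    for _ in range(max_decode_rounds + 1):
        if MARKER in current:
            return True
        decoded = unquote(current)
        if decoded == current:
            return False
        current = decoded
    return MARKER in current


def find_suspicious_requests(log_text: str) -> list[dict]:
    """Return the parsed fields of every request whose URL carries the marker.

    Hits are triage candidates, not proof of exploitation: a `$` can occur in
    legitimate URLs, so review source IP, timing and response status together."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and url_contains_marker(m["url"]):
            hits.append({k: m[k] for k in ("ip", "ts", "method", "url", "status")})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} {hit['url']} -> {hit['status']}")
```

Run it against the real access log by replacing `SAMPLE_LOG` with the file contents; requests logged before the fixed version was installed deserve the closest look.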
Recommended Actions
The Centre for Cyber Security Belgium recommends that administrators of Confluence servers prioritize this vulnerability and assess whether the proposed courses of action can be taken. Atlassian will update Confluence Security Advisory 2022-06-02 as fixes become available.
References
Bleeping Computer - https://www.bleepingcomputer.com/news/security/critical-atlassian-confluence-zero-day-actively-used-in-attacks/
CISA.gov - https://www.cisa.gov/uscert/ncas/current-activity/2022/06/02/atlassian-releases-security-updates-confluence-server-and-data
CISA.gov - https://www.cisa.gov/uscert/ncas/current-activity/2022/06/02/cisa-adds-one-known-exploited-vulnerability-cve-2022-26134-catalog