Hi there,
I would like to know if there are any other mitigations to prevent exploitation if we cannot disable our instances?
Thank you,
Oliver
FYI, we've moved Confluence behind our VPN as a temp workaround. This may or may not be an option for you.
@Robert Tang that's the best course of action. We are an Atlassian Partner and have worked with our clients to do the same over the last few hours if they have a Confluence instance exposed to the internet. The best we can do right now.
Awesome! Seems this is only limited to Confluence at the moment and it stays this way.
We're also behind a firewall, but are the 3rd party plugins installed managed by the UPM vulnerable and would that potentially cause another layer of vulnerability to examine?
Based on the current information, it appears this is limited to on premise versions of Confluence only (server and data center).
Hi,
What's the best way to track progress on this vulnerability?
All I can see from Atlassian is a one-off statement that can't be Watched or commented on
https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
Apart from turning it off, move confluence to be only accessible behind VPN if that's possible.
Other compensating controls could be asking your SOC to do additional security monitoring on the confluence server to look for suspicious activities.
If you have a WAF (e.g. CloudFlare), managed rules through heuristics might be able to detect potential attacks. Although unconfirmed.
Last might be geo IP blocking to block access from high risk countries if possible. Although not the most effective.
Beyond what @Robert Tang mentions, in general, I suggest making sure you are updated to the latest available release of Confluence as well as patching your O/S. This will put you in a good position so that when the patch is released for this exploit the upgrade will be relatively painless.
To monitor the confluence security advisory page for this CVE specifically other than manually checking the page regularly, you can enable alert as per Atlassian suggestion.
If you did not receive an email for this advisory and wish to receive such emails in the future, please go to https://my.atlassian.com/email and subscribe to Alerts emails.
enabling alerts is great ... but when you do that it says it might not take affect for 5 days.
Hi Folks,
did you noticed that the old Partner portal is still available?
https://partners.atlassian.com
I think this site should be taken offline and redirected to the new cloud site
Regards,
Does anyone have a guide on how to restrict URL with "${" on tomcat or does it needs to be restricted outside tomcat
For nginx, this will filter in the path component of the URL, probably put it in your server block.
location ~ "\$\{" {
deny all;
return 404;
}
This will filter in the parameters component of the URL, pay attention though, it needs to be placed inside your main / location block where you do the proxy_pass redirect.
if ( $args ~ "\$\{" ) { return 404; }
That should filter all requests, but as @agenttank mentioned below, he noticed issues with synchrony (I didn't get reports of issues yet).
if anyone is interested, I created a modsecurity rule for this:
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_URI|ARGS "@rx \$\{" "phase:2,id:5003000,log,t:none,deny,msg:'CVE-2022-26134 mitigation'"
creates problems with synchrony though and who knows what else, so we blocked external access to confluence - maybe it would be enough to only look at REQUEST_URI?
a WAF rule only "may reduce your risk" according to atlassian.
Apache Code-Block for the <virtualhost> of Confluence:
<VirtualHost>
...
<Location />
Require ip 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12 127.0.0.1
</Location>
...
</VirtualHost>
Do we get the fix in existing LTS version ? or will expect a new minor release with fixes.
I expect there will be a bugfix-release to address this, like a 7.18.1 would become 7.18.2 etc.
Current version version is 7.18.0 thus fixed version should be 7.18.1 which currently isn't listed but can already be downloaded: https://product-downloads.atlassian.com/software/confluence/downloads/atlassian-confluence-7.18.1.tar.gz ;-)
Also 7.13.7 is available to download but not listed on the site
Hello,
What time is end of business day for you? I have the following message on our Confluence: Maintenance Notification: Please note due to the Confluence Server and Data Center vulnerability - CVE-2022-26134 - the server will be shut down after the end of business today. The server will be available again once patching is complete.
Thank you
Tina
@tina-louise_allaire_canada_ca that sounds like your company admins posted that alert banner message. You will want to reach out to them (possibly your IT team) that would not have been something that Atlassian posted.
On the notification page they said they expect EOD June 3 PDT
It’s not EBD and the time zone is PDT sou we could have to wait 15 hours
Question: What if Confluence is behind an SSO like Okta? Early testing, we are finding any calls are getting a 302 redirect - so essentially being blocked by SSO auth.
Mitigations are added to https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
Was just about to post this. Curious if anyone has completed these steps yet. We are about to follow these steps during business hours.
Just followed the mitigation/workaround steps for the jar files and everything works fine. Just saw Atlassian published an official update that addresses this vulnerability. Going to be a fun night of patching :(
For my understanding, the vulnerability description states that this is an unauthenticated attack. What impact, if any, would disabling anonymous access to confluence have on this vulnerability? would it preclude an attacker from being able to exploit this vulnerability?
Is it safe to say that we're covered from this vulnerability as long as we're accessing Confluence via VPN?
is there any good reason /confluence/noop.jsp should be externally accessible?
certainly not a catch-all as they could put it where they like, but attackers seem to dumping webshell there. blocking that URL could at least stop some automated exploits.
Hi,
If we are using SSO/SAML, are we still vulnerable to this?
Thanks,
Matthew.
Hi Matthew,
yes, you are. SSO/SAML within confluence is not suitable mitigation.
You can reduce your risk when you use pre-authentication on something like a Loadbalancer/ALB - but that only means the reduction and "unauthenticated" to an "authenticated" attack.
Best solution is to follow the mitigation/fix steps in the Security advisory.
Cheers,
Chris
P.S. Full disclosure, I work for resolution, a marketplace vendor.
Hi Chris,
Thanks for your response. Is there a simple PoC to confirm we are vulnerable? The ones I tested (from Rapid7 blog) return a 403.
Thanks,
Matthew.