CVE-2022-26134 - Critical severity unauthenticated remote code execution vulnerability

Oliver Lam June 2, 2022

Hi there,

I would like to know if there are any other mitigations to prevent exploitation if we cannot disable our instances? 

Thank you,

Oliver


David Grizzell
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
June 2, 2022

This is a pretty serious vulnerability with no advanced warning, mitigation, or fix version. Some additional guidance or details on the exploit would be helpful.

Robert Tang June 2, 2022

FYI, we've moved Confluence behind our VPN as a temp workaround. This may or may not be an option for you. 

David Grizzell
June 2, 2022

@Robert Tang that's the best course of action. We are an Atlassian Partner and have worked with our clients to do the same over the last few hours if they have a Confluence instance exposed to the internet. The best we can do right now.

Robert Tang June 2, 2022

Awesome! Seems this is only limited to Confluence at the moment and it stays this way. 

SC June 3, 2022

We're also behind a firewall, but are the 3rd party plugins installed managed by the UPM vulnerable and would that potentially cause another layer of vulnerability to examine?

Robert Tang June 2, 2022

Can I confirm whether JIRA is affected by this or not?

David Grizzell
June 2, 2022

Based on the current information, it appears this is limited to on premise versions of Confluence only (server and data center).

Mike Clarke
June 2, 2022

Hi,

What's the best way to track progress on this vulnerability?
All I can see from Atlassian is a one-off statement that can't be Watched or commented on

https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html 

Robert Tang June 2, 2022

Apart from turning it off, move confluence to be only accessible behind VPN if that's possible.

Other compensating controls could be asking your SOC to do additional security monitoring on the confluence server to look for suspicious activities. 

If you have a WAF (e.g. CloudFlare), managed rules through heuristics might be able to detect potential attacks. Although unconfirmed. 

Last might be geo IP blocking to block access from high risk countries if possible. Although not the most effective.

David Grizzell
June 2, 2022

Beyond what @Robert Tang mentions, in general, I suggest making sure you are updated to the latest available release of Confluence as well as patching your O/S. This will put you in a good position so that when the patch is released for this exploit the upgrade will be relatively painless.

Robert Tang June 2, 2022

To monitor the Confluence security advisory page for this CVE specifically, other than manually checking the page regularly, you can enable alerts as per Atlassian's suggestion.

If you did not receive an email for this advisory and wish to receive such emails in the future, please go to https://my.atlassian.com/email and subscribe to Alerts emails.

cooreilly June 3, 2022

enabling alerts is great ... but when you do that it says it might not take effect for 5 days.

Joachim Schenk June 3, 2022

Hi Folks,

Did you notice that the old Partner portal is still available?

https://partners.atlassian.com

I think this site should be taken offline and redirected to the new cloud site.

Regards,

Pedro Felgueiras
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
June 3, 2022

Does anyone have a guide on how to restrict URLs with "${" on Tomcat, or does it need to be restricted outside Tomcat?

André K. June 3, 2022

or how to block URLs with "${" with NGINX

Mathy June 3, 2022

For nginx, this will filter in the path component of the URL, probably put it in your server block.

location ~ "\$\{" {
    deny all;
    return 404;
}

This will filter in the parameters component of the URL; pay attention though, it needs to be placed inside your main / location block where you do the proxy_pass redirect.

if ( $args ~ "\$\{" ) { return 404; }

That should filter all requests, but as @agenttank mentioned below, he noticed issues with Synchrony (I didn't get reports of issues yet).

agenttank June 3, 2022

if anyone is interested, I created a modsecurity rule for this:

SecRule REQUEST_URI|REQUEST_BODY|ARGS "@rx \$\{" "phase:2,id:5003000,log,t:none,deny,msg:'CVE-2022-26134 mitigation'"

creates problems with synchrony though and who knows what else, so we blocked external access to confluence - maybe it would be enough to only look at REQUEST_URI?

a WAF rule only "may reduce your risk" according to Atlassian.

Apache code block for the <VirtualHost> of Confluence:

# *:443 is a placeholder; use the address/port your Confluence vhost listens on
<VirtualHost *:443>
...
<Location />
    Require ip 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12 127.0.0.1
</Location>
...
</VirtualHost>

Pandiyan Muthuraman June 3, 2022

Do we get the fix in existing LTS version ? or will expect a new minor release with fixes. 

IT Admins June 3, 2022

I expect there will be a bugfix-release to address this, like a 7.18.1 would become 7.18.2 etc.

Frank Hess June 3, 2022

Current version is 7.18.0, thus the fixed version should be 7.18.1, which currently isn't listed but can already be downloaded: https://product-downloads.atlassian.com/software/confluence/downloads/atlassian-confluence-7.18.1.tar.gz ;-)

Pedro Felgueiras
Rising Star
June 3, 2022
tina-louise_allaire_canada_ca June 3, 2022

Hello,

What time is end of business day for you? I have the following message on our Confluence: Maintenance Notification: Please note due to the Confluence Server and Data Center vulnerability - CVE-2022-26134 - the server will be shut down after the end of business today. The server will be available again once patching is complete.

Thank you

Tina

Jimmy Seddon
June 3, 2022

@tina-louise_allaire_canada_ca that sounds like your company admins posted that alert banner message. You will want to reach out to them (possibly your IT team); that would not have been something that Atlassian posted.

Pedro Felgueiras
June 3, 2022

On the notification page they said they expect EOD June 3 PDT.

It's not EOD yet and the time zone is PDT, so we could have to wait 15 hours.

Alyson Whitaker June 3, 2022

Question:  What if Confluence is behind an SSO like Okta?  Early testing, we are finding any calls are getting a 302 redirect - so essentially being blocked by SSO auth.  

Matt Baillargeon June 3, 2022

Was just about to post this. Curious if anyone has completed these steps yet. We are about to follow these steps during business hours.

Matt Baillargeon June 3, 2022

Just followed the mitigation/workaround steps for the jar files and everything works fine. Just saw Atlassian published an official update that addresses this vulnerability. Going to be a fun night of patching :(

Frank Alvarado June 3, 2022

For my understanding, the vulnerability description states that this is an unauthenticated attack. What impact, if any, would disabling anonymous access to Confluence have on this vulnerability? Would it preclude an attacker from being able to exploit this vulnerability?

Dylan Syme June 3, 2022

none at all.

Richard Jones June 3, 2022

Is it safe to say that we're covered from this vulnerability as long as we're accessing Confluence via VPN?  

Dylan Syme June 3, 2022

depends who has access to the vpn

Richard Jones June 3, 2022

it will just be our users.  

Dylan Syme June 3, 2022

is there any good reason /confluence/noop.jsp should be externally accessible?

certainly not a catch-all as they could put it where they like, but attackers seem to be dumping webshells there. Blocking that URL could at least stop some automated exploits.
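As an added example, not code from this thread, from Atlassian, or from any vendor named here: a small Python access-log scanner that applies the two indicators discussed above (the "${" marker from the nginx/ModSecurity posts and the /confluence/noop.jsp path Dylan mentions) to sample log lines. It percent-decodes repeatedly before matching, because the nginx $args check above matches the raw query string and a single decode misses double-encoded input. The log lines are constructed samples, and the parser assumes the common/combined log format.

```python
"""Access-log scan for the two CVE-2022-26134 indicators discussed in this thread.

Added example, not code from the thread, Atlassian, or any vendor named here.
Assumes common/combined log format; the log lines below are constructed samples.
"""
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic). Lines 2 and 4 carry
# "${" percent-encoded once and twice; line 3 posts to noop.jsp; line 5 is a
# near miss ("{" without "$") that must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Jun/2022:10:15:01 +0000] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 5120
203.0.113.7 - - [03/Jun/2022:10:16:44 +0000] "GET /%24%7Bexample%7D/ HTTP/1.1" 302 0
198.51.100.9 - - [03/Jun/2022:10:17:02 +0000] "POST /confluence/noop.jsp HTTP/1.1" 200 12
203.0.113.8 - - [03/Jun/2022:10:18:30 +0000] "GET /%2524%257Bexample%257D/ HTTP/1.1" 302 0
10.0.0.6 - - [03/Jun/2022:10:19:00 +0000] "GET /rest/api/content?limit=25&q=%7Bx HTTP/1.1" 200 800
"""

# Common/combined log format: client, ident, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so that
    double-encoded input such as %2524%257B is normalised to ${."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(target: str) -> list:
    """Return the indicators found in one request target (path plus query)."""
    reasons = []
    decoded = fully_decode(target)
    # Indicator 1: the "${" sequence the nginx/ModSecurity rules in the thread block
    if "${" in decoded:
        reasons.append("dollar_brace")
    # Indicator 2: a request to noop.jsp, the path mentioned as a webshell drop point
    path = decoded.split("?", 1)[0]
    if path.rstrip("/").lower().endswith("/noop.jsp"):
        reasons.append("noop_jsp")
    return reasons


def scan(log_text: str) -> list:
    """Parse each log line and keep the ones carrying at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        reasons = classify(m.group("target"))
        if reasons:
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "target": m.group("target"),
                "status": int(m.group("status")),
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["status"]} {hit["target"]} '
              f'-> {", ".join(hit["reasons"])}')
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; a hit on "dollar_brace" with a 200 or 302 status on an unpatched instance is worth treating as a possible successful request rather than a blocked one, since the thread's nginx and ModSecurity rules return 404/403 when they fire.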

Matthew Ciantar June 7, 2022

Hi, 

If we are using SSO/SAML, are we still vulnerable to this?

Thanks,

Matthew.

Christian Reichert (resolution)
June 7, 2022

Hi Matthew,

yes, you are. SSO/SAML within Confluence is not a suitable mitigation.

You can reduce your risk when you use pre-authentication on something like a Loadbalancer/ALB - but that only means a reduction from an "unauthenticated" to an "authenticated" attack.

Best solution is to follow the mitigation/fix steps in the Security advisory.

Cheers,
Chris

P.S. Full disclosure, I work for resolution, a marketplace vendor.

Matthew Ciantar June 7, 2022

Hi Chris,

Thanks for your response. Is there a simple PoC to confirm we are vulnerable? The ones I tested (from Rapid7 blog) return a 403.

Thanks,

Matthew.
