Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Celebration

Earn badges and make progress

You're on your way to the next level! Join the Kudos program to earn points and save your progress.

Deleted user Avatar
Deleted user

Level 1: Seed

25 / 150 points

Next: Root

Avatar

1 badge earned

Collect

Participate in fun challenges

Challenges come and go, but your rewards stay with you. Do more to earn more!

Challenges
Coins

Gift kudos to your peers

What goes around comes around! Share the love by gifting kudos to your peers.

Recognition
Ribbon

Rise up in the ranks

Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!

Leaderboard

Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
4,551,987
Community Members
 
Community Events
184
Community Groups

CVE-2022-26134 - Critical severity unauthenticated remote code execution vulnerability

Hi there,

I would like to know if there are any other mitigations to prevent exploitation if we cannot disable our instances? 

Thank you,

Oliver

14 comments

This is a pretty serious vulnerability with no advanced warning, mitigation, or fix version. Some additional guidance or details on the exploit would be helpful.

Like # people like this

FYI, we've moved Confluence behind our VPN as a temp workaround. This may or may not be an option for you. 

Like # people like this

@Robert Tang that's the best course of action. We are an Atlassian Partner and have worked with our clients to do the same over the last few hours if they have a Confluence instance exposed to the internet. The best we can do right now.

Like # people like this

Awesome! Seems this is only limited to Confluence at the moment and it stays this way. 

We're also behind a firewall, but are the 3rd party plugins installed managed by the UPM vulnerable and would that potentially cause another layer of vulnerability to examine?

Can I confirm whether JIRA is affected by this or not?

Based on the current information, it appears this is limited to on premise versions of Confluence only (server and data center).

Like # people like this
Mike Clarke
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Jun 02, 2022

Hi,

What's the best way to track progress on this vulnerability?
All I can see from Atlassian is a one-off statement that can't be Watched or commented on

https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html 

Like IT Admins likes this

Apart from turning it off, move confluence to be only accessible behind VPN if that's possible.

Other compensating controls could be asking your SOC to do additional security monitoring on the confluence server to look for suspicious activities. 

If you have a WAF (e.g. CloudFlare), managed rules through heuristics might be able to detect potential attacks. Although unconfirmed. 

Last might be geo IP blocking to block access from high risk countries if possible. Although not the most effective.

Like Artyom likes this

Beyond what @Robert Tang mentions, in general, I suggest making sure you are updated to the latest available release of Confluence as well as patching your O/S. This will put you in a good position so that when the patch is released for this exploit the upgrade will be relatively painless.

To monitor the confluence security advisory page for this CVE specifically other than manually checking the page regularly, you can enable alert as per Atlassian suggestion.

If you did not receive an email for this advisory and wish to receive such emails in the future, please go to https://my.atlassian.com/email and subscribe to Alerts emails.

Like # people like this

enabling alerts is great ... but when you do that it says it might not take affect for 5 days.  

Hi Folks,

 

did you noticed that the old Partner portal is still available? 

https://partners.atlassian.com

 

I think this site should be taken offline and redirected to the new cloud site

 

Regards,

Pedro Felgueiras
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Jun 03, 2022

Does anyone have a guide on how to restrict URL with "${" on tomcat or does it needs to be restricted outside tomcat 

or how to block URL's with "${" with NGINX

Like Pedro Felgueiras likes this

For nginx, this will filter in the path component of the URL, probably put it in your server block.

location ~ "\$\{" {
deny all;
return 404;
}

This will filter in the parameters component of the URL, pay attention though, it needs to be placed inside your main / location block where you do the proxy_pass redirect.


if ( $args ~ "\$\{" ) { return 404; }
 

 

That should filter all requests, but as @agenttank mentioned below, he noticed issues with synchrony (I didn't get reports of issues yet).

Like André K_ likes this

if anyone is interested, I created a modsecurity rule for this:

SecRule REQUEST_URI|REQUEST_BODY|REQUEST_URI|ARGS "@rx \$\{" "phase:2,id:5003000,log,t:none,deny,msg:'CVE-2022-26134 mitigation'"

creates problems with synchrony though and who knows what else, so we blocked external access to confluence - maybe it would be enough to only look at REQUEST_URI?

a WAF rule only "may reduce your risk" according to atlassian.

 

Apache Code-Block for the <virtualhost> of Confluence:

<VirtualHost>
...
<Location />

Require ip 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12 127.0.0.1
</Location>
...
</VirtualHost>

Like # people like this

Do we get the fix in existing LTS version ? or will expect a new minor release with fixes. 

I expect there will be a bugfix-release to address this, like a 7.18.1 would become 7.18.2 etc.

Current version version is 7.18.0 thus fixed version should be 7.18.1 which currently isn't listed but can already be downloaded: https://product-downloads.atlassian.com/software/confluence/downloads/atlassian-confluence-7.18.1.tar.gz ;-)

Pedro Felgueiras
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Jun 03, 2022
Like # people like this

Hello,

What time is end of business day for you? I have the following message on our Confluence: Maintenance Notification: Please note due to the Confluence Server and Data Center vulnerability - CVE-2022-26134 - the server will be shut down after the end of business today. The server will be available again once patching is complete.

Thank you

Tina

Jimmy Seddon
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Jun 03, 2022

@tina-louise_allaire_canada_ca that sounds like your company admins posted that alert banner message.  You will want to reach out to them (possibly your IT team) that would not have been something that Atlassian posted.

Pedro Felgueiras
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Jun 03, 2022

On the notification page they said they expect EOD June 3 PDT

 

It’s not EBD and the time zone is PDT sou we could have to wait 15 hours 

Question:  What if Confluence is behind an SSO like Okta?  Early testing, we are finding any calls are getting a 302 redirect - so essentially being blocked by SSO auth.  

Was just about to post this. Curious if anyone has completed these steps yet. We are about to follow these steps during business hours.

Just followed the mitigation/workaround steps for the jar files and everything works fine. Just saw Atlassian published an official update that addresses this vulnerability. Going to be a fun night of patching :(

For my understanding, the vulnerability description states that this is an unauthenticated attack. What impact, if any, would disabling anonymous access to confluence have on this vulnerability? would it preclude an attacker from being able to exploit this vulnerability?

Is it safe to say that we're covered from this vulnerability as long as we're accessing Confluence via VPN?  

depends who has access to the vpn

it will just be our users.  

is there any good reason /confluence/noop.jsp should be externally accessible?

certainly not a catch-all as they could put it where they like, but attackers seem to dumping webshell there.  blocking that URL could at least stop some automated exploits.

Hi, 

If we are using SSO/SAML, are we still vulnerable to this?

Thanks,

Matthew.

Christian Reichert _resolution_
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Jun 07, 2022

Hi Matthew,

yes, you are. SSO/SAML within confluence is not suitable mitigation.

You can reduce your risk when you use pre-authentication on something like a Loadbalancer/ALB - but that only means the reduction and "unauthenticated" to an "authenticated" attack.

Best solution is to follow the mitigation/fix steps in the Security advisory.

 

Cheers,
Chris

P.S. Full disclosure, I work for resolution, a marketplace vendor.

Hi Chris,

Thanks for your response. Is there a simple PoC to confirm we are vulnerable? The ones I tested (from Rapid7 blog) return a 403.

Thanks,

Matthew.

Comment

Log in or Sign up to comment
TAGS
AUG Leaders

Atlassian Community Events