Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
4,301,401
Community Members
 
Community Events
165
Community Groups

CVE-2022-26134 - Critical severity unauthenticated remote code execution vulnerability

Hi there,

I would like to know if there are any other mitigations to prevent exploitation if we cannot disable our instances? 

Thank you,

Oliver

14 comments

This is a pretty serious vulnerability with no advanced warning, mitigation, or fix version. Some additional guidance or details on the exploit would be helpful.

Like # people like this

FYI, we've moved Confluence behind our VPN as a temp workaround. This may or may not be an option for you. 

Like # people like this

@Robert Tang that's the best course of action. We are an Atlassian Partner and have worked with our clients to do the same over the last few hours if they have a Confluence instance exposed to the internet. The best we can do right now.

Like # people like this

Awesome! Seems this is only limited to Confluence at the moment and it stays this way. 

We're also behind a firewall, but are the 3rd party plugins installed managed by the UPM vulnerable and would that potentially cause another layer of vulnerability to examine?

Can I confirm whether JIRA is affected by this or not?

Based on the current information, it appears this is limited to on premise versions of Confluence only (server and data center).

Like # people like this

Hi,

What's the best way to track progress on this vulnerability?
All I can see from Atlassian is a one-off statement that can't be Watched or commented on

https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html 

Like IT Admins likes this

Apart from turning it off, move confluence to be only accessible behind VPN if that's possible.

Other compensating controls could be asking your SOC to do additional security monitoring on the confluence server to look for suspicious activities. 

If you have a WAF (e.g. CloudFlare), managed rules through heuristics might be able to detect potential attacks. Although unconfirmed. 

Last might be geo IP blocking to block access from high risk countries if possible. Although not the most effective.

Like Artyom likes this

Beyond what @Robert Tang mentions, in general, I suggest making sure you are updated to the latest available release of Confluence as well as patching your O/S. This will put you in a good position so that when the patch is released for this exploit the upgrade will be relatively painless.

To monitor the confluence security advisory page for this CVE specifically other than manually checking the page regularly, you can enable alert as per Atlassian suggestion.

If you did not receive an email for this advisory and wish to receive such emails in the future, please go to https://my.atlassian.com/email and subscribe to Alerts emails.

Like # people like this

enabling alerts is great ... but when you do that it says it might not take affect for 5 days.  

Hi Folks,

 

did you noticed that the old Partner portal is still available? 

https://partners.atlassian.com

 

I think this site should be taken offline and redirected to the new cloud site

 

Regards,

Does anyone have a guide on how to restrict URL with "${" on tomcat or does it needs to be restricted outside tomcat 

or how to block URL's with "${" with NGINX

Like Pedro Felgueiras likes this

For nginx, this will filter in the path component of the URL, probably put it in your server block.

location ~ "\$\{" {
deny all;
return 404;
}

This will filter in the parameters component of the URL, pay attention though, it needs to be placed inside your main / location block where you do the proxy_pass redirect.


if ( $args ~ "\$\{" ) { return 404; }
 

 

That should filter all requests, but as @agenttank mentioned below, he noticed issues with synchrony (I didn't get reports of issues yet).

Like André K. likes this

if anyone is interested, I created a modsecurity rule for this:

SecRule REQUEST_URI|REQUEST_BODY|REQUEST_URI|ARGS "@rx \$\{" "phase:2,id:5003000,log,t:none,deny,msg:'CVE-2022-26134 mitigation'"

creates problems with synchrony though and who knows what else, so we blocked external access to confluence - maybe it would be enough to only look at REQUEST_URI?

a WAF rule only "may reduce your risk" according to atlassian.

 

Apache Code-Block for the <virtualhost> of Confluence:

<VirtualHost>
...
<Location />

Require ip 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12 127.0.0.1
</Location>
...
</VirtualHost>

Like # people like this

Do we get the fix in existing LTS version ? or will expect a new minor release with fixes. 

I expect there will be a bugfix-release to address this, like a 7.18.1 would become 7.18.2 etc.

Current version version is 7.18.0 thus fixed version should be 7.18.1 which currently isn't listed but can already be downloaded: https://product-downloads.atlassian.com/software/confluence/downloads/atlassian-confluence-7.18.1.tar.gz ;-)

Like # people like this

Hello,

What time is end of business day for you? I have the following message on our Confluence: Maintenance Notification: Please note due to the Confluence Server and Data Center vulnerability - CVE-2022-26134 - the server will be shut down after the end of business today. The server will be available again once patching is complete.

Thank you

Tina

Jimmy Seddon Community Leader Jun 03, 2022

@tina-louise_allaire_canada_ca that sounds like your company admins posted that alert banner message.  You will want to reach out to them (possibly your IT team) that would not have been something that Atlassian posted.

On the notification page they said they expect EOD June 3 PDT

 

It’s not EBD and the time zone is PDT sou we could have to wait 15 hours 

Question:  What if Confluence is behind an SSO like Okta?  Early testing, we are finding any calls are getting a 302 redirect - so essentially being blocked by SSO auth.  

Was just about to post this. Curious if anyone has completed these steps yet. We are about to follow these steps during business hours.

Just followed the mitigation/workaround steps for the jar files and everything works fine. Just saw Atlassian published an official update that addresses this vulnerability. Going to be a fun night of patching :(

For my understanding, the vulnerability description states that this is an unauthenticated attack. What impact, if any, would disabling anonymous access to confluence have on this vulnerability? would it preclude an attacker from being able to exploit this vulnerability?

Is it safe to say that we're covered from this vulnerability as long as we're accessing Confluence via VPN?  

depends who has access to the vpn

it will just be our users.  

is there any good reason /confluence/noop.jsp should be externally accessible?

certainly not a catch-all as they could put it where they like, but attackers seem to dumping webshell there.  blocking that URL could at least stop some automated exploits.

Hi, 

If we are using SSO/SAML, are we still vulnerable to this?

Thanks,

Matthew.

Hi Matthew,

yes, you are. SSO/SAML within confluence is not suitable mitigation.

You can reduce your risk when you use pre-authentication on something like a Loadbalancer/ALB - but that only means the reduction and "unauthenticated" to an "authenticated" attack.

Best solution is to follow the mitigation/fix steps in the Security advisory.

 

Cheers,
Chris

P.S. Full disclosure, I work for resolution, a marketplace vendor.

Hi Chris,

Thanks for your response. Is there a simple PoC to confirm we are vulnerable? The ones I tested (from Rapid7 blog) return a 403.

Thanks,

Matthew.

Comment

Log in or Sign up to comment
TAGS
Community showcase
Published in Confluence

An update on Confluence Cloud customer feedback – June 2022

Hi everyone, We’re always looking at how to improve Confluence and customer feedback plays an important role in making sure we're investing in the areas that will bring the most value to the most c...

442 views 2 14
Read article

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you