Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

CVE-2022-26134 Clarification

Frank Alvarado
Frank Alvarado June 3, 2022

For my understanding, the vulnerability description states that this is an unauthenticated attack. What impact, if any, would disabling anonymous access to confluence have on this vulnerability? would it preclude an attacker from being able to exploit this vulnerability?

Answer
Watch
Like Toño likes this
3459 views

2 answers

1 accepted

1 vote
Answer accepted
Andy Heinzer
Andy Heinzer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
June 3, 2022

Hi Frank,

Yes this is an unauthenticated remote code execution vulnerability, as per the Confluence Security Advisory page for CVE-2022-26134. Confluence instance(s) are vulnerable regardless of the authentication mechanisms currently configured.

Disabling anonymous access does not provide sufficient means to mitigate this vulnerability.

If you could truly remove your site from the internet, then you might reduce the risk involved.  However at this time we have released patched versions.  We recommend upgrading to a fixed version as soon as possible.  If you are unable to upgrade immediately, then please review the current mitigations steps in the advisory itself.

Andy

View More Comments
Frank Alvarado
Frank Alvarado June 3, 2022

Andy,

 Thanks a bunch, this is exactly what I was thinking.

Like
fidel dali
fidel dali
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
June 6, 2022

Hello, what about old versions like 5.10, suddently we all have to upgrade? are you working on a patch for mayor versions like  5.x  , 6.x ?

thanks

Like
Andy Heinzer
Andy Heinzer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
June 6, 2022

@fidel dali Those versions are at End Of Life (EOL).  Please see our EOL policy, it explains that we do not offer support on these EOL versions.

Based on the upgrading documentation guide, if the software maintenance period included in your license has expired, you can keep using Confluence, but you'll need to renew before you can upgrade.

If we attempt a Confluence upgrade with an expired license, we can run into the issue outlined here:

There are some options to proceed and restore Confluence functionality.

  1. Head to https://my.atlassian.com to renew your license or purchase a new license and follow the steps on this guide to fix the license and restore access to Confluence.
  2. Revert the upgrade by restoring Confluence to the previous version using the steps outlined here and apply the CVE workaround immediately to keep Confluence safe.

We strongly recommend upgrading Confluence on a separate staging environment first to validate the upgrade and ensure proper testing before upgrading production.

Like
fidel dali
fidel dali
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
June 7, 2022

Thanks for the reply, I was able to update to 7.13 successfully.

Like
Reply
0 votes
Rob Horan
Rob Horan
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
June 24, 2022

Forgive the basic question, but how does an attacker use this to gain access to the entire system?  Assuming they are running on a Linux-based OS, wouldn't Confluence be running as a dedicated user, and not one with root-level privs?

Reply

Suggest an answer

Log in or Sign up to answer
Confluence
Confluence
TAGS
AUG Leaders

Atlassian Community Events

    See all events