CVE-2022-26134 Clarification

For my understanding, the vulnerability description states that this is an unauthenticated attack. What impact, if any, would disabling anonymous access to Confluence have on this vulnerability? Would it preclude an attacker from being able to exploit this vulnerability?

2 answers

1 accepted

1 vote
Answer accepted
Andy Heinzer Atlassian Team Jun 03, 2022

Hi Frank,

Yes, this is an unauthenticated remote code execution vulnerability, as per the Confluence Security Advisory page for CVE-2022-26134. Confluence instance(s) are vulnerable regardless of the authentication mechanisms currently configured.

Disabling anonymous access does not provide sufficient means to mitigate this vulnerability.

If you could truly remove your site from the internet, then you might reduce the risk involved. However, at this time we have released patched versions. We recommend upgrading to a fixed version as soon as possible. If you are unable to upgrade immediately, then please review the current mitigation steps in the advisory itself.

Andy

Andy,

Thanks a bunch, this is exactly what I was thinking.

Hello, what about old versions like 5.10? Suddenly we all have to upgrade? Are you working on a patch for major versions like 5.x, 6.x?

thanks

Andy Heinzer Atlassian Team Jun 06, 2022

@fidel dali Those versions are at End Of Life (EOL). Please see our EOL policy, it explains that we do not offer support on these EOL versions.

Based on the upgrading documentation guide, if the software maintenance period included in your license has expired, you can keep using Confluence, but you'll need to renew before you can upgrade.

If we attempt a Confluence upgrade with an expired license, we can run into the issue outlined here:

There are some options to proceed and restore Confluence functionality.

  1. Head to https://my.atlassian.com to renew your license or purchase a new license and follow the steps on this guide to fix the license and restore access to Confluence.
  2. Revert the upgrade by restoring Confluence to the previous version using the steps outlined here and apply the CVE workaround immediately to keep Confluence safe.

We strongly recommend upgrading Confluence on a separate staging environment first to validate the upgrade and ensure proper testing before upgrading production.

Thanks for the reply, I was able to update to 7.13 successfully.

Forgive the basic question, but how does an attacker use this to gain access to the entire system? Assuming they are running on a Linux-based OS, wouldn't Confluence be running as a dedicated user, and not one with root-level privs?
