CVE-2022-26134

Hello

we've faced a vulnerability

after upgrading to 7.13.7 (according to the documentation https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html) it still asks to enter the license key; after entering the license and database endpoint we see

"Confluence data already exists in the selected database. You can either overwrite the existing data or go back to the database selection page:"

does it mean data loss? how to fix?

 

3 answers

looks like the section What You Need to Do is not complete (https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html)

first need to check your home directory, files, etc before update or "mitigate"

Looks like you got hacked, and ransomwared. Sorry.

Best bet is to hire a security specialist at this point. Second best option is to wipe the whole system, and restore from backups.

already restored from backup

looks like it needs to be added to the "what to do" section in https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html

Hi @skhristy ,

welcome to the Atlassian community!

Are you sure that you linked the new inst folder to a copy of the home folder of the previous version?

Fabio

> Are you sure that you linked the new inst folder to a copy of the home folder of the previous version?

don't understand, can you elaborate please?

on 7.13.0 (previous version) same behavior (after the vulnerability)

Because you are on a server instance, please verify that your new version is linked to the correct DB before starting it.

Take a look at the following article: https://confluence.atlassian.com/doc/configuring-a-datasource-connection-937166084.html

> Because you are on a server instance, please verify that your new version is linked to the correct DB before starting it.

database correct, use the same parameters as before the vulnerability

I'll clarify again - we encountered a vulnerability, after which Confluence opened on the license page (before that everything was configured correctly)

according to the documentation https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html, the solution is to upgrade to version 7.13.7

after the upgrade the behavior is the same

and some more information - we use confluence in docker

this means that we can't change files in the /opt/atlassian/confluence/confluence/* directory (see Mitigation) because they are in the docker image

@Fabio Racobaldo _Herzum_ what to do if database configuration is correct?

does the CVE-2022-26134 vulnerability imply possible data leak/loss?

My opinion is there's something missing in db configuration. Vulnerability doesn't imply data loss. I just upgraded two different confluence instances without issues.

found files named as '__$$RECOVERY_README$$__.html' in home directory

with part of content like


<p>Can't you find the necessary files?<br>Is the content of your files not readable?</p>
<p>It is normal because the files' names and the data in your files have been encrypted by "Cer&#98;er&nbsp;Rans&#111;mware".</p>
<p>It means your files are NOT damaged! Your files are modified only. This modification is reversible.<br>From now it is not possible to use your files until they will be decrypted.</p>

<p>The only way to decrypt your files safely is to buy the special decryption software "Cer&#98;er&nbsp;Decryptor".</p>

<p>Any attempts to restore your files with the third-party software will be fatal for your files!</p>
<p>We have also downloaded a lot of private data from your network.<br>If you do not contact us in a 30 days, we will post information about your private data on public news webs.</p>
<hr>
<p class="w331208">You can proceed with purchasing of the decryption software at your personal page:</p>
<p><span class="info"><a id="megaurl" class="url" href="[link redacted]</a></span></p>
<p>At this page you will receive the complete instructions how to buy the decryption software for restoring all your files.</p>

 

are you sure that the vulnerability doesn't imply data loss?

all files in home directory are prefixed with ".locked" (e.g. index.locked) which means they are encrypted

it seems that the vulnerability does imply data loss

@Fabio Racobaldo _Herzum_ if interested, can attach files from home directory

please could you share a screenshot of your home folder files?

I'm sorry but your server has been attacked by some ransomware virus (https://community.atlassian.com/t5/Confluence-questions/We-re-hit-by-Cerber-ransomware-help-needed/qaq-p/1909853).

This is not a Confluence issue.

and the fact that it happened at the moment of vulnerability - just a coincidence?

it seems to me that vulnerability implies that anything can happen with confluence

I don't know if it is a coincidence or not

question was rhetorical )

at the moment of vulnerability confluence was hacked - obviously not a coincidence

any feedback about this?

maybe it's worth adding information to https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html: the vulnerability can potentially lead to being hacked / ransomwared, and you need to check confluence before trying to upgrade to versions with the fix (sometimes for money, because not everyone has a paid subscription) or reproducing the steps from the mitigation section (which is not entirely possible in the case of a docker image)?
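
A read-only check for the two indicators reported in this thread (the `__$$RECOVERY_README$$__.html` note and files ending in `.locked`), meant to be run against the Confluence home directory before upgrading or applying the mitigation. This is an added example, not part of any post above or of Atlassian's advisory; the function names and the directory path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: pre-upgrade triage of a Confluence home directory for the two
# indicators quoted in this thread. Read-only; it changes nothing on disk.
# Usage (file name and path are placeholders):
#   . ./scan_home.sh && scan_confluence_home /path/to/confluence-home

NOTE_NAME='__$$RECOVERY_README$$__.html'   # ransom note file name from the thread
LOCKED_GLOB='*.locked'                     # encrypted-file suffix from the thread

# count_matches DIR PATTERN -> number of regular files whose name matches
count_matches() {
    # One dot per match, so odd characters in file names cannot skew the count.
    find "$1" -type f -name "$2" -exec printf . \; 2>/dev/null | wc -c | tr -d ' '
}

# scan_confluence_home DIR
# Exit status: 0 = no indicators, 1 = indicators found, 2 = bad argument.
scan_confluence_home() {
    sch_dir=$1
    if [ -z "$sch_dir" ] || [ ! -d "$sch_dir" ]; then
        echo "usage: scan_confluence_home <confluence-home-dir>" >&2
        return 2
    fi
    sch_notes=$(count_matches "$sch_dir" "$NOTE_NAME")
    sch_locked=$(count_matches "$sch_dir" "$LOCKED_GLOB")
    sch_total=$(count_matches "$sch_dir" '*')

    echo "scanned:      $sch_dir ($sch_total files)"
    echo "ransom notes: $sch_notes"
    echo "*.locked:     $sch_locked"

    if [ "$sch_notes" -gt 0 ] || [ "$sch_locked" -gt 0 ]; then
        # Show a few matching paths so the affected subdirectories are visible.
        find "$sch_dir" -type f \( -name "$NOTE_NAME" -o -name "$LOCKED_GLOB" \) \
            2>/dev/null | head -n 5
        echo "RESULT: indicators present; treat the instance as compromised and restore from backup before upgrading"
        return 1
    fi
    echo "RESULT: no indicators from this thread found"
    return 0
}
```

With Docker, point it at the host path of the volume that holds the Confluence home, since that data lives outside the image.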
