If you are an IT admin or a security professional whose organization uses Confluence, you might want to immediately check out Atlassian's security advisory here. The vendor has highlighted a critical vulnerability in its Confluence Server and Data Center products that could lead to unauthenticated remote code execution (RCE).
All supported versions of Confluence Server and Data Center are affected, and unsupported versions are likely affected too. If your Confluence is hosted on Atlassian Cloud (accessed via an atlassian.net domain), you are in luck, as that infrastructure is not affected.
Atlassian has assigned the issue its highest possible severity level and has urged IT admins and security teams to act as soon as possible. Until a patch becomes available, the company recommends restricting internet access to both products and shutting down Confluence Server and Data Center instances entirely. If that is not possible, the next-best step is a Web Application Firewall (WAF) rule that blocks URLs containing the string "${". This does not make your infrastructure safe, but it reduces the likelihood of a successful exploit.
The full extent of the damage a successful exploit could cause is currently unknown, as are the attack method and the details of the flaw itself. That is to be expected while a patch is not yet available: disclosing those details publicly now would only increase the danger of a widespread attack.
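The interim WAF rule above matches on a single string in the request URL. As an added illustration (this is not Atlassian's rule or any vendor's WAF code), the following Python shows the two places a defender would apply that same check: as a request filter, and as a retrospective scan over web-server access logs, since the advisory later confirmed active exploitation. The log lines are constructed for the example, and the match is applied to the percent-decoded path, which is how a WAF normally normalises a request before matching.

```python
import re
from urllib.parse import unquote

# The marker the advisory's WAF mitigation blocks on.
MARKER = "${"

# Constructed sample access-log lines in Common Log Format. They are not real
# Confluence logs; hosts, timestamps and request paths are invented.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [03/Jun/2022:10:01:02 +0000] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 5120',
    '10.0.0.6 - - [03/Jun/2022:10:01:03 +0000] "GET /${example}/ HTTP/1.1" 302 0',
    '10.0.0.7 - - [03/Jun/2022:10:01:04 +0000] "GET /%24%7Bexample%7D/ HTTP/1.1" 302 0',
    '10.0.0.8 - - [03/Jun/2022:10:01:05 +0000] "POST /rest/api/content HTTP/1.1" 200 88',
]


def normalize_path(raw_path: str) -> str:
    """Percent-decode the request path, as a WAF does before rule matching,
    so that "%24%7B" and a literal "${" are treated the same way."""
    return unquote(raw_path)


def should_block(raw_path: str) -> bool:
    """Return True when the decoded request path contains the "${" marker,
    i.e. the condition the interim WAF rule blocks on."""
    return MARKER in normalize_path(raw_path)


# Extracts method and path from the quoted request field of a CLF line.
_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def flag_log_lines(lines):
    """Retrospective check over access-log lines: return a list of
    (line_number, request_path) for every request the rule would have blocked."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = _REQUEST_RE.search(line)
        if match and should_block(match.group("path")):
            hits.append((number, match.group("path")))
    return hits


if __name__ == "__main__":
    for number, path in flag_log_lines(SAMPLE_LOG_LINES):
        print(f"line {number}: request path {path!r} matches the '${{' rule")
```

Requests flagged by the scan are candidates for closer review, not proof of compromise: the marker is a coarse indicator, which is why the article notes that the rule reduces risk rather than removing it.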
Atlassian has said that it is working on a fix at the highest priority and expects to roll out a patch by the end of day on June 3, Pacific Time. The issue is being tracked as CVE-2022-26134.
Update: True to its word, Atlassian has now rolled out a fix in the following versions of Confluence Server:
- 7.4.17
- 7.13.7
- 7.14.3
- 7.15.2
- 7.16.4
- 7.17.4
- 7.18.1
Atlassian has also revealed some more details about the vulnerability in question, noting that:
Atlassian has been made aware of current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server. The OGNL injection vulnerability allows an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance.
All versions of Confluence Server and Data Center prior to the fixed versions listed above are affected by this vulnerability.
Affected customers have been contacted and the advisory has been updated with more details about mitigation steps and what to do next, so do check it out here.
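Because the fix was shipped on seven separate release branches, a naive numeric comparison gets the triage wrong: 7.5.3 sorts above 7.4.17 but has no fix on its branch, so it is still affected under the statement that all versions prior to the fixed ones are vulnerable. The following Python is an added example, not an Atlassian tool, that applies the fixed-version list from the update above branch by branch to an inventory of instances; the hostnames and versions in the inventory are constructed, and the handling of branches newer than 7.18 is an assumption derived from the "prior to the fixed versions" wording.

```python
# Fixed Confluence Server / Data Center versions as listed in the update.
FIXED_VERSIONS = ["7.4.17", "7.13.7", "7.14.3", "7.15.2", "7.16.4", "7.17.4", "7.18.1"]


def parse_version(version: str) -> tuple:
    """Parse "major.minor.patch" into a tuple of ints; reject anything else."""
    parts = version.split(".")
    if len(parts) != 3 or not all(part.isdigit() for part in parts):
        raise ValueError(f"unexpected version string: {version!r}")
    return tuple(int(part) for part in parts)


# Map each release branch (major, minor) to the first patch level that is fixed.
_FIXED_BY_BRANCH = {
    (major, minor): patch for major, minor, patch in map(parse_version, FIXED_VERSIONS)
}
_HIGHEST_FIXED_BRANCH = max(_FIXED_BY_BRANCH)


def is_fixed(version: str) -> bool:
    """Return True if this version contains the fix for CVE-2022-26134.

    Branch-aware: a version on a branch that has no fixed release (for
    example 7.5.x, which lies between 7.4 and 7.13) is affected no matter
    how high its patch number is."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in _FIXED_BY_BRANCH:
        return patch >= _FIXED_BY_BRANCH[branch]
    if branch > _HIGHEST_FIXED_BRANCH:
        # Assumption: a release on a branch newer than any listed fix is not
        # "prior to the fixed versions" and so is treated as fixed.
        return True
    # Older than the lowest fixed branch, or an unlisted branch in between.
    return False


def triage(inventory: dict) -> dict:
    """Label every instance in {hostname: version} as patched or needing a patch."""
    return {
        host: ("patched" if is_fixed(version) else "needs patching")
        for host, version in inventory.items()
    }


if __name__ == "__main__":
    # Constructed inventory for illustration only.
    sample_inventory = {
        "wiki-a.example.internal": "7.13.7",
        "wiki-b.example.internal": "7.5.3",
        "wiki-c.example.internal": "7.18.0",
        "wiki-d.example.internal": "7.4.17",
    }
    for host, status in triage(sample_inventory).items():
        print(f"{host}: {status}")
```

The point of the branch map is that an instance can only be considered patched if it is at or above the fixed level on its own branch; anything else is treated as affected, which matches the advisory's wording.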