
CVE-2022-26134 - Critical Vulnerability in Confluence Server & Data Center

On Tuesday, May 31, 2022, Volexity responsibly disclosed a remote code execution (RCE) vulnerability to Atlassian affecting all supported versions of Confluence Server & Data Center. The Object-Graph Navigation Language (OGNL) injection vulnerability allows an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance.

Successful exploitation of this vulnerability allows a threat actor to establish persistence by loading a malicious file into memory, effectively acting as a webshell. In at least one instance, the threat actor deployed two webshells after obtaining initial access, one of which allows arbitrary file uploads.

Technical details shared by Atlassian for CVE-2022-26134 are limited at the moment.

Confluence Server and Data Center Impacted Products

Products: Confluence Server, Confluence Data Center

Affected Versions:

  • All supported versions (7.4-7.18) are affected.
  • Non-supported versions > 1.3.0 are also affected.

Fixed Versions:

  • 7.4.17
  • 7.13.7
  • 7.14.3
  • 7.15.2
  • 7.16.4
  • 7.17.4
  • 7.18.1

Note: Atlassian Cloud is not affected by this vulnerability

Recommendations

Recommendation #1: Apply the Available Updates or Upgrade to a Fixed Version of Confluence

Confluence released versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1 on June 3, 2022. We recommend applying the latest available release relevant to your Confluence instance or upgrading to a fixed version to mitigate CVE-2022-26134.
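
A version check built from the fixed-release list above, as an added example (not Arctic Wolf's or Atlassian's code). It goes slightly beyond the text by treating release lines newer than 7.18 as fixed, which is an assumption; the function names and the sample inventory are constructed for illustration.

```python
# Added example: triage Confluence versions against the fixed releases in this advisory.
import re

# Fixed releases from the advisory, keyed by (major, minor) release line.
FIXED = {(7, 4): 17, (7, 13): 7, (7, 14): 3, (7, 15): 2,
         (7, 16): 4, (7, 17): 4, (7, 18): 1}
NEWEST_FIXED_LINE = max(FIXED)        # (7, 18)
FIRST_AFFECTED_AFTER = (1, 3, 0)      # advisory: versions > 1.3.0 are affected


def parse_version(text):
    """Return (major, minor, patch) from strings such as '7.13.6' or '7.4'."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p or 0) for p in m.groups())


def triage(version):
    """Classify one version as 'affected', 'fixed' or 'not-listed'."""
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if (major, minor, patch) <= FIRST_AFFECTED_AFTER:
        return "not-listed"           # the advisory only covers versions > 1.3.0
    if line in FIXED:
        return "fixed" if patch >= FIXED[line] else "affected"
    if line > NEWEST_FIXED_LINE:
        return "fixed"                # assumption: later release lines ship the fix
    # Release line with no fixed build (7.5-7.12, or anything older than 7.4).
    # A plain numeric comparison against 7.4.17 would wrongly pass these.
    return "affected"


def report(inventory):
    """Map hostname -> status for a {hostname: version} inventory."""
    return {host: triage(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory for illustration only.
    sample = {"wiki-a": "7.13.6", "wiki-b": "7.13.7", "wiki-c": "7.12.5",
              "wiki-d": "7.4.17", "wiki-e": "6.15.10", "wiki-f": "7.18.0"}
    for host, status in sorted(report(sample).items()):
        print(f"{host}: {status}")
```

Hosts reported as affected on a release line without its own fixed build need an upgrade to one of the fixed versions rather than a patch within their line.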

Recommendation #2: Explore Applying Workaround from Atlassian

If you are unable to upgrade Confluence immediately, Atlassian has provided guidance on a temporary workaround. The workaround is version specific and requires downloading .jar and .class files to the Confluence server.

Review Atlassian’s guidance here to apply the workaround to your affected system(s):

Note: Arctic Wolf recommends following change management best practices for testing the workaround in a dev environment before deploying to production systems to avoid any operational impact.


About the Author

Sule Tatar is a Product Marketing Manager at Arctic Wolf, where she does research on security trends and brings groundbreaking cybersecurity products and services to market. She has extensive experience in the B2B cybersecurity space and holds a bachelor's degree in computer engineering and an MBA.
