CVE-2022-26134 – Critical Vulnerability in Confluence Server & Data Center

Share :

On Tuesday, May 31, 2022, Volexity responsibly disclosed a remote code execution (RCE) vulnerability to Atlassian affecting all supported versions of Confluence Server & Data Center. The Object-Graph Navigation Language (OGNL) injection vulnerability allows an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance.

Successful exploitation of this vulnerability allows a threat actor to establish persistence by loading a malicious file into memory effectively acting as a webshell. In at least one instance, the threat actor deployed two webshells after obtaining initial access, one of which allows arbitrary file uploads.

With technical details shared by Atlassian for CVE-2022-26134 are limited at the moment.

Confluence Server and Data Center Impacted Products

Product Affected Versions Fixed Versions
Confluence Server
  • All supported versions (7.4-7.18) are affected.
  • Non-supported versions > 1.3.0 are also affected.
  • 7.4.17
  • 7.13.7
  • 7.14.3
  • 7.15.2
  • 7.16.4
  • 7.17.4
  • 7.18.1
Confluence Data Center

Note: Atlassian Cloud is not affected by this vulnerability


Recommendation #1: Apply the Available Updates or Upgrade to a Fixed Version of Confluence

Confluence released versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1 on June 3, 2022. We recommend applying the latest available release relevant to your Confluence instance or upgrading to a fixed version to mitigate CVE-2022-26134.

Recommendation #2: Explore Applying Workaround from Atlassian

If you are unable to upgrade Confluence immediately, Atlassian has provided guidance on a temporary workaround. The workaround is version specific and requires downloading .jar and .class files to the Confluence server.

Review Atlassian’s guidance here to apply the workaround to your affected system(s):

Note: Arctic Wolf recommends following change management best practices for testing the workaround in a dev environment before deploying to production systems to avoid any operational impact.


Picture of Adrian Korn

Adrian Korn

Adrian Korn is a seasoned cyber security professional with 7+ years' experience in cyber threat intelligence, threat detection, and security operations. He currently serves as the Manager of Threat Intelligence Research at Arctic Wolf Labs. Adrian has been a guest speaker on intelligence related topics at numerous conferences around the world, including DEF CON's Recon Village, Hackfest, and the Australian OSINT Symposium.
Share :
Table of Contents
Subscribe to our Monthly Newsletter