CVE-2022-26134
0-DAY: Unauthenticated Remote Code Execution in Atlassian Confluence (CVE-2022-26134).
Updates
Version 0.1 - 03/06/2022 11:30h
Version 0.1.1 - Added more context. 03/06/2022 11:45h
Background - What is Confluence vulnerability CVE-2022-26134
Atlassian has released a security advisory to address a remote code execution vulnerability (CVE-2022-26134) affecting Confluence Server and Data Center products. An unauthenticated remote attacker could exploit this vulnerability to execute code remotely. Atlassian reports that there is known exploitation of this vulnerability.
Links
Atlassian: https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Mitigation / Patch
There are currently no fixed versions of Confluence Server and Data Center available. Atlassian is working with the highest priority to issue a fix. This advisory will be updated as additional details become available. Organizations that use Atlassian Cloud (accessible via atlassian.net) are unaffected by this vulnerability.
Atlassian is telling customers to make their servers inaccessible by one of these two methods:
- Restricting Confluence Server and Data Center instances from the internet.
- Disabling Confluence Server and Data Center instances.
Detect capabilities
This vulnerability affects all self-hosted instances (Confluence Server and Data Center). At the moment there is still no fix. If you use a WAF, you can block URLs that contain the sequence ${ as an interim measure.
Atlassian advisory: https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
YARA (by Volexity): https://github.com/volexity/threat-intel/blob/main/2022/2022-06-02%20Active%20Exploitation%20Of%20Confluence%200-day/indicators/yara.yar
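The same ${ check the advisory suggests for a WAF can be run retroactively over web-server access logs to find requests that would have been blocked. The script below is an added example written for this page, not code from Atlassian, Volexity or any WAF vendor. It assumes combined-format access-log lines (the sample lines are constructed for the example) and that the check should apply to the decoded request path, so it also decodes percent-encoded (%24%7B) and double-encoded forms before looking for ${.

```python
"""Flag access-log lines whose request path contains the `${` sequence."""
import re
from urllib.parse import unquote

# Constructed sample access-log lines in combined log format; not taken from any real server.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Jun/2022:10:00:01 +0000] "GET /login.action HTTP/1.1" 200 5120
203.0.113.11 - - [03/Jun/2022:10:00:02 +0000] "GET /${constructed-test}/ HTTP/1.1" 302 0
203.0.113.12 - - [03/Jun/2022:10:00:03 +0000] "GET /%24%7Bconstructed-test%7D/ HTTP/1.1" 302 0
203.0.113.13 - - [03/Jun/2022:10:00:04 +0000] "GET /pages/viewpage.action?pageId=42 HTTP/1.1" 200 8801
"""

# The request line is the first quoted field: method, path, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/[0-9.]+)"')


def path_has_expression_marker(path: str) -> bool:
    """Return True if the request path contains `${` in raw, URL-encoded or double-encoded form.

    Assumption (not stated on the page): a WAF matches on the decoded path, so the
    encoded variants are decoded before the check to mirror that behaviour.
    """
    candidates = {path, unquote(path), unquote(unquote(path))}
    return any("${" in candidate for candidate in candidates)


def scan_log(text: str) -> list[dict]:
    """Return one record per suspicious line: line number, client address and raw path."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # malformed or non-request line; skip rather than guess
        if path_has_expression_marker(match.group("path")):
            hits.append({"line": lineno, "client": line.split()[0], "path": match.group("path")})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['client']} requested {hit['path']}")
```

Run against a real log by replacing SAMPLE_LOG with the file contents; the two constructed lines containing ${ (raw and percent-encoded) are reported, the ordinary page requests are not. Decoding twice is a deliberate choice so that a double-encoded path does not slip past a check that only decodes once.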
Mitigations from vendors
Cloudflare | Mitigated by WAF | https://blog.cloudflare.com/cloudflare-customers-are-protected-from-the-atlassian-confluence-cve-2022-26134/
Polaris | Mitigated by WAF | https://polarisec.substack.com/p/all-polaris-customers-are-protected?sd=fs