1. Summary

Vulnerability Name: Atlassian Confluence Server and Data Center Remote Code Execution Vulnerability (CVE-2022-26134)
Component Name: Atlassian Confluence Server and Data Center
Affected Versions:
  1.3.0 ≤ Atlassian Confluence Server and Data Center < 7.4.17
  7.13.0 ≤ Atlassian Confluence Server and Data Center < 7.13.7
  7.14.0 ≤ Atlassian Confluence Server and Data Center < 7.14.3
  7.15.0 ≤ Atlassian Confluence Server and Data Center < 7.15.2
  7.16.0 ≤ Atlassian Confluence Server and Data Center < 7.16.4
  7.17.0 ≤ Atlassian Confluence Server and Data Center < 7.17.4
  7.18.0 ≤ Atlassian Confluence Server and Data Center < 7.18.1
Vulnerability Type: Remote Code Execution
Severity: CVSS v3 Base Score 9.8 (Critical)
Exploitability:
  Attack Vector: Network
  Attack Complexity: Low
  Privileges Required: None
  User Interaction: None
Impact:
  Confidentiality Impact: High
  Integrity Impact: High
  Availability Impact: High

2. About CVE-2022-26134

2.1 Introduction

Confluence is web-based corporate collaboration software developed by the Australian software company Atlassian. Confluence Server and Data Center is the on-premises version, hosted on the customer's own servers, which adds high availability with load balancing across nodes in a clustered setup.

2.2 Summary

On June 4, 2022, Sangfor FarSight Labs received a notice about a remote code execution vulnerability (CVE-2022-26134) in the Atlassian Confluence Server and Data Center, classified as critical with a CVSS Score of 9.8.

Atlassian has been made aware of current active exploitation of a critical unauthenticated remote code execution vulnerability in Confluence Data Center and Server. The OGNL injection vulnerability allows an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center to implant malware such as ransomware.

Multiple ransomware gangs have been found actively exploiting this vulnerability as of June 12, 2022.

3. Affected Versions

1.3.0 ≤ Atlassian Confluence Server and Data Center < 7.4.17
7.13.0 ≤ Atlassian Confluence Server and Data Center < 7.13.7
7.14.0 ≤ Atlassian Confluence Server and Data Center < 7.14.3
7.15.0 ≤ Atlassian Confluence Server and Data Center < 7.15.2
7.16.0 ≤ Atlassian Confluence Server and Data Center < 7.16.4
7.17.0 ≤ Atlassian Confluence Server and Data Center < 7.17.4
7.18.0 ≤ Atlassian Confluence Server and Data Center < 7.18.1

4. Solutions

4.1 Remediation Solutions

4.1.1 Check the Component Version

The version information can be viewed at the bottom of the Atlassian homepage.

4.1.2 Atlassian Solution

Users can update to the latest version of their affected products to fix the vulnerability at: https://www.atlassian.com/software/confluence/download-archives

4.1.3 Workaround

This temporary solution does not completely fix the issue. Users can decide whether to adopt the solution based on their business needs.

For Confluence 7.15.0 - 7.18.0

If you run Confluence in a cluster, you will need to repeat this process on each node.

  1. Shut down Confluence.
  2. Download the following file to the Confluence server:
  3. Delete the following JAR (or move it outside of the Confluence install directory): <confluence-install>/confluence/WEB-INF/lib/xwork-1.0.3-atlassian-8.jar
    • Note: Do not leave a copy of this old JAR in the directory.
  4. Copy the downloaded xwork-1.0.3-atlassian-10.jar into <confluence-install>/confluence/WEB-INF/lib/
  5. Check that the permissions and ownership on the new xwork-1.0.3-atlassian-10.jar file match the existing files in the same directory.
  6. Start Confluence.

For Confluence 6.0.0 - Confluence 7.14.2

If you run Confluence in a cluster, you will need to repeat this process on each node.

  1. Shut down Confluence.
  2. Download the following three files to the Confluence server:
  3. Delete the following JAR files (or move them out of the Confluence install directory):
    • <confluence-install>/confluence/WEB-INF/lib/xwork-1.0.3.6.jar
    • <confluence-install>/confluence/WEB-INF/lib/webwork-2.1.5-atlassian-3.jar
    • Note: Do not leave a copy of the old JARs in the directory.
  4. Copy the downloaded xwork-1.0.3-atlassian-10.jar into <confluence-install>/confluence/WEB-INF/lib/
  5. Copy the downloaded webwork-2.1.5-atlassian-4.jar into <confluence-install>/confluence/WEB-INF/lib/
  6. Check that the permissions and ownership on both new files match the existing files in the same directory.
  7. Change to directory <confluence-install>/confluence/WEB-INF/classes/com/atlassian/confluence/setup
    • a. Create a new directory called webwork
    • b. Copy CachedConfigurationProvider.class into <confluence-install>/confluence/WEB-INF/classes/com/atlassian/confluence/setup/webwork
    • c. Ensure the permissions and ownership are correct for:
      • <confluence-install>/confluence/WEB-INF/classes/com/atlassian/confluence/setup/webwork
      • <confluence-install>/confluence/WEB-INF/classes/com/atlassian/confluence/setup/webwork/CachedConfigurationProvider.class
  8. Start Confluence.
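
The end state that both workaround procedures above should leave on each node can be verified with a short script before Confluence is started again. This is an added example, not part of Atlassian's or Sangfor's material; the function names, the `new`/`old` variant labels and the choice of reference JAR for the ownership comparison are assumptions of this example.

```sh
#!/bin/sh
# Added example: checks one node against the workaround's end state.
# Usage: check_workaround <confluence-install> <new|old>
#   new = Confluence 7.15.0 - 7.18.0, old = Confluence 6.0.0 - 7.14.2

# Mode string plus numeric owner and group of a path.
perm_of() { ls -lnd "$1" | awk '{print $1, $3, $4}'; }

check_workaround() {
  root=$1; variant=$2; rc=0; ref=""
  lib="$root/confluence/WEB-INF/lib"
  cls="$root/confluence/WEB-INF/classes/com/atlassian/confluence/setup/webwork"
  case "$variant" in
    new) old_jars="xwork-1.0.3-atlassian-8.jar"
         new_jars="xwork-1.0.3-atlassian-10.jar" ;;
    old) old_jars="xwork-1.0.3.6.jar webwork-2.1.5-atlassian-3.jar"
         new_jars="xwork-1.0.3-atlassian-10.jar webwork-2.1.5-atlassian-4.jar" ;;
    *)   echo "unknown variant: $variant" >&2; return 2 ;;
  esac
  # Old JARs must be gone, including renamed copies such as *.jar.bak.
  for f in $old_jars; do
    for j in "$lib/${f%.jar}"*; do
      if [ -e "$j" ]; then echo "FAIL old JAR or copy in lib: $j"; rc=1; fi
    done
  done
  # Reference for mode/owner: first JAR in lib that is not one of the new ones
  # (assumption: any pre-existing JAR stands for "the existing files").
  for j in "$lib"/*.jar; do
    case " $new_jars " in *" ${j##*/} "*) continue ;; esac
    if [ -f "$j" ]; then ref=$j; break; fi
  done
  for f in $new_jars; do
    if [ ! -f "$lib/$f" ]; then
      echo "FAIL missing: $lib/$f"; rc=1
    elif [ -n "$ref" ] && [ "$(perm_of "$lib/$f")" != "$(perm_of "$ref")" ]; then
      echo "FAIL mode/owner differs from ${ref##*/}: $lib/$f"; rc=1
    fi
  done
  # The older line also needs the replacement class in setup/webwork.
  if [ "$variant" = old ] && [ ! -f "$cls/CachedConfigurationProvider.class" ]; then
    echo "FAIL missing: $cls/CachedConfigurationProvider.class"; rc=1
  fi
  if [ "$rc" -eq 0 ]; then echo "OK: $root ($variant)"; fi
  return "$rc"
}

# Run against a real install when called with arguments.
if [ "$#" -ge 2 ]; then check_workaround "$1" "$2"; fi
```

In a cluster, run it on every node; a non-zero exit status means at least one step of the procedure was missed on that node.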

4.2 Sangfor Solutions

4.2.1 Active Detection

The following Sangfor products and services actively detect assets affected by the Atlassian Confluence Server and Data Center remote code execution vulnerability (CVE-2022-26134):

4.2.2 Security Monitoring

The following Sangfor products and services perform real-time monitoring of assets affected by the Atlassian Confluence Server and Data Center remote code execution vulnerability (CVE-2022-26134):

4.2.3 Security Protection

The following Sangfor products and services provide protection against the Atlassian Confluence Server and Data Center remote code execution vulnerability (CVE-2022-26134):

5. Timeline

On June 4, 2022, Sangfor FarSight Labs received a notice about the Atlassian Confluence Server and Data Center remote code execution vulnerability (CVE-2022-26134).

On June 4, 2022, Sangfor FarSight Labs released a vulnerability alert with remediation solutions.

6. Reference

https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html

https://nvd.nist.gov/vuln/detail/cve-2022-26134

7. Learn More

Sangfor FarSight Labs researches the latest cyberthreats and unknown zero-day vulnerabilities, alerting customers to potential dangers to their organizations, and providing real-time solutions with actionable intelligence. Sangfor FarSight Labs works with other security vendors and the security community at large to identify and verify global cyberthreats, providing fast and easy protection for customers.
