Security Advisory: CVE-2022-26134 RCE in multiple Atlassian products
On Jun 2nd Lacework Labs was made aware of CVE-2022-26134, a critical unauthenticated remote code execution vulnerability within Atlassian’s Confluence Server and Data Center products. This vulnerability was originally discovered and reported to Atlassian by Volexity, during an incident response investigation. While Atlassian reported active exploitation in the wild, there is currently no publicly available exploit.
At the time of this writing, CVE-2022-26134 does not have an official CVSS rating, but it is expected to be high given the impact of the vulnerability. What makes this particular vulnerability even more concerning is the lack of a patch at the time of reporting. According to Atlassian’s security advisory:
“There are currently no fixed versions of Confluence Server and Data Center available. Atlassian is working with the highest priority to issue a fix. This advisory will be updated as additional details become available.” – Atlassian
Lacework Labs is actively monitoring its sensor network for opportunistic attackers leveraging the vulnerability and is integrating the appropriate IoCs into the Lacework product. The image below shows the total number of public-facing Confluence servers discoverable via Shodan.
Confluence Coverage via Shodan
Known Affected Software
- All supported versions of Confluence Server
- All supported versions of Confluence Data Center
Atlassian has released a fix for this vulnerability. Please follow Atlassian’s official security advisory listed here to patch vulnerable hosts.