Critical Security Advisory: Confluence Vulnerability in Server and DC

Confluence vulnerability in Server and Data Center – CVE-2022-26134 – Critical severity unauthenticated remote code execution vulnerability

Summary: CVE-2022-26134 – Critical severity unauthenticated remote code execution vulnerability in Confluence Server and Data Center
Advisory Release Date: 1 PM PDT (Pacific Time, UTC-7)
Affected Products:
  • Confluence Server
  • Confluence Data Center
Affected Versions: At the present time Atlassian has confirmed that all supported versions of Confluence Server and Data Center are affected.
Fixed Versions:
  • 7.4.17
  • 7.13.7
  • 7.14.3
  • 7.15.2
  • 7.16.4
  • 7.17.4
  • 7.18.1
CVE ID(s): CVE-2022-26134

Summary of Vulnerability

Atlassian has been made aware of active, in-the-wild exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server. Further details about the vulnerability are being withheld until a fix is available.

Atlassian expects that security fixes for supported versions of Confluence will begin to be available for customer download within 24 hours (estimated time, by EOD June 3 PDT).

Atlassian Cloud sites are protected

If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable. Atlassian's investigations have not found any evidence of exploitation of Atlassian Cloud.

Fix

Atlassian has taken the following steps to address this issue:

  • Released versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1 which contain a fix for this issue.

What You Need to Do

Atlassian recommends that you upgrade to the latest Long Term Support release. For a full description of the latest version, see the Confluence Server and Data Center Release Notes. You can download the latest version from the download centre.
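To turn the fixed-version list above into a quick inventory check, here is an added triage helper (not Atlassian's code): it compares each deployed Confluence Server/DC version against the fixed build on its own release line and flags what still needs an upgrade. It assumes the advisory's list is complete, and treats any release line newer than 7.18 as fixed only by assumption, to be confirmed against the release notes.

```python
"""Triage helper for CVE-2022-26134 (Confluence Server / Data Center).

Added example, not Atlassian's code. Encodes the fixed versions from the
advisory; any version below the fixed build on its release line, or on a
line with no fixed build (e.g. 7.5 to 7.12), is reported as affected.
"""

# Fixed versions exactly as published in the advisory, keyed by (major, minor).
FIXED_VERSIONS = {
    (7, 4): (7, 4, 17),
    (7, 13): (7, 13, 7),
    (7, 14): (7, 14, 3),
    (7, 15): (7, 15, 2),
    (7, 16): (7, 16, 4),
    (7, 17): (7, 17, 4),
    (7, 18): (7, 18, 1),
}
NEWEST_FIXED_LINE = max(FIXED_VERSIONS)  # (7, 18)


def parse_version(text):
    """Parse 'major.minor.patch' into an int tuple; a '-suffix' is ignored."""
    parts = text.strip().split("-")[0].split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version):
    """Return (status, recommendation) for one Confluence Server/DC version."""
    v = parse_version(version)
    line = (v[0], v[1])
    if line in FIXED_VERSIONS:
        fixed = FIXED_VERSIONS[line]
        if v >= fixed:
            return "fixed", "no action for CVE-2022-26134"
        return "affected", "upgrade to %d.%d.%d or later" % fixed
    if line > NEWEST_FIXED_LINE:
        # Assumption: lines newer than 7.18 post-date the fix; confirm in release notes.
        return "assumed-fixed", "newer than the advisory's fixed lines; confirm in release notes"
    # Lines with no fixed build (all older lines, including 7.5-7.12) must move to a fixed line.
    return "affected", "no fixed build on this line; upgrade to a fixed release (LTS recommended)"


def triage(inventory):
    """Assess (hostname, version) pairs, e.g. from a CMDB export."""
    return [(host, ver, *assess(ver)) for host, ver in inventory]


if __name__ == "__main__":
    # Constructed sample inventory for demonstration.
    sample = [("wiki-01", "7.13.6"), ("wiki-02", "7.13.7"), ("wiki-03", "7.12.5")]
    for row in triage(sample):
        print(*row, sep="\t")
```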

Mitigation

If you are unable to upgrade Confluence immediately, then as a temporary workaround, you can mitigate the CVE-2022-26134 issue by updating files for the specific version of the product.

The temporary mitigation steps, listing the files to update for each affected version, are published in Atlassian's advisory.

Need Help With This?

Give us a call, or submit a help request here. As an Atlassian Platinum Solution Partner, we’re here to help you keep all your Atlassian products running smoothly.

Atlassian tracking issue: CONFSERVER-79000