Confluence vulnerability in Server and Data Center – CVE-2022-26134 – Critical severity unauthenticated remote code execution vulnerability
CVE-2022-26134 – Critical severity unauthenticated remote code execution vulnerability in Confluence Server and Data Center
| Advisory Release Date | 1 PM PDT (Pacific Time, -7 hours) |
| Affected Versions | At the present time Atlassian has confirmed that all supported versions of Confluence Server and Data Center are affected. |
Summary of Vulnerability
Atlassian has been made aware of current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server. Further details about the vulnerability are being withheld until a fix is available.
Atlassian expects that security fixes for supported versions of Confluence will begin to be available for customer download within 24 hours (estimated time, by EOD June 3 PDT).
Atlassian Cloud sites are protected
If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable. Our investigations have not found any evidence of exploitation of Atlassian Cloud.
Atlassian has taken the following steps to address this issue:
- Released versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1 which contain a fix for this issue.
What You Need to Do
Atlassian recommends that you upgrade to the latest Long Term Support release. For a full description of the latest version, see the Confluence Server and Data Center Release Notes. You can download the latest version from the download centre.
If you are unable to upgrade Confluence immediately, then as a temporary workaround you can mitigate CVE-2022-26134 by updating specific files for the version of the product you are running.
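The practical first step for an operator is to work out whether each Confluence instance is already on one of the fixed releases listed above, and the comparison has to be done per release branch (7.13.6 is affected although it is numerically "higher" than 7.4.17). The following is an added example, not code from Atlassian or from this advisory; the fixed-version list is taken from the advisory, while the function names, the result labels and the inventory entries are this example's own constructed assumptions.

```python
"""Classify Confluence Server / Data Center versions against the fixed
releases listed in the CVE-2022-26134 advisory (added example; the only
data taken from the advisory is FIXED_VERSIONS)."""
from __future__ import annotations

# Fixed releases from the advisory, keyed by (major, minor) release branch.
FIXED_VERSIONS: dict[tuple[int, int], tuple[int, int, int]] = {
    (7, 4): (7, 4, 17),
    (7, 13): (7, 13, 7),
    (7, 14): (7, 14, 3),
    (7, 15): (7, 15, 2),
    (7, 16): (7, 16, 4),
    (7, 17): (7, 17, 4),
    (7, 18): (7, 18, 1),
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'major.minor[.patch]' into a tuple; a missing patch counts as 0."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Confluence version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def assess(text: str) -> str:
    """Return 'fixed', 'affected' or 'unlisted-branch' for one version string.

    'unlisted-branch' means the advisory names no fixed release for that
    release line (for example an unsupported branch), so the instance still
    needs to be moved to one of the listed releases.
    """
    major, minor, patch = parse_version(text)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return "unlisted-branch"
    return "fixed" if (major, minor, patch) >= fixed else "affected"


def instances_needing_action(inventory: list[tuple[str, str]]) -> list[tuple[str, str, str]]:
    """Given (hostname, version) pairs, return those not on a fixed release,
    as (hostname, version, assessment), so they can be scheduled for upgrade
    or for the interim file-replacement workaround."""
    results = []
    for host, version in inventory:
        verdict = assess(version)
        if verdict != "fixed":
            results.append((host, version, verdict))
    return results


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("wiki-prod.example.internal", "7.13.7"),
    ("wiki-stage.example.internal", "7.13.6"),
    ("wiki-legacy.example.internal", "7.12.5"),
    ("wiki-dev.example.internal", "7.18.1"),
]

if __name__ == "__main__":
    for host, version, verdict in instances_needing_action(SAMPLE_INVENTORY):
        print(f"{host}\t{version}\t{verdict}")
```

The branch-aware comparison is the point: a plain string or numeric sort of version numbers would wrongly clear 7.13.6 because it sorts above 7.4.17. Instances on a branch the advisory does not list are reported separately rather than silently treated as safe.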
Need Help With This?
Give us a call, or submit a help request here. As an Atlassian Platinum Solution Partner, we’re here to help you keep all your Atlassian products running smoothly.