
===================================================================

                      CERT-Renater

                      Note d'Information No. 2022/VULN198

_____________________________________________________________________

DATE                : 03/06/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Confluence Server,
                            Confluence Data Center.

====================================================================

https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
_____________________________________________________________________


  Confluence Security Advisory 2022-06-02



Confluence Server and Data Center - CVE-2022-26134 - Critical
severity unauthenticated remote code execution vulnerability


Update: This advisory has been updated since its original
publication.

Specific updates include:

03 Jun 2022

     Clarifying the affected versions

     Adding a WAF rule to the What You Need to Do section

     Adding an estimated timeframe for fixes to be available

Summary
CVE-2022-26134 - Critical severity unauthenticated remote
code execution vulnerability in Confluence Server and Data
Center

Advisory Release Date
02 Jun 2022 1 PM PDT (Pacific Time, -7 hours)

Affected Products
     Confluence

         Confluence Server

         Confluence Data Center

Affected Versions
     At the present time we have confirmed that all
supported versions of Confluence Server and Data Center
are affected.
     It’s likely that all versions of Confluence Server
and Data Center are affected, but we have yet to confirm
the earliest affected version.

This advisory will be updated as additional details become
available.


Fixed Versions
There are currently no fixed versions of Confluence Server
and Data Center available. Atlassian is working with the
highest priority to issue a fix.

This advisory will be updated as additional details become
available.

CVE ID(s)

CVE-2022-26134


Summary of Vulnerability

Atlassian has been made aware of current active exploitation
of a critical severity unauthenticated remote code execution
vulnerability in Confluence Data Center and Server. Further
details about the vulnerability are being withheld until a
fix is available.

We expect that security fixes for supported versions of
Confluence will begin to be available for customer download
within 24 hours (estimated time, by EOD June 3 PDT).


Atlassian Cloud sites are protected

If your Confluence site is accessed via an atlassian.net
domain, it is hosted by Atlassian and is not vulnerable.
Our investigations have not found any evidence of exploitation
of Atlassian Cloud.


Severity

Atlassian rates the severity level of this vulnerability
as critical, according to the scale published in our
Atlassian severity levels. The scale allows us to rank the
severity as critical, high, moderate or low.

This is our assessment and you should evaluate its
applicability to your own IT environment.


What You Need to Do

There are currently no fixed versions of Confluence Server
and Data Center available. In the interim, customers should
work with their security team to consider the best course of
action. Options to consider include:

     Restricting access to Confluence Server and Data Center
instances from the internet.

     Disabling Confluence Server and Data Center instances.

If you are unable to take the above actions, implementing a
WAF (Web Application Firewall) rule that blocks URLs
containing ${ may reduce your risk.
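The same match the advisory suggests for a WAF rule (the "${" sequence in a request URL) can also be run over existing web server access logs to find requests that already reached an instance before the rule was in place. The following is an added example and not code from Atlassian or CERT-Renater; it assumes the Combined Log Format used by common web servers and reverse proxies, and the log lines it scans are constructed samples rather than real traffic. The request path is checked both raw and URL-decoded, so a percent-encoded form of the sequence is not missed.

```python
"""Flag HTTP requests whose URL contains the "${" sequence, the pattern the
advisory suggests blocking at the WAF while no fixed version is available.

Added example, not Atlassian's or CERT-Renater's code. Assumes the Combined
Log Format; SAMPLE_LOG below is constructed data, not captured traffic.
"""
import re
from urllib.parse import unquote

# Combined Log Format: client ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# The sequence named in the advisory's interim WAF recommendation.
MARKER = "${"


def request_url_is_suspicious(path: str) -> bool:
    """Return True if the request path contains '${' in raw or decoded form.

    The path is decoded once and twice so that percent-encoded variants are
    matched as well as the literal sequence.
    """
    candidates = {path, unquote(path), unquote(unquote(path))}
    return any(MARKER in candidate for candidate in candidates)


def scan_access_log(lines):
    """Return (client, time, path) for every parseable request that matches.

    Lines that do not fit the expected log layout are skipped rather than
    treated as errors, so a partially rotated or truncated file still scans.
    """
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        if request_url_is_suspicious(match["path"]):
            hits.append((match["client"], match["time"], match["path"]))
    return hits


# Constructed sample lines (not real traffic): two benign requests, one with
# the literal sequence, one with the same sequence percent-encoded, one junk.
SAMPLE_LOG = [
    '203.0.113.10 - - [02/Jun/2022:14:01:07 +0000] "GET /display/HOME HTTP/1.1" 200 5123',
    '203.0.113.11 - - [02/Jun/2022:14:01:09 +0000] "GET /${example}/ HTTP/1.1" 302 0',
    '203.0.113.12 - - [02/Jun/2022:14:01:12 +0000] "GET /%24%7Bexample%7D/ HTTP/1.1" 302 0',
    '203.0.113.13 - - [02/Jun/2022:14:01:15 +0000] "POST /rest/api/content HTTP/1.1" 200 88',
    "not a log line",
]

if __name__ == "__main__":
    for client, when, path in scan_access_log(SAMPLE_LOG):
        print(f"{when} {client} {path}")
```

Run against a real access log by replacing SAMPLE_LOG with the file's lines; every hit is a request worth reviewing, since the advisory states the vulnerability is being actively exploited and the only sign of exposure before a fix is available is in traffic that already arrived.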

This advisory will be updated as fixes become available.


Acknowledgements

We would like to thank Volexity for identifying this
vulnerability.


Support

If you did not receive an email for this advisory and
wish to receive such emails in the future, please go to
https://my.atlassian.com/email and subscribe to Alerts emails.

If you have questions or concerns regarding this advisory,
please raise a support request at
https://support.atlassian.com/.


References

Security Bug fix Policy

As per our new policy, critical security bug fixes will
be backported in accordance with
https://www.atlassian.com/trust/security/bug-fix-policy.
We will release new maintenance releases for the versions
covered by the policy instead of binary patches.

Binary patches are no longer released.


Severity Levels for security issues

Atlassian security advisories include a severity level
and a CVE identifier. This severity level is based on
our self-calculated CVSS score for each specific
vulnerability. CVSS is an industry standard
vulnerability metric. You can also learn more about
CVSS at FIRST.org.


End of Life Policy

  Our end of life policy varies for different products.
Please refer to our EOL Policy for details.


Last modified on Jun 3, 2022

=======================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=======================================================
