Atlassian: There is a critical RCE flaw in Confluence, block internet access ASAP [Update]


If you are an IT admin or a security professional whose organization uses Confluence, you might want to immediately check out Atlassian's security advisory here. The vendor has highlighted a critical vulnerability in its Confluence Server and Data Center products that could lead to unauthenticated remote code execution (RCE).

All supported versions of Confluence Server and Data Center are impacted, and it is likely that unsupported versions are affected too. That said, if your Confluence is hosted on Atlassian Cloud (accessed via an atlassian.net domain), you are in luck, as that infrastructure is secured.

It is important to note that this has been assigned the highest possible severity level by Atlassian, and IT admins and security teams have been urged to take action as soon as possible. Until a patch becomes available, the company has recommended that internet access to both products be restricted and that instances of Confluence Server and Data Center be disabled completely. If this is not possible, the next-best step is to implement a Web Application Firewall (WAF) rule that blocks URLs containing the "${" string. While this would not secure your infrastructure, it will reduce the risk of a successful exploit.

The full extent of the potential damage that can be caused by a successful exploit is currently unknown, and so is the attack process and details of the flaw itself. But this makes sense because a patch is not out yet. Disclosing this information publicly right now would further increase the danger of a widespread cyberattack.

Atlassian has said that it is working on a fix at the highest priority and expects to roll out a patch by the end of day on June 3, Pacific Time. The issue is being tracked as CVE-2022-26134.


Update: True to its word, Atlassian has now rolled out a fix in the following versions of Confluence Server:

  • 7.4.17
  • 7.13.7
  • 7.14.3
  • 7.15.2
  • 7.16.4
  • 7.17.4
  • 7.18.1

Atlassian has also revealed some more details about the vulnerability in question, noting that:

Atlassian has been made aware of current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server. The OGNL injection vulnerability allows an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance.

All versions of Confluence Server and Data Center prior to the fixed versions listed above are affected by this vulnerability.

Affected customers have been contacted and the advisory has been updated with more details about mitigation steps and what to do next, so do check it out here.
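For admins working through an inventory of self-hosted instances, the fixed-version list above can be turned into a simple patch-status check. The script below is an added example written for this article, not Atlassian's own tooling; the hostnames and versions in the sample inventory are constructed, and the status labels are this script's own.

```python
"""Check Confluence Server / Data Center versions against the fixed releases
Atlassian listed for CVE-2022-26134 (the versions given in this article)."""

# Fixed releases from the advisory update, one per release branch.
FIXED_VERSIONS = ["7.4.17", "7.13.7", "7.14.3", "7.15.2",
                  "7.16.4", "7.17.4", "7.18.1"]


def parse_version(v):
    """Turn '7.13.7' into (7, 13, 7); rejects anything but MAJOR.MINOR.PATCH."""
    parts = tuple(int(p) for p in v.strip().split("."))
    if len(parts) != 3:
        raise ValueError(f"expected MAJOR.MINOR.PATCH, got {v!r}")
    return parts


# Map a release branch (major, minor) to the first fixed version on it.
FIXED = {parse_version(v)[:2]: parse_version(v) for v in FIXED_VERSIONS}


def patch_status(version):
    """Return 'fixed', 'vulnerable' or 'not-in-list' for a version string.

    Per the advisory, every version prior to the fixed releases is affected,
    so a branch with no fixed release (e.g. 7.12.x) is 'vulnerable' and must
    move to a fixed branch. Versions newer than the last listed fix are
    'not-in-list': this article does not cover them, so check the advisory.
    """
    v = parse_version(version)
    fixed_on_branch = FIXED.get(v[:2])
    if fixed_on_branch is not None:
        return "fixed" if v >= fixed_on_branch else "vulnerable"
    if v < max(FIXED.values()):
        return "vulnerable"
    return "not-in-list"


def triage(inventory):
    """inventory: {hostname: version}. Returns {status: sorted hostnames}."""
    out = {"fixed": [], "vulnerable": [], "not-in-list": []}
    for host, ver in sorted(inventory.items()):
        out[patch_status(ver)].append(host)
    return out


if __name__ == "__main__":
    # Constructed sample inventory for illustration only.
    sample = {"wiki-01": "7.13.5", "wiki-02": "7.13.7", "wiki-03": "7.4.11",
              "wiki-04": "7.18.1", "wiki-05": "7.12.3", "wiki-06": "7.19.0"}
    for status, hosts in triage(sample).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```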
