Critical zero-day vulnerability in Atlassian Confluence Server and Confluence Data Center

Software company Atlassian issued an advisory on 2 June concerning a previously unknown critical vulnerability (CVE-2022-26134), a so-called zero-day. The vulnerability affects all supported versions of Atlassian Confluence Server and Confluence Data Center. According to Atlassian, Atlassian Cloud is not affected. NCSC-NL published an advisory, rating the vulnerability as High/High. No patch is currently available.

The vulnerability allows an unauthenticated actor to remotely execute code and access sensitive information within the scope of the system. It is likely that all versions are vulnerable, although Atlassian still needs to identify the earliest affected version. Proof-of-concept code is not publicly available. 

The vulnerability is easily exploitable according to Volexity, the security company behind the discovery. Limited exploitation has also been confirmed by Volexity.

Mitigation measures

Atlassian is working to make patches available within 24 hours for supported versions (EOD June 3 PDT). NCSC-NL advises implementing these updates immediately upon availability. In the meantime, Atlassian has advised other mitigation measures to limit overall risk: restrict access to Confluence Server and Data Center instances from the internet, or disable Confluence Server and Data Center instances altogether until a patch has been made available. If this is not possible, a Web Application Firewall (WAF) rule could be implemented to block URLs containing ${, which may reduce risk. Network monitoring is also advisable. Volexity has shared IOCs and YARA rules.

NCSC-NL advises following these mitigation measures to the extent possible. Organisations will need to make their own assessment of the impact this may have on their operational processes. NCSC-NL will continue to monitor the situation and publish further relevant information on this website.
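
A log check that mirrors the WAF rule and network monitoring mentioned above, as an added example that is not part of the original advisory or of Atlassian's or Volexity's material: it flags requests whose URL contains ${ either literally or percent-encoded. The combined access-log format, the decoding depth and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request line inside a combined-format access log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')
MARKER = "${"
MAX_DECODE_ROUNDS = 3  # assumption: covers single and double percent-encoding


def contains_marker(target: str) -> bool:
    """True if the request target contains ${ literally or after percent-decoding."""
    current = target
    for _ in range(MAX_DECODE_ROUNDS + 1):
        if MARKER in current:
            return True
        decoded = unquote(current)
        if decoded == current:  # nothing left to decode
            return False
        current = decoded
    return False


def flag_requests(log_lines):
    """Return (line_number, source_ip, target) for each request a ${ rule would match."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a parsable request line; skip rather than guess
        if contains_marker(match.group("target")):
            source_ip = line.split(" ", 1)[0]
            hits.append((number, source_ip, match.group("target")))
    return hits


# Constructed sample lines (documentation IP ranges, placeholder paths, no real payloads).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Jun/2022:10:00:01 +0000] "GET /dashboard.action HTTP/1.1" 200 512',
    '198.51.100.7 - - [03/Jun/2022:10:00:02 +0000] "GET /${placeholder}/ HTTP/1.1" 302 0',
    '198.51.100.7 - - [03/Jun/2022:10:00:03 +0000] "GET /%24%7Bplaceholder%7D/ HTTP/1.1" 302 0',
    '203.0.113.5 - - [03/Jun/2022:10:00:04 +0000] "GET /%2524%257Bplaceholder%257D/ HTTP/1.1" 404 0',
    '192.0.2.10 - - [03/Jun/2022:10:00:05 +0000] "GET /pages/viewpage.action?pageId=1 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, ip, target in flag_requests(SAMPLE_LOG):
        print(f"line {number}: {ip} requested {target}")
```

A match shows only that a request would have hit the ${ rule; whether it succeeded has to be judged from the response and from host-level evidence.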