Confluence is vulnerable to remote code execution. Atlassian urges users to disable the software until the patch is ready.

The vulnerability was discovered by security company Volexity. Atlassian confirmed the problem on 2 June. At the time of writing, the patch is yet to be released. The vulnerability is actively being exploited by cybercriminals. Hence, Atlassian called upon all users to disable Confluence. The organization expects to publish the patch before the end of the day (June 3).

Confluence is a collaboration tool for IT service providers. The vulnerability (CVE-2022-26134) allows attackers to execute code on Confluence servers. The web directories of some Confluence servers are public, allowing cybercriminals to insert malicious webshells.

Present since 2013

Atlassian initially believed that the vulnerability was limited to Confluence Server 7.18, the most recent version. Further investigation revealed that every version since 1.3.5 is vulnerable. Version 1.3.5 was launched in 2013. No one knows exactly how many times the vulnerability has been exploited since then. Researchers have evidence of some attacks, but the scale is likely much larger.

Workaround

The vulnerability can only be exploited on servers with an internet connection. There are three ways to resolve the issue. You can either cut the internet connection of all Confluence servers, or switch the servers off completely. The final option is a patch, but that might take a while. As mentioned before, Atlassian expects to publish the patch before the end of the day. We’re entering the weekend, so some organizations will opt for downtime.

Difficult period

Atlassian is unable to catch its breath. Earlier this year, the organization blundered during maintenance of Jira, Confluence and Opsgenie Cloud. Atlassian made a script error, which resulted in roughly 400 customers losing access to their software for weeks. The problem was solved, but Atlassian’s reputation will take longer to recover. The new vulnerability in Confluence adds fuel to the fire.