bitvoodoo Advisories

Date: 2 June 2022
Product:
  • Confluence Server
  • Confluence Data Center
Vulnerability: Critical
CVE: CVE-2022-26134
Official link: Confluence Security Advisory 2022-06-02

Confluence Security Advisory - Critical severity unauthenticated remote code execution vulnerability - CVE-2022-26134

Dear customer,

On 2 June 2022 at 10 PM CEST, Atlassian issued a Security Advisory for Confluence Server and Data Center. The Cloud versions of the applications, as well as other Atlassian products, are not affected.

What you need to know

Atlassian has been made aware of current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server. Further details about the vulnerability are being withheld until a fix is available. At the time of writing there is no public proof of concept for this vulnerability, so the attack vector is not broadly available to the public.

Atlassian is actively working on a patch for impacted versions and will update the advisory with estimates for completion.

Affected Versions

All versions of Confluence Server and Data Center.

Confluence

  • At present, all supported versions.

  • It is likely that all versions of Confluence Server and Data Center are affected, but Atlassian has yet to confirm the earliest affected version.

Fixed Versions

Confluence

There are currently no fixed versions of Confluence Server and Data Center available. Atlassian is working with the highest priority to issue a fix.

This advisory will be updated as additional details become available.

What should I do?

You use Confluence Server or Data Center 

Update

Currently there is no fixed version; as soon as Atlassian releases a new version, we will update this page.


Workaround

There are currently no fixed versions of Confluence Server and Data Center available. In the interim, customers should work with their security team to consider the best course of action. Options to consider include:

  • Restricting access to Confluence Server and Data Center instances from the internet.
  • Disabling Confluence Server and Data Center instances.

If you are unable to take the above actions, implementing a WAF (Web Application Firewall) rule that blocks URLs containing ${ may reduce your risk.
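As an added illustration (this is not code from the Atlassian advisory or from bitvoodoo), the following Python filter shows what the suggested WAF rule amounts to when applied to raw HTTP request lines, and why a rule that matches only the literal ${ is weaker than one that percent-decodes the URL first: the same two characters can be sent as %24%7B. The request lines and the ${example} marker are constructed for illustration and do not reflect the withheld vulnerability details; the decode depth and the decision to decode repeatedly are assumptions of this example, not something the advisory specifies.

```python
"""
Added example (not part of the advisory): a minimal request filter that
implements the interim WAF rule "block URLs containing ${".

Assumptions made by this example (not stated in the advisory):
- We inspect the raw request target (path + query) from the request line,
  before the application server decodes it.
- A rule matching only the literal "${" is bypassed by percent-encoding
  ("%24%7B"), so the target is percent-decoded, repeatedly but bounded,
  before matching. This is deliberately conservative for an interim rule.
"""
from urllib.parse import unquote

MARKER = "${"
MAX_DECODE_ROUNDS = 3  # assumed bound; guards against double/triple encoding


def normalize_target(target: str) -> str:
    """Percent-decode the request target until it stops changing (or the
    round limit is hit), so encoded forms of "${" are compared decoded."""
    current = target
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def should_block(target: str) -> bool:
    """True if the request target contains "${" after decoding."""
    return MARKER in normalize_target(target)


def filter_request_lines(lines):
    """Split raw request lines ("GET /path HTTP/1.1") into (allowed, blocked)
    according to should_block(). Lines without a request target are skipped."""
    allowed, blocked = [], []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue  # not a request line; nothing to inspect
        target = parts[1]
        (blocked if should_block(target) else allowed).append(line)
    return allowed, blocked


# Constructed sample request lines (illustrative, not captured traffic).
SAMPLE_REQUEST_LINES = [
    "GET /display/SPACE/Home HTTP/1.1",
    "GET /rest/api/content?title=Release%20notes HTTP/1.1",
    "GET /${example}/ HTTP/1.1",                # literal marker
    "GET /%24%7Bexample%7D/ HTTP/1.1",          # single percent-encoding
    "GET /%2524%257Bexample%257D/ HTTP/1.1",    # double-encoded; a literal-only rule misses this
]

if __name__ == "__main__":
    allowed, blocked = filter_request_lines(SAMPLE_REQUEST_LINES)
    for line in blocked:
        print("BLOCK ", line)
    for line in allowed:
        print("ALLOW ", line)
```

Deploy the equivalent rule in the WAF actually in front of Confluence rather than in application code; the point of the example is that the match must run on the decoded request target, and that blocking "${" is a stopgap until a fixed version is installed, not a substitute for it.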

This advisory will be updated as fixes become available.

You use Jira Software, Jira Service Management or Jira Work Management Cloud

You are not affected by this Security Advisory.

No need for action.


You use Confluence Server or Data Center operated by bitvoodoo

Update

Currently there is no fixed version; as soon as Atlassian releases a new version, we will update this page and inform affected customers.

Customers with an LTS Update Package will get an update to the latest LTS release free of charge.


Workaround

Unless you ask us to keep Confluence up and running, we will shut it down on 3 June 2022 at 2 PM CEST.
