Confluence Zero-Day Vulnerability Explained (CVE-2022-26134)

A new zero-day vulnerability is here. Read the latest blog to see if you’re at risk!

Andrés Peña

June 3, 2022

What happened?

Volexity, a cybersecurity firm, investigated an incident involving web servers running Atlassian Confluence Server software and determined that one of them had been compromised through an exploit that achieved remote code execution. Following the evidence gathered during the analysis, the researchers were able to replicate the incident, identifying a zero-day vulnerability labeled CVE-2022-26134.

In response, Atlassian released a security advisory today stating that CVE-2022-26134 is a critical unauthenticated vulnerability that impacts both the Confluence Server and Data Center products.

Although no public proofs of concept are available yet, Volexity indicated that the threat actors were able to deploy BEHINDER, a JSP (Java Server Pages) web shell, namely, a tool to execute code remotely, inside the Confluence web servers under analysis.

What products are affected?

According to Atlassian, the affected products are:

  • Confluence Server version 7.18.0.
  • Confluence Server and Data Center versions >= 7.4.0 (7.4.0 and higher)

Is there a mitigation patch or update?

As of now, the vendor has pointed out that there aren’t fixed versions of Confluence Server and Data Center available, and recommends following these steps to decrease potential risk:

  • Restricting access to Confluence Server and Data Center instances from the internet
  • Disabling Confluence Server and Data Center instances
  • Implementing a WAF (Web Application Firewall) rule that blocks URLs containing the characters “${” (optional; this may reduce your risk)
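
A rule that matches only the literal characters will not see the same two characters when they arrive percent-encoded. The following added example (not from Atlassian, Volexity or this post's author) applies the “${” check to request URIs in a web access log after percent-decoding; the combined log format, the sample lines and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Matches the request line inside a combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')
MARKER = "${"
MAX_DECODE_ROUNDS = 3  # assumption: enough to undo double or triple percent-encoding


def normalize(uri: str) -> str:
    """Percent-decode repeatedly until the value stops changing."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def is_suspicious(uri: str) -> bool:
    """True if the URI contains "${" in raw or percent-encoded form."""
    return MARKER in normalize(uri)


def scan(lines):
    """Return (line_number, client_ip, decoded_uri) for each flagged request."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match and is_suspicious(match.group("uri")):
            hits.append((number, line.split()[0], normalize(match.group("uri"))))
    return hits


# Constructed sample log lines (documentation IP ranges, harmless placeholder text).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Jun/2022:10:00:01 +0000] "GET /login.action HTTP/1.1" 200 5120',
    '198.51.100.7 - - [03/Jun/2022:10:00:02 +0000] "GET /${placeholder}/ HTTP/1.1" 302 0',
    '198.51.100.7 - - [03/Jun/2022:10:00:03 +0000] "GET /%24%7Bplaceholder%7D/ HTTP/1.1" 302 0',
    '203.0.113.5 - - [03/Jun/2022:10:00:04 +0000] "GET /%2524%257Bplaceholder%257D/ HTTP/1.1" 404 0',
    '192.0.2.10 - - [03/Jun/2022:10:00:05 +0000] "GET /pages/viewpage.action?pageId=1&price=$5 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, ip, uri in scan(SAMPLE_LOG):
        print(f"line {number}: {ip} requested {uri}")
```

The same normalization step belongs in the WAF rule itself; run against historical logs, the scan also shows which clients sent matching requests before the rule was in place.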

Think you’ve been exposed?

If you think you may be at risk of this CVE, you need to run a scan ASAP to confirm. Red Sentry’s exploit engine can perform a proof of concept to confirm your vulnerability status. Reach out today for a free CVE-2022-26134 scan.

Andrés Peña

Security engineer, developer and economist. Andres Bello Catholic University BS.