Vulnerability Management

Atlassian patches zero-day affecting Confluence Data Center and Server

Atlassian fixed vulnerabilities in several versions of its Confluence Data Center and Server. (“Atlassian Sydney Office All-Hands” by doctorDray is licensed under CC BY 2.0.)

Atlassian on Friday issued fixes for a zero-day remote code execution vulnerability in Confluence Data Center and Server. The critical vulnerability lets an unauthenticated user execute arbitrary code on a Confluence Server or Data Center instance.

In an updated blog post, Atlassian said it fixed the following versions: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1.

Atlassian said for customers that access Confluence via an Atlassian.net domain, it’s hosted by Atlassian and not vulnerable. The company’s investigation have not found any evidence of exploitation of Atlassian Cloud.

The critical vulnerability — CVE-2022-26134 — affected all supported versions of Confluence Server and Data Center. Confluence Server and Data Center versions after 1.3.0 are affected.

Atlassian waited less than 72 hours between when it was informed of the Confluence zero-day (May 31) and when it issued an advisory (June 2), said Chris Olson, CEO at The Media Trust. Olson said that’s a reasonable amount of time for investigation and disclosure.

“Given the severity of this exploit, it’s reasonable for customers to demand a patch as soon as possible — but as we saw in the aftermath of Log4Shell, rushed patches can often do more harm than good,” Olson said. “Vendors face serious limitations when they encounter new remote code execution exploits, which is why it’s more important than ever for organizations to actively monitor their digital ecosystems on the front and back end.”

Mike Parkin, senior technical engineer at Vulcan Cyber, pointed out that Atlassian’s Confluence Server and Confluence Data Center are widely used across multiple industries, so an unauthenticated remote code execution flaw is problematic. Parkin said that the Cybersecurity and Infrastructure Security Agency quickly added the CVE to its Known Exploited Vulnerabilities Catalog is indicative of the expected risk.

“Atlassian said they expected to release a patch the day of the announcement, which is a respectably rapid turnaround,” Parkin said. “Keeping instances isolated from the open internet can mitigate the vulnerability until patches arrive and is a best practice in any case. Fortunately, their widely used cloud platform is not known to be affected.”

Casey Bisson, head of product and developer enablement at BluBracket, said Atlassian tools are used by more than 200,000 enterprises. Bisson said Confluence wiki pages are often a “go-to” for internal documentation, so a vulnerability there could reveal operational details most companies assume are restricted to internal users only.

Bisson added that BluBracket’s recently released, free and open source scanner for secrets and PII in Confluence pages can help enterprises uncover additional risk they might face in case their wikis are compromised.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.