CVE-2022-26134: Atlassian Confluence unauthenticated OGNL injection RCE
What this means
CVE-2022-26134 is a critical Object Graph Navigation Language (OGNL) injection vulnerability in Atlassian Confluence Server and Data Center. A specially crafted HTTP request is enough to make the server evaluate attacker-supplied OGNL, so an unauthenticated attacker can execute arbitrary code on the instance.
Successful exploitation gives the attacker full control of the affected system, with no credentials required.
Why this is a problem
This vulnerability allows an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance, which can lead to:
- remote code execution (RCE) – attackers run arbitrary commands with the privileges of the Confluence service account
- server-side request forgery (SSRF) style pivoting – code running on the Confluence server can reach internal services that are not exposed to the internet and exploit other vulnerabilities from inside the network
- data exfiltration – sensitive business or personal data stored in Confluence can be read or stolen
- system takeover – attackers can create backdoors for persistent access, deploy malware, or encrypt data for ransom
- business disruption – Confluence servers may be taken offline, impacting business operations.
How to check if the problem is there
An administrator should determine whether the Confluence instance is affected by checking its version number (shown on the Administration > System Information page).
Check the version number
All supported versions of Confluence Server and Data Center from 1.3.0 onward are affected, unless the instance is running one of the fixed releases below (or a later release on the same branch):
7.4.17
7.13.7
7.14.3
7.15.2
7.16.4
7.17.4
7.18.1
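Comparing a version string against the fixed-release list is easy to get wrong by hand, because the fix is per branch: 7.16.0 is newer than 7.15.2 but still vulnerable, and 7.5.x through 7.12.x never received a fix release at all. The following checker is an added example, not Atlassian tooling; it uses the fixed-version list from this page, and its one assumption (stated in the code) is that release branches newer than 7.18, i.e. 7.19 onward, were cut after the patch and therefore contain it.

```python
"""Check a Confluence Server / Data Center version string against CVE-2022-26134.

Added example, not Atlassian tooling. FIXED_VERSIONS is the list from this page; the
rule that a branch newer than the newest fixed branch (7.19 onward) already contains
the fix is an assumption made here, reflecting that those branches shipped after it.
"""
import re

FIXED_VERSIONS = ["7.4.17", "7.13.7", "7.14.3", "7.15.2", "7.16.4", "7.17.4", "7.18.1"]
FIRST_AFFECTED = (1, 3, 0)   # advisory: every supported release from 1.3.0 onward


def parse_version(version: str) -> tuple:
    """'7.13.7' or '7.13.7-rc1' -> (7, 13, 7); a missing patch component counts as 0."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Confluence version: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


# Map each release branch (major, minor) to the first build on it that carries the fix.
_FIX_BY_BRANCH = {v[:2]: v for v in map(parse_version, FIXED_VERSIONS)}
_NEWEST_FIXED_BRANCH = max(_FIX_BY_BRANCH)   # (7, 18)


def is_vulnerable(version: str) -> bool:
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False
    branch = v[:2]
    if branch in _FIX_BY_BRANCH:
        # Same release branch: only builds below the fix release are affected.
        return v < _FIX_BY_BRANCH[branch]
    if branch > _NEWEST_FIXED_BRANCH:
        # Assumption: 7.19 and later branches were cut after the fix and include it.
        return False
    # Branches with no fix release (e.g. 6.x, 7.5 through 7.12) are always affected.
    return True


def recommended_upgrade(version: str):
    """Fix release on the same branch if there is one, else the newest fix; None if not affected."""
    if not is_vulnerable(version):
        return None
    branch = parse_version(version)[:2]
    target = _FIX_BY_BRANCH.get(branch, _FIX_BY_BRANCH[_NEWEST_FIXED_BRANCH])
    return ".".join(map(str, target))


if __name__ == "__main__":
    import sys
    for arg in sys.argv[1:] or ["7.13.6"]:
        state = "VULNERABLE" if is_vulnerable(arg) else "not affected"
        print(f"{arg}: {state}; upgrade target: {recommended_upgrade(arg)}")
```

Run it with one or more version strings as arguments (for example `python check_confluence.py 7.13.6 7.18.1 7.12.5`). For a branch that never received a fix the checker points at the newest fixed release; an organisation standardised on a long-term-support branch may prefer the fixed release on that branch instead.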
How to fix this
Apply the Official Patch (recommended)
Atlassian has released fixes for this vulnerability.
Upgrade to one of the fixed versions below, or to any later release:
7.4.17
7.13.7
7.14.3
7.15.2
7.16.4
7.17.4
7.18.1
Make sure that your version of Confluence is always kept up to date.
Temporary workarounds if you’re unable to patch immediately
Restrict network access by:
- removing any inbound firewall exceptions or port-forwarding rules that expose Confluence to the internet
- configuring firewall rules to allow connections only from trusted IP addresses
- only allowing access over an internal VPN
Monitor logs regularly by:
- reviewing the Confluence and Tomcat access logs for unexpected requests
- forwarding them to a SIEM so exploitation attempts and other anomalies can be alerted on
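Publicly reported exploitation of CVE-2022-26134 placed an OGNL expression in the request URI, which makes the access log a useful place to look. The scanner below is an added example, not Atlassian or SIEM vendor code: it parses common/combined-format access log lines (the five sample lines are constructed for this example; the IP addresses are documentation ranges), URL-decodes the request path, and flags any path that still contains the OGNL expression opener `${` after decoding, rating a hit higher when OGNL static-call syntax (`@fully.qualified.Class@method`) is present. Decoding is repeated so that double-encoded payloads (`%2524` for `$`) are not missed.

```python
"""Scan access logs for CVE-2022-26134 exploitation attempts.

Added example, not Atlassian or SIEM vendor code. The heuristic: an OGNL expression
opener "${" inside the URL-decoded request path is never legitimate Confluence traffic;
OGNL static-call syntax "@class@method" alongside it indicates code execution.
"""
import re
from urllib.parse import unquote

# Common/combined log format: client, ident, user, [timestamp], "METHOD uri proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
OGNL_OPEN = "${"
OGNL_STATIC_CALL = re.compile(r"@[\w.]+@\w+")   # e.g. @java.lang.Runtime@getRuntime


def decode_uri(uri: str, rounds: int = 3) -> str:
    """Decode repeatedly: attackers double-encode (%2524 -> %24 -> $) to evade naive matching."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def classify(line: str):
    """Return None for a benign line, else a dict describing the suspicious request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_uri(m.group("uri"))
    if OGNL_OPEN not in decoded:
        return None
    calls = OGNL_STATIC_CALL.findall(decoded)
    return {
        "ip": m.group("ip"),
        "timestamp": m.group("ts"),
        "status": int(m.group("status")),
        "uri": decoded,
        "static_calls": calls,
        "severity": "high" if calls else "medium",
    }


def scan(lines):
    """All suspicious requests in log order."""
    return [hit for hit in map(classify, lines) if hit]


def sources(hits):
    """Count of suspicious requests per client address, for blocking or triage."""
    counts = {}
    for hit in hits:
        counts[hit["ip"]] = counts.get(hit["ip"], 0) + 1
    return counts


# Constructed sample log lines (not real traffic): one benign login, a single-encoded
# OGNL payload, the same payload double-encoded, a benign path containing "$", and an
# OGNL expression without any static call.
SAMPLE_LOG = [
    '198.51.100.7 - - [02/Jun/2022:14:20:55 +0000] "GET /login.action HTTP/1.1" 200 4821 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [02/Jun/2022:14:21:07 +0000] "GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29%7D/ HTTP/1.1" 302 0 "-" "curl/7.68.0"',
    '203.0.113.5 - - [02/Jun/2022:14:21:09 +0000] "GET /%2524%257B%2540java.lang.Runtime%2540getRuntime%2528%2529.exec%2528%2522id%2522%2529%257D/ HTTP/1.1" 302 0 "-" "curl/7.68.0"',
    '198.51.100.9 - - [02/Jun/2022:14:22:30 +0000] "GET /display/DOCS/Pricing+%24100 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [02/Jun/2022:14:23:01 +0000] "GET /%24%7B7*7%7D/ HTTP/1.1" 302 0 "-" "python-requests/2.27"',
]

if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    found = scan(lines)
    for hit in found:
        print(f'{hit["timestamp"]} {hit["ip"]} {hit["severity"]:6} {hit["uri"]}')
    print("per-source counts:", sources(found))
```

Point it at a real access log (`python scan_confluence_log.py /path/to/access_log`) to triage. A HTTP 302 on a hit is not a sign the attempt failed: the public exploit received a redirect while still executing, so treat every high-severity hit as a probable compromise and investigate the host, not just the request.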