Atlassian Released Patch for Confluence Zero-day Vulnerability

Atlassian has released a fix for CVE-2022-26134, an unauthenticated remote code execution vulnerability in Confluence that was discovered by the cyber security firm Volexity.

Volexity first discovered the bug on May 30 and reported it to the Atlassian security team on May 31. On June 2, Volexity publicly disclosed the bug, noting that the vulnerability was already being exploited by attackers.

Atlassian said that security patches for supported versions of Confluence would become available for customer download within 24 hours; in the meantime, Atlassian published a temporary workaround. Until the patch is applied, CVE-2022-26134 can be mitigated by replacing the following files, depending on the Confluence version.

Mitigation For Confluence 7.15.0 - 7.18.0

If you run Confluence in a cluster, you will need to repeat this process on each node. You don't need to shut down the whole cluster.

Shut down Confluence.

Download the following file to the Confluence server: xwork-1.0.3-atlassian-10.jar

Delete (or move outside the Confluence install directory) the following JAR:

/confluence/WEB-INF/lib/xwork-1.0.3-atlassian-8.jar

Copy the downloaded xwork-1.0.3-atlassian-10.jar into /confluence/WEB-INF/lib/

Check that the permissions and ownership of the new xwork-1.0.3-atlassian-10.jar file match the existing files in the same directory.

Start Confluence.

Important: if you run Confluence in a cluster, apply the update above on every node.

Do not leave a copy of the old JAR in the directory.

Mitigation For Confluence 7.0.0 - 7.14.2

If you run Confluence in a cluster, you will need to repeat this process on each node. You don't need to shut down the whole cluster.

Shut down Confluence.

Download the following 3 files to the Confluence server: xwork-1.0.3-atlassian-10.jar, webwork-2.1.5-atlassian-4.jar and CachedConfigurationProvider.class

Delete (or move outside the Confluence install directory) the following JARs:

/confluence/WEB-INF/lib/xwork-1.0.3.6.jar

/confluence/WEB-INF/lib/webwork-2.1.5-atlassian-3.jar

Copy the downloaded xwork-1.0.3-atlassian-10.jar into /confluence/WEB-INF/lib/

Copy the downloaded webwork-2.1.5-atlassian-4.jar into /confluence/WEB-INF/lib/

Check that the permissions and ownership of both new files match the existing files in the same directory.

Change to the directory /confluence/WEB-INF/classes/com/atlassian/confluence/setup

Create a new directory called webwork.

Copy CachedConfigurationProvider.class into /confluence/WEB-INF/classes/com/atlassian/confluence/setup/webwork

Ensure the permissions and ownership are correct for the new directory /confluence/WEB-INF/classes/com/atlassian/confluence/setup/webwork and for the CachedConfigurationProvider.class file copied into it, matching the existing files and directories alongside them.

Start Confluence.
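Both procedures above come down to the same file swap, so here is one script that does it for either version range. It is an added example, not Atlassian's own tooling: it moves the listed vulnerable JARs out of the install tree into a quarantine directory, copies the replacement files in with owner, group and mode matching a file that already lives in the target directory (the "check the permissions and ownership" step, done mechanically and then verified), creates the webwork class directory for the 7.0.0 - 7.14.2 case, and finally checks that no old JAR remains. It assumes Confluence is already stopped, that the replacement files were downloaded into a staging directory beforehand, and GNU or busybox stat/chown/chmod. The make_fixture function builds a constructed placeholder tree (not a real Confluence install; file names like other-library.jar and Existing.class are stand-ins) so the script can be dry-run without touching a live server.

```shell
#!/bin/sh
# Added example (not Atlassian's tooling): swap the vulnerable xwork/webwork JARs for the
# replacement files on an already-stopped Confluence install. Assumes GNU or busybox
# stat/chown/chmod and that the replacement files sit in a staging directory.
set -eu

LIBDIR=confluence/WEB-INF/lib
SETUPDIR=confluence/WEB-INF/classes/com/atlassian/confluence/setup

# owner:group:mode of a path, used for the "permissions and ownership match" check.
fileid() { stat -c '%U:%G:%a' "$1"; }

# First regular file in directory $1; new files copy its owner, group and mode.
first_file() {
    for f in "$1"/*; do
        if [ -f "$f" ]; then printf '%s\n' "$f"; return 0; fi
    done
    echo "no reference file in $1" >&2; return 1
}

# Make $1's owner, group and mode match reference path $2, then verify that it did.
match_perms() {
    dst=$1; ref=$2
    chown "$(stat -c '%u:%g' "$ref")" "$dst" 2>/dev/null || true  # checked just below
    chmod "$(stat -c '%a' "$ref")" "$dst"
    if [ "$(fileid "$dst")" != "$(fileid "$ref")" ]; then
        echo "ownership/permissions of $dst do not match $ref" >&2; return 1
    fi
}

# Copy file $1 into directory $2, matching an existing file in directory $3 (default $2).
install_like() {
    src=$1; dstdir=$2; ref=$(first_file "${3:-$2}")
    dst="$dstdir/$(basename "$src")"
    cp "$src" "$dst"
    match_perms "$dst" "$ref"
}

# Move the old JARs out of the install tree into $1 rather than deleting them: nothing
# stale stays in WEB-INF/lib, but the originals remain available for inspection.
quarantine_jars() {
    quarantine=$1; shift
    mkdir -p "$quarantine"
    for jar in "$@"; do
        if [ -e "$jar" ]; then mv "$jar" "$quarantine/"; fi
    done
}

# apply_workaround <install_root> <staging_dir> <quarantine_dir> <7.15|7.0>
#   7.15 = Confluence 7.15.0 - 7.18.0,  7.0 = Confluence 7.0.0 - 7.14.2
apply_workaround() {
    root=$1; stage=$2; quarantine=$3; family=$4
    lib="$root/$LIBDIR"; setup="$root/$SETUPDIR"
    case $family in
        7.15)
            quarantine_jars "$quarantine" "$lib/xwork-1.0.3-atlassian-8.jar"
            install_like "$stage/xwork-1.0.3-atlassian-10.jar" "$lib"
            ;;
        7.0)
            quarantine_jars "$quarantine" "$lib/xwork-1.0.3.6.jar" \
                "$lib/webwork-2.1.5-atlassian-3.jar"
            install_like "$stage/xwork-1.0.3-atlassian-10.jar" "$lib"
            install_like "$stage/webwork-2.1.5-atlassian-4.jar" "$lib"
            mkdir -p "$setup/webwork"
            match_perms "$setup/webwork" "$setup"
            install_like "$stage/CachedConfigurationProvider.class" "$setup/webwork" "$setup"
            ;;
        *)  echo "unknown version family: $family (use 7.15 or 7.0)" >&2; return 1 ;;
    esac
}

# Post-change check: no vulnerable JAR left behind and the replacement files in place.
verify_workaround() {
    root=$1; family=$2; lib="$root/$LIBDIR"
    for old in xwork-1.0.3-atlassian-8.jar xwork-1.0.3.6.jar webwork-2.1.5-atlassian-3.jar; do
        if [ -e "$lib/$old" ]; then echo "old JAR still present: $lib/$old" >&2; return 1; fi
    done
    if [ ! -f "$lib/xwork-1.0.3-atlassian-10.jar" ]; then return 1; fi
    if [ "$family" = 7.0 ]; then
        if [ ! -f "$lib/webwork-2.1.5-atlassian-4.jar" ]; then return 1; fi
        if [ ! -f "$root/$SETUPDIR/webwork/CachedConfigurationProvider.class" ]; then return 1; fi
    fi
    return 0
}

# Constructed dry-run fixture, NOT a real Confluence install: a minimal tree under
# $1/install with placeholder files for version family $2, plus placeholder "downloaded"
# replacements under $1/stage with a deliberately wrong mode (0600) to show it being fixed.
make_fixture() {
    base=$1; family=$2
    mkdir -p "$base/install/$LIBDIR" "$base/install/$SETUPDIR" "$base/stage"
    if [ "$family" = 7.15 ]; then old=xwork-1.0.3-atlassian-8.jar
    else old="xwork-1.0.3.6.jar webwork-2.1.5-atlassian-3.jar"; fi
    for f in $old other-library.jar; do printf 'placeholder\n' > "$base/install/$LIBDIR/$f"; done
    printf 'placeholder\n' > "$base/install/$SETUPDIR/Existing.class"
    chmod 640 "$base/install/$LIBDIR"/* "$base/install/$SETUPDIR"/*
    for f in xwork-1.0.3-atlassian-10.jar webwork-2.1.5-atlassian-4.jar \
             CachedConfigurationProvider.class; do
        printf 'placeholder\n' > "$base/stage/$f"; chmod 600 "$base/stage/$f"
    done
}
```

On a real node you would source the script and call `apply_workaround /opt/atlassian/confluence /root/stage /root/quarantine 7.0` (paths assumed) after stopping Confluence, then `verify_workaround` with the same install root and family before starting it again; in a cluster, repeat on every node. A dry run is `t=$(mktemp -d); make_fixture "$t" 7.0; apply_workaround "$t/install" "$t/stage" "$t/quarantine" 7.0; verify_workaround "$t/install" 7.0`.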

The workaround has not been fully tested on End of Life Confluence versions. It may be possible to use the replacement JARs on versions older than 7.0.0, but doing so is untested and may cause issues.

Atlassian initially confirmed that all supported versions of Confluence Server and Data Center are affected. Until a fix is applied, Atlassian advises customers either not to expose Confluence directly to the internet or to disable their Confluence instances entirely.

At the time of writing, we haven't seen any exploit or POC code, but it should be noted that the vulnerability is already being exploited in the wild.