Last week a new zero-day unauthenticated remote code execution vulnerability in Atlassian Confluence (Server and Data Center) made the headlines. Our agile internal vulnerability management immediately picked up the vulnerability announcements from multiple channels:
- https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
- https://www.cert-bund.de/advisoryshort/CB-K22-0681
- https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/
- https://nvd.nist.gov/vuln/detail/CVE-2022-26134
- https://jira.atlassian.com/browse/CONFSERVER-79016
At the time of the announcement it was already clear that an unauthenticated remote code execution flaw would be exploited in the wild very quickly, and no matching security patch was yet available. Initially, little was known about how to mitigate it, which meant a high risk.
We immediately notified our customers and applied the recommended mitigations: blocking requests matching certain URL patterns and subsequently, where possible, limiting access to instances by applying IP whitelisting. The only party we saw respond faster was Cloudflare.
Atlassian published additional mitigations (replacing certain jar and class files) and provided an updated timeline for the release of a fix. Once the fix was available, we immediately rolled out the patch to all customers automatically within hours - thanks to our fully automated operations stack.
Once again, this incident clearly demonstrates how important it is to have reliable vulnerability management, proven operations processes and reliable infrastructure automation (infrastructure-as-code). We were able to respond immediately, ensuring that our customers' systems remain protected.
In situations such as this, time really is key: a PoC exploit was released shortly after the vulnerability announcement, and we saw active exploitation attempts only shortly after that.
If you were not able to patch your systems in time or apply the relevant mitigations, we are here to help. We can support you in analysing whether your systems were actually exploited and in making sure you are protected once again; just contact us.