FAQ for CVE-2022-26134
Atlassian is aware of current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server. The OGNL injection vulnerability allows an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance. Read more about Confluence Server and Data Center - CVE-2022-26134 - Critical severity unauthenticated remote code execution vulnerability.
This page contains frequently asked questions and answers about this vulnerability. The Atlassian Security Team will continuously update this page as new information becomes available.
Are Cloud instances affected?
No, Atlassian cloud instances are not vulnerable and no customer action is required.
Are other Atlassian Server (DC) products affected by this vulnerability?
This is a vulnerability specific to Confluence Server and Confluence Data Center and should not impact other Atlassian Server/DC products such as Crowd, Jira, Bitbucket or Bamboo. If you think your instance has been compromised, please work with local security teams to scope the full impact and mitigation plans. Please also contact Atlassian Support immediately by opening a high-priority support case.
Are Confluence Server/DC instances affected?
All supported versions of Confluence Server and Data Center are affected and Confluence Server and Data Center versions after 1.3.0 are impacted by the recent Confluence CVE-2022-26134 incident.
What needs to be done: Atlassian recommends that you upgrade to the latest Long Term Support release. For a full description of the latest version, see the Confluence Server and Data Center Release Notes. You can download the latest version from the download centre.
I need help upgrading, what should I do?
For detailed information and step-by-step instructions related to upgrading Confluence, please see Upgrading Confluence or Upgrading Confluence Manually. This is our recommended and supported method for upgrading Confluence. It contains all the information in this comment as well as other helpful tips to be sure your upgrade is successful.
The most important step to take to avoid production outages is to follow change management best practices by testing the upgrade in a staging environment first. For more information on how to set up a staging environment, see Create a staging environment for upgrading Confluence.
If you still have questions or concerns, please raise a support request at https://support.atlassian.com/
I'm seeing a user called "disabledsystemuser" inside Confluence. Is this normal or a symptom of a hacking attempt?
The user disabledsystemuser is a Confluence internal user, created by the plugin Confluence Questions in order to perform specific actions during the migration of Confluence server to Confluence Cloud event. This user can be safely ignored and it is not related to any security issue on Confluence side.
According to the security advisory raised we are vulnerable for our Confluence server instance. Can you please confirm this also affects services when running SSO?
Yes. As mentioned on the Confluence Security Advisory page for CVE-2022-26134, this is a critical severity unauthenticated remote code execution vulnerability. Confluence instance(s) are vulnerable regardless of the authentication mechanisms currently configured.
My instance is NOT connected to the internet, what should I do? Am I safe?
If the Confluence instance cannot be accessed from the general internet, the risk of an exploit/attack originating from there is negated. However, out of an abundance of caution, the guidance on the Confluence Security Advisory page for CVE-2022-26134 still applies. Due to the critical nature of this vulnerability and the variety of ways in which instances can be accessed, please work with local network/security team(s) to determine if mitigation is needed.
How does Atlassian decide who to send these emails to?
Atlassian sends a copy of all critical security advisories to the 'Alerts' mailing list for the product concerned, excluding Sourcetree. To ensure you are on this list, please update your email preferences at https://my.atlassian.com/email.
Can we determine if Confluence has already been compromised?
Unfortunately, Atlassian cannot confirm if a Confluence instance has been compromised. Please involve the local security team or a specialist security forensics firm for further investigation.
Atlassian recommends checking the integrity of the Confluence filesystem, for example comparison of artefacts in their current state with recent backups to see if there are any unexpected differences.
All security compromises are different, and there is a risk that an attacker could hide their footprint and change important files such as (syslogs, audit logs, access logs, etc.) depending on the component that has been compromised.
My instance isn't exposed to the Internet. Is an upgrade still recommended?
Yes. Upgrading to a fixed version of Confluence Server and Data Center is the only way to ensure that your instance is protected against CVE-2022-26134.
How do I know if the patch works? Will Atlassian give me more details so that I can have my security team test the fix?
In our public ticket for the issue, we share that this is an unauthenticated remote code execution vulnerability via OGNL template injection. While we can’t share the payloads which successfully exploit vulnerable instances, this may provide a good starting point for customers with penetration test teams.
The risk in sharing too much detail is that malicious actors would be able to develop an exploit to use against other vulnerable Confluence instances.