Atlassian has disclosed a critical unauthenticated remote code execution vulnerability in its Confluence Server and Data Center products that is being actively exploited by malicious actors. It is essential to fix or mitigate this vulnerability promptly. This article explains how to fix CVE-2022-26134, an unauthenticated RCE vulnerability in Confluence Server and Data Center.
Confluence Server and Data Center are versions of Confluence designed for large organizations. Confluence Server is deployed on-premises, while Confluence Data Center is deployed in the cloud. Both versions offer high availability and performance at scale. Confluence Server and Data Center offer a number of features not available in the Confluence Cloud version, including:
Granular permissions: Confluence Server and Data Center allow you to set up granular permissions, so you can control who has access to what information.
Active Directory integration: Confluence Server and Data Center can be integrated with Active Directory, making it easy to manage user accounts and permissions.
Backup and restore: Confluence Server and Data Center include built-in backup and restore capabilities, so you can always revert to a previous version if something goes wrong.
Single sign-on: Confluence Server and Data Center support single sign-on (SSO), so users only have to remember one set of credentials to access Confluence and other applications.
If you’re looking for an enterprise-grade Confluence solution, Confluence Server or Data Center is the way to go.
Atlassian has disclosed that CVE-2022-26134, a critical unauthenticated remote code execution vulnerability in Confluence Server and Data Center, is under active exploitation. The flaw is an OGNL injection that allows an unauthenticated attacker to run arbitrary code on a Confluence Server or Data Center instance. Atlassian rates the severity of CVE-2022-26134 as critical.
Affected Products:
Confluence Server
Confluence Data Center
Affected Versions:
All supported versions of the Confluence Server and Data Center are impacted.
Atlassian has fixed the flaw in the versions listed below and recommends upgrading to one of these versions or to the latest long-term support release.
7.4.17
7.13.7
7.14.3
7.15.2
7.16.4
7.17.4
7.18.1
Follow these steps to upgrade your Confluence site to the latest version on Windows and Linux.
Before you start, answer the following questions:
Which upgrade method is the best option?
Have Atlassian's supported platforms changed?
Are you eligible to upgrade?
Do you need to make changes to your environment?
Use this table to determine the most effective upgrade to the latest Confluence version from the current version.
You can upgrade with no downtime if you are upgrading to the next vulnerability fix update.
Enterprise releases
A long-term support release is a feature release that receives backported critical security updates and critical bug fixes for its entire two-year support window. Consider upgrading to a long-term support release if you can only upgrade once a year.
* Check the Upgrade Notes for the planned upgrade version.
* Go to Settings > General Configuration > Plan your upgrade and select the desired upgrade version.
* Go to Settings > General Configuration > Troubleshooting and support tools to run the health check.
* Go to Settings > Manage apps and then Confluence Update Check to check Marketplace app compatibility.
* Select the desired upgrade version and click Check.
* Create a staging copy of the current production environment. See Atlassian's guide on creating a test environment.
* Follow the steps below to update the test environment.
* Test unsupported user-installed apps, customizations, and the proxy configuration before updating your production environment.
* Back up the database and confirm that the backup was created properly.
* Back up the installation directory.
* Back up the home directory.
Download the installer for your operating system from Atlassian (the latest version or an older version, as planned).
1. Run the installer
2. Follow prompts to upgrade Confluence
* When prompted, select Upgrade an existing Confluence installation.
* Ensure that the suggested Existing Confluence installation directory is correct.
* Backing up the Confluence home directory is highly recommended; the installer creates a .zip backup.
* The installation wizard alerts you to any customizations. Note them, as you will need to reapply them later.
3. The wizard shuts down the Confluence instance and proceeds with the update. Once the update is complete, it restarts Confluence, and you can open it in your browser to confirm that the upgrade succeeded.
If you are using MySQL or Oracle database, you need to copy the JDBC driver jar file from the existing Confluence installation directory to confluence/WEB-INF/lib in the new installation directory.
If you run Confluence as a service on Windows, you need to delete the existing service and then reinstall it by running <install-directory>/bin/service.bat. This ensures the service picks up the latest JVM options.
During the update, the wizard migrates these settings from the existing Confluence installation:
* TCP port values in the <install-directory>/conf/server.xml file.
* The location of the Confluence home directory in <install-directory>/confluence/WEB-INF/classes/confluence-init.properties.
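The following script is an added example, not code from the article or from Atlassian. It checks the two settings the installer is expected to carry over (the port attributes in conf/server.xml and confluence.home in confluence-init.properties) by comparing the old and new installation directories, and it performs the manual JDBC driver copy for MySQL and Oracle users. The argument layout and function names are this script's own assumptions; the driver JAR name is passed in because it depends on your database.

```shell
#!/usr/bin/env bash
# Added example, not code from the article or from Atlassian: post-upgrade
# checks for the settings the installer migrates (TCP ports in conf/server.xml,
# the home directory in confluence-init.properties) plus the JDBC driver copy
# that MySQL and Oracle users must do by hand. Argument layout and function
# names are assumptions of this script.
set -eu

# Print every port="..." attribute value in <install>/conf/server.xml, one per
# line (Connector ports and the Tomcat shutdown port alike).
server_ports() {
    grep -o ' port="[0-9]*"' "$1/conf/server.xml" | sed 's/[^0-9]//g'
}

# Print the confluence.home value from confluence-init.properties (empty if unset).
confluence_home() {
    sed -n 's/^confluence\.home[[:space:]]*=[[:space:]]*//p' \
        "$1/confluence/WEB-INF/classes/confluence-init.properties"
}

# check_migration <old-install> <new-install>
# Returns 0 only if the port set and the home path are identical and non-empty.
check_migration() {
    local old="$1" new="$2" old_ports new_ports
    old_ports=$(server_ports "$old")
    new_ports=$(server_ports "$new")
    [ -n "$old_ports" ] || { echo "no ports found in $old/conf/server.xml" >&2; return 1; }
    [ "$old_ports" = "$new_ports" ] \
        || { echo "port mismatch: old=[$old_ports] new=[$new_ports]" >&2; return 1; }
    [ -n "$(confluence_home "$old")" ] || { echo "confluence.home not set in $old" >&2; return 1; }
    [ "$(confluence_home "$old")" = "$(confluence_home "$new")" ] \
        || { echo "confluence.home differs between old and new installation" >&2; return 1; }
}

# copy_jdbc_driver <old-install> <new-install> <driver-jar-name>
# Copies the named driver JAR from the old WEB-INF/lib into the new one unless
# it is already present; fails if the old installation does not have it.
copy_jdbc_driver() {
    local src="$1/confluence/WEB-INF/lib/$3" dst="$2/confluence/WEB-INF/lib/$3"
    [ -f "$src" ] || { echo "driver $3 not found in old installation" >&2; return 1; }
    [ -f "$dst" ] || cp -p "$src" "$dst"
}

# Usage: post-upgrade-check.sh <old-install> <new-install> [driver-jar-name]
if [ $# -ge 2 ]; then
    if [ $# -ge 3 ]; then copy_jdbc_driver "$1" "$2" "$3"; fi
    check_migration "$1" "$2"
    echo "migration checks passed"
fi
```

Run it with the old and new installation directories after the wizard finishes; a non-zero exit with a message on stderr tells you which migrated setting to fix by hand before you repoint the reverse proxy.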
Update your reverse proxy and check that you can access Confluence through it. If you are upgrading from Confluence 5.x to Confluence 6.x, you must also modify the reverse proxy to add Synchrony, which is needed for collaborative editing. See Atlassian's Proxy and SSL considerations for details on the proxy configuration changes.
Once your update is complete, access Confluence and:
* Go to Settings > General Configuration > Collaborative editing and confirm that the Synchrony status is running.
* Edit a page to check that the browser can connect to Synchrony.
If you can’t upgrade Confluence promptly, you can mitigate the CVE-2022-26134 vulnerability as a temporary workaround by updating these files for a specific product version.
For Confluence 7.15.0-7.18.0
If Confluence is running in a cluster, repeat this process on every node. There is no need to shut down the whole cluster to apply this mitigation.
Shut down the Confluence.
Download the xwork-1.0.3-atlassian-10.jar file to the Confluence server.
Delete or move the following existing file outside of the Confluence install directory:
<confluence-install>/confluence/WEB-INF/lib/xwork-1.0.3-atlassian-8.jar
Copy the downloaded file into <confluence-install>/confluence/WEB-INF/lib/
Check that the permissions and ownership of the new xwork-1.0.3-atlassian-10.jar file match those of the existing files in the same directory.
Start the Confluence.
If you run Confluence in a cluster, make sure to apply this update on all of your nodes.
For Confluence 7.0.0 – Confluence 7.14.2
If you run Confluence in a cluster, repeat this process on every node. You do not need to shut down the whole cluster to apply this mitigation.
1. Shut down Confluence.
2. Download these files to the Confluence server:
xwork-1.0.3-atlassian-10.jar
webwork-2.1.5-atlassian-4.jar
CachedConfigurationProvider.class
3. Delete or move these files outside of the Confluence install directory:
<confluence-install>/confluence/WEB-INF/lib/xwork-1.0.3.6.jar
<confluence-install>/confluence/WEB-INF/lib/webwork-2.1.5-atlassian-3.jar
4. Copy the downloaded xwork-1.0.3-atlassian-10.jar into
<confluence-install>/confluence/WEB-INF/lib/
5. Copy the downloaded webwork-2.1.5-atlassian-4.jar into
<confluence-install>/confluence/WEB-INF/lib/
6. Check that the ownership and permissions of both files match those of the existing files in the same directory.
7. Change to directory
<confluence-install>/confluence/WEB-INF/classes/com/atlassian/confluence/setup
Create a new directory, webwork.
Copy CachedConfigurationProvider.class into
<confluence-install>/confluence/WEB-INF/classes/com/atlassian/confluence/setup/webwork
Make sure the ownership and permissions are correct for:
<confluence-install>/confluence/WEB-INF/classes/com/atlassian/confluence/setup/webwork
<confluence-install>/confluence/WEB-INF/classes/com/atlassian/confluence/setup/webwork/CachedConfigurationProvider.class
8. Start Confluence.
If you run Confluence in a cluster, make sure to apply this update on all nodes.
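The script below is an added example, not code from the article or from Atlassian. It automates the file swap described in both workaround procedures above (the 7.15.0 to 7.18.0 case and the 7.0.0 to 7.14.2 case) on a single node and verifies the result afterwards. The version ranges, JAR names and the CachedConfigurationProvider.class path are the ones the article lists; the argument layout, the staging directory that holds the downloaded files, and the backup directory that receives the removed JARs are assumptions of this script. Stopping Confluence before running it and starting it afterwards is left to the operator.

```shell
#!/usr/bin/env bash
# Added example, not code from the article or from Atlassian: performs the
# file swap of the temporary workaround on one node and verifies the result.
# Version ranges, JAR names and the class path follow the article; argument
# layout, staging directory and backup directory are this script's assumptions.
# Stopping Confluence before, and starting it after, is left to the operator.
set -eu

# Files (relative to confluence/WEB-INF) the workaround removes for a version.
workaround_remove_list() {
    case "$1" in
        7.15.*|7.16.*|7.17.*|7.18.0)
            echo "lib/xwork-1.0.3-atlassian-8.jar" ;;
        7.[0-9].*|7.1[0-3].*|7.14.[0-2])
            echo "lib/xwork-1.0.3.6.jar"
            echo "lib/webwork-2.1.5-atlassian-3.jar" ;;
        *)  echo "no workaround defined for version $1; upgrade instead" >&2
            return 1 ;;
    esac
}

# Files (relative to confluence/WEB-INF) the workaround adds for a version.
workaround_add_list() {
    case "$1" in
        7.15.*|7.16.*|7.17.*|7.18.0)
            echo "lib/xwork-1.0.3-atlassian-10.jar" ;;
        7.[0-9].*|7.1[0-3].*|7.14.[0-2])
            echo "lib/xwork-1.0.3-atlassian-10.jar"
            echo "lib/webwork-2.1.5-atlassian-4.jar"
            echo "classes/com/atlassian/confluence/setup/webwork/CachedConfigurationProvider.class" ;;
        *)  return 1 ;;
    esac
}

# Give $1 the mode of $2 and, when running as root, its owner and group too
# (GNU chmod/chown --reference), as the workaround asks for matching ownership.
match_perms() {
    chmod --reference="$2" "$1"
    if [ "$(id -u)" -eq 0 ]; then chown --reference="$2" "$1"; fi
}

# apply_workaround <install-dir> <version> <staging-dir> <backup-dir>
# Removed JARs are moved to <backup-dir> (outside the install tree); the
# replacements are taken from <staging-dir> by file name.
apply_workaround() {
    local install="$1" version="$2" staging="$3" backup="$4"
    local webinf="$install/confluence/WEB-INF" rel src dst ref
    workaround_remove_list "$version" >/dev/null || return 1
    mkdir -p "$backup"
    # A missing vulnerable JAR means the node is not in the state the advisory
    # describes (wrong version, already patched), so stop instead of guessing.
    for rel in $(workaround_remove_list "$version"); do
        [ -f "$webinf/$rel" ] || { echo "expected $webinf/$rel is absent" >&2; return 1; }
        mv "$webinf/$rel" "$backup/"
    done
    # Any JAR already in lib/ serves as the ownership/mode reference.
    ref=$(find "$webinf/lib" -maxdepth 1 -type f | head -n 1)
    [ -n "$ref" ] || { echo "no reference file in $webinf/lib" >&2; return 1; }
    for rel in $(workaround_add_list "$version"); do
        src="$staging/$(basename "$rel")"
        dst="$webinf/$rel"
        [ -f "$src" ] || { echo "staged file $src is missing" >&2; return 1; }
        if [ ! -d "$(dirname "$dst")" ]; then   # the new setup/webwork directory
            mkdir "$(dirname "$dst")"
            match_perms "$(dirname "$dst")" "$(dirname "$(dirname "$dst")")"
        fi
        cp "$src" "$dst"
        match_perms "$dst" "$ref"
    done
}

# verify_workaround <install-dir> <version>: 0 when every file the workaround
# removes is gone and every file it adds is present, 1 otherwise.
verify_workaround() {
    local webinf="$1/confluence/WEB-INF" rel
    workaround_remove_list "$2" >/dev/null || return 1
    for rel in $(workaround_remove_list "$2"); do
        [ ! -e "$webinf/$rel" ] || { echo "still present: $webinf/$rel" >&2; return 1; }
    done
    for rel in $(workaround_add_list "$2"); do
        [ -f "$webinf/$rel" ] || { echo "missing: $webinf/$rel" >&2; return 1; }
    done
}

# Usage: cve-2022-26134-workaround.sh apply <install-dir> <version> <staging-dir> <backup-dir>
#        cve-2022-26134-workaround.sh verify <install-dir> <version>
case "${1:-}" in
    apply)  apply_workaround "$2" "$3" "$4" "$5" ;;
    verify) verify_workaround "$2" "$3" ;;
esac
```

The verify mode is also useful on its own: run it on every cluster node after the change, and again after any later reinstall or rollback, to confirm that no node still carries the old xwork or webwork JAR.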
We hope this post helps you fix CVE-2022-26134, an unauthenticated RCE vulnerability in Confluence Server and Data Center. Please share this post and help secure the digital world. Visit our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium and Instagram, and subscribe to receive updates like this.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.