How to Fix CVE-2022-26134- A Critical Unauthenticated RCE Vulnerability in Confluence Server and Data Center

Atlassian has disclosed a critical unauthenticated remote code execution vulnerability, CVE-2022-26134, in its Confluence Server and Data Center products, and has confirmed that it is being actively exploited. Because the flaw needs no credentials and gives an attacker code execution on the Confluence host, it must be patched or mitigated without delay. This article explains how to fix CVE-2022-26134 and what to do if you cannot upgrade immediately.

What Is Confluence Server And Data Center?

Confluence Server and Confluence Data Center are the self-managed editions of Confluence: you install and run them on infrastructure you control, on-premises or in your own cloud account, unlike Confluence Cloud, which Atlassian hosts and patches. Data Center is the clustered edition for large organizations and adds high availability and horizontal scaling; Server is a single-node deployment. Because you operate the host, the Java runtime and the application, applying security fixes such as the one for CVE-2022-26134 is your responsibility, not Atlassian's. Both editions give you direct administrative control over:

  1. Granular permissions: space and page permissions decide who can read or change which content.
  2. Directory integration: user accounts and groups can be managed from Active Directory or another LDAP directory.
  3. Backup and restore: built-in backup and restore let you return to a known-good state if something goes wrong, which matters during the upgrade described below.
  4. Single sign-on: SSO lets users authenticate once for Confluence and other applications.

Summary Of CVE-2022-26134:

Atlassian has disclosed that CVE-2022-26134, a critical unauthenticated remote code execution vulnerability in Confluence Server and Data Center, is being actively exploited. It is an OGNL injection: attacker-controlled input in an unauthenticated HTTP request is evaluated as an OGNL expression by the application, so an attacker can run arbitrary code on the Confluence host with the privileges of the Confluence process. Atlassian rates the severity as critical.

Confluence Server And Data Center Versions Affected By CVE-2022-26134:

Affected Products:

  • Confluence Server
  • Confluence Data Center

Affected Versions:

All supported versions of Confluence Server and Data Center are affected.

How To Fix CVE-2022-26134- A Critical Unauthenticated RCE Vulnerability In Confluence Server And Data Center?

Atlassian has fixed the flaw in the versions listed below. Upgrade to the fixed release on your current feature branch or, preferably, to the latest long-term support release:

  • 7.4.17
  • 7.13.7
  • 7.14.3
  • 7.15.2
  • 7.16.4
  • 7.17.4
  • 7.18.1
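The following added example (not from the original article or Atlassian's advisory) turns the list above into a check you can run against a version string or an installed copy. It assumes versions are plain MAJOR.MINOR.PATCH strings, that the core jar is named confluence-<version>.jar under confluence/WEB-INF/lib (an assumption about the install layout), and that feature releases newer than 7.18.1 were built after the fix. Branches without a listed fix (for example 7.5 to 7.12) are reported vulnerable because there is no patch release to stay on; they must move to one of the versions above.

```shell
#!/bin/sh
# Added example, not from the Atlassian advisory or the original article:
# decide whether an installed Confluence Server / Data Center version already
# carries the CVE-2022-26134 fix, using the fixed versions listed above.
# Assumption: versions are plain MAJOR.MINOR.PATCH strings.

# Fixed versions per feature branch, as published by Atlassian.
FIXED_VERSIONS="7.4.17 7.13.7 7.14.3 7.15.2 7.16.4 7.17.4 7.18.1"

# vercmp A B: prints -1, 0 or 1 as A is lower than, equal to or higher than B.
# Each dot-separated component is compared numerically, so 7.13.10 > 7.13.7
# (a plain string comparison would get that wrong).
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ -n "$x" ] || x=0
        [ -n "$y" ] || y=0
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    printf '%s\n' 0
}

# confluence_status VERSION: prints "fixed" or "vulnerable".
# - On a branch with a listed fix, the patch level decides.
# - Feature releases newer than 7.18.1 were built after the fix and are treated
#   as fixed (assumption, consistent with Atlassian's advice to move to the
#   latest release).
# - Any other branch (e.g. 7.5.x to 7.12.x, which received no backport) is
#   vulnerable and must move to one of the listed versions.
confluence_status() {
    v=$1
    branch=${v%.*}                       # 7.13.6 -> 7.13
    for f in $FIXED_VERSIONS; do
        if [ "${f%.*}" = "$branch" ]; then
            if [ "$(vercmp "$v" "$f")" -ge 0 ]; then echo fixed; else echo vulnerable; fi
            return
        fi
    done
    if [ "$(vercmp "$v" 7.18.1)" -gt 0 ]; then echo fixed; else echo vulnerable; fi
}

# installed_version INSTALL_DIR: reads the version from the core jar name,
# <install>/confluence/WEB-INF/lib/confluence-<version>.jar (assumed layout).
# Prints nothing and returns 1 if no such jar is found.
installed_version() {
    for jar in "$1"/confluence/WEB-INF/lib/confluence-[0-9]*.jar; do
        [ -f "$jar" ] || return 1
        jar=${jar##*/}; jar=${jar#confluence-}
        printf '%s\n' "${jar%.jar}"
        return 0
    done
}

# Usage: ./check-confluence.sh 7.13.6                  -> "7.13.6: vulnerable"
#        ./check-confluence.sh /opt/atlassian/confluence  (reads the core jar)
if [ -n "$1" ]; then
    case $1 in
        /*) ver=$(installed_version "$1") || { echo "no Confluence core jar under $1" >&2; exit 1; } ;;
        *)  ver=$1 ;;
    esac
    echo "$ver: $(confluence_status "$ver")"
fi
```

Run it on every node, not just one: cluster nodes are upgraded individually and a lagging node is still exploitable.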

Follow these steps to upgrade your Confluence site to a fixed version on Windows or Linux.

Before you start, answer the following questions:

  • Which upgrade method is the best option?
  • Have Atlassian's supported platforms changed since your current version?
  • Are you eligible to upgrade?
  • Do you need to make changes to your environment?

  1. Plan Your Upgrade

    Use Atlassian's upgrade matrix to determine the most direct path from your current version to a fixed version.

    A no-downtime (rolling) upgrade is possible only when you move to a bug-fix release of the feature version you already run, for example from 7.13.x to 7.13.7; this is a Data Center capability.

    Enterprise releases
    A long-term support (LTS) release is a feature release that receives backported critical security fixes and bug fixes for its entire two-year support window. If you can only upgrade about once a year, move to an LTS release so that future fixes of this kind are a patch-level change rather than a feature upgrade.

  2. Complete the Pre-Upgrade Checks

    Check the Upgrade Notes for the planned upgrade version.
    * Go to Settings > General Configuration > Plan your upgrade and select the target version.

    * Go to Settings > General Configuration > Troubleshooting and support tools and run the health check.

    * Go to Settings > Manage apps > Confluence Update Check to check Marketplace app compatibility: select the target version and click Check.

  3. Upgrade Confluence in a test environment

    * Create a staging copy of the current production environment (see Atlassian's guide to creating a test environment).

    * Apply the steps below to the test environment first.

    * Test unsupported user-installed apps, customizations and the reverse-proxy configuration there before upgrading production.

  4. Take a Backup

    * Back up the database and confirm that the backup completed and is readable.
    * Back up the installation directory.
    * Back up the home directory.

  5. Download the latest Confluence file

    Download the installer for your operating system from Atlassian:
    * the latest version from the main download page;
    * a specific older fixed version (such as 7.13.7) from the download archive.

  6. Run the Installer

    1. Run the installer.

    2. Follow the prompts to upgrade Confluence.

    When prompted, select Upgrade an existing Confluence installation.
    Ensure that the suggested Existing Confluence installation directory is correct.
    Backing up the Confluence home directory is highly recommended; the installer creates a .zip backup.
    The installation wizard lists any customizations it detects. Note them, as you will need to reapply them later.

    3. The wizard shuts down the running Confluence instance, applies the update and restarts Confluence. Open it in your browser and confirm the new version number to verify that the upgrade succeeded.

  7. Copy Your Database Driver

    If you use a MySQL or Oracle database, copy the JDBC driver jar file from the existing Confluence installation directory to confluence/WEB-INF/lib in the new installation directory; these drivers are not bundled with Confluence.

  8. Reinstall the Service if Required

    If you run Confluence as a Windows service, delete the existing service and reinstall it by running <install-directory>/bin/service.bat. This ensures the service picks up the current JVM options.

  9. Reapply Any Modifications

    During the update, the wizard migrates these settings from the existing Confluence installation:

    * TCP port values in <install-directory>/conf/server.xml.
    * The location of the Confluence home directory in <install-directory>/confluence/WEB-INF/classes/confluence-init.properties.

    Reapply any other customizations you noted during the wizard by hand.

  10. Update the Reverse Proxy

    Update your reverse proxy configuration and check that Confluence is reachable through it. If you are upgrading from Confluence 5.x to 6.x or later, you must also proxy Synchrony, which collaborative editing depends on. See Atlassian's Proxy and SSL considerations for the required proxy changes.

    Once the update is complete, open Confluence and:

    * Go to Settings > General Configuration > Collaborative editing and confirm that the Synchrony status is running.
    * Edit a page to check that the browser can connect to Synchrony.
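For step 4 above, the following added example (not from the original article or Atlassian's documentation) backs up the installation and home directories before the installer runs and confirms each archive is complete and readable, which is the check that is easiest to skip. It assumes GNU tar and sha256sum; the database backup is vendor-specific (pg_dump, mysqldump and so on) and is not shown. The paths in the usage comment are the Linux defaults and are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example, not from the original article or Atlassian's documentation:
# back up the Confluence installation and home directories before an upgrade
# and confirm each archive is complete and readable.
# Assumptions: GNU tar and sha256sum are available; the database backup is
# vendor-specific (pg_dump, mysqldump, ...) and is not covered here.

# backup_dir SRC DEST_DIR: writes DEST_DIR/<basename>-<UTC timestamp>.tar.gz
# and a matching .sha256 file. The archive is verified by decompressing its
# listing and comparing the entry count with SRC, because a backup that was
# "created" but is truncated or unreadable is the one you discover during a
# failed rollback. Prints the archive path on success, returns 1 on failure.
backup_dir() {
    src=${1%/}; dest=$2
    [ -d "$src" ] || { printf 'no such directory: %s\n' "$src" >&2; return 1; }
    mkdir -p "$dest" || return 1
    name=$(basename "$src")-$(date -u +%Y%m%dT%H%M%SZ)
    archive=$dest/$name.tar.gz
    # -C keeps paths relative, so the archive restores into any parent directory.
    tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")" || return 1
    # The listing must decompress cleanly ...
    tar -tzf "$archive" >/dev/null 2>&1 || return 1
    # ... and contain every regular file and symlink of the source
    # (directory entries end in "/" and are excluded from the count).
    expected=$(find "$src" \( -type f -o -type l \) | wc -l)
    actual=$(tar -tzf "$archive" | grep -vc '/$')
    if [ "$expected" -ne "$actual" ]; then
        printf 'archive %s lists %s entries, source has %s\n' "$archive" "$actual" "$expected" >&2
        return 1
    fi
    ( cd "$dest" && sha256sum "$name.tar.gz" > "$name.tar.gz.sha256" ) || return 1
    printf '%s\n' "$archive"
}

# verify_backup ARCHIVE: re-checks the recorded checksum, e.g. right before a
# rollback restores it. Returns 0 when the archive still matches.
verify_backup() {
    ( cd "$(dirname "$1")" && sha256sum -c --status "$(basename "$1").sha256" )
}

# Usage (Linux default paths, assumed; adjust to your installation):
#   ./backup-confluence.sh /opt/atlassian/confluence \
#       /var/atlassian/application-data/confluence /var/backups/confluence
if [ $# -eq 3 ]; then
    backup_dir "$1" "$3" && backup_dir "$2" "$3"
fi
```

Keep the archives and their checksum files on storage the Confluence service account cannot write to; an attacker who already has code execution on the host (which is what this CVE provides) should not be able to alter the copy you would roll back to.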

How To Mitigate CVE-2022-26134?

If you cannot upgrade Confluence promptly, Atlassian provides a temporary workaround: replace specific files in the installation with patched versions for your product version. This is a stopgap until you upgrade, not a replacement for it, and it has to be applied on every node of a cluster.

For Confluence 7.15.0 - 7.18.0

If you run Confluence in a cluster, repeat this process on every node; you do not need to shut down the whole cluster to apply it.

  • Shut down Confluence.
  • Download the xwork-1.0.3-atlassian-10.jar file provided by Atlassian to the Confluence server.
  • Delete, or move to a location outside the Confluence install directory, the existing vulnerable file:

<confluence-install>/confluence/WEB-INF/lib/xwork-1.0.3-atlassian-8.jar

  • Copy the downloaded xwork-1.0.3-atlassian-10.jar into <confluence-install>/confluence/WEB-INF/lib/
  • Check that the permissions and ownership of the new xwork-1.0.3-atlassian-10.jar match the existing files in the same directory.
  • Start Confluence.

Repeat on every remaining node if you run a cluster.

For Confluence 7.0.0 - 7.14.2

If you run Confluence in a cluster, repeat this process on every node; you do not need to shut down the whole cluster to apply it.

  1. Shut down Confluence.
  2. Download these files provided by Atlassian to the Confluence server:
  • xwork-1.0.3-atlassian-10.jar
  • webwork-2.1.5-atlassian-4.jar
  • CachedConfigurationProvider.class

  3. Delete, or move to a location outside the Confluence install directory, these existing vulnerable files:

<confluence-install>/confluence/WEB-INF/lib/xwork-1.0.3.6.jar
<confluence-install>/confluence/WEB-INF/lib/webwork-2.1.5-atlassian-3.jar

  4. Copy the downloaded xwork-1.0.3-atlassian-10.jar into

<confluence-install>/confluence/WEB-INF/lib/

  5. Copy the downloaded webwork-2.1.5-atlassian-4.jar into

<confluence-install>/confluence/WEB-INF/lib/

  6. Check that the ownership and permissions of both new files match the existing files in the same directory.

  7. Change to the directory

<confluence-install>/confluence/WEB-INF/classes/com/atlassian/confluence/setup

  • Create a new directory named webwork.
  • Copy CachedConfigurationProvider.class into

<confluence-install>/confluence/WEB-INF/classes/com/atlassian/confluence/setup/webwork

  • Make sure the ownership and permissions are correct for

<confluence-install>/confluence/WEB-INF/classes/com/atlassian/confluence/setup/webwork
<confluence-install>/confluence/WEB-INF/classes/com/atlassian/confluence/setup/webwork/CachedConfigurationProvider.class

  8. Start Confluence.

Repeat on every remaining node if you run a cluster.
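As an added example (not part of the original article or Atlassian's advisory), the following POSIX shell script applies the file swap for either version range on one node and then checks that no vulnerable jar remains. It assumes GNU coreutils (for chmod/chown --reference), that the replacement files have already been downloaded from Atlassian into the directory you pass as DOWNLOAD_DIR (no download URLs are given here), that Confluence has been stopped before it runs and is started afterwards, and that you run it on every node of a cluster. The quarantine directory must lie outside the Confluence install directory, as the instructions above require.

```shell
#!/bin/sh
# Added example, not from Atlassian's advisory or the original article: apply
# the temporary CVE-2022-26134 file swap described above on ONE Confluence node
# and verify it. Assumptions: GNU coreutils (chmod/chown --reference); the
# replacement files were already downloaded from Atlassian into DOWNLOAD_DIR;
# Confluence is stopped before and started after; QUARANTINE_DIR is outside the
# install directory; the script is repeated on every node of a cluster.

LIB_REL=confluence/WEB-INF/lib
SETUP_REL=confluence/WEB-INF/classes/com/atlassian/confluence/setup

# install_file SRC DEST_DIR REF: copy SRC into DEST_DIR and give it the mode and
# owner of REF, so the new file matches the files around it (the "check
# permissions and ownership" step above).
install_file() {
    new=$2/${1##*/}
    cp "$1" "$new" || return 1
    chmod --reference="$3" "$new" || return 1
    # chown needs privileges; warn instead of failing when run unprivileged.
    chown --reference="$3" "$new" 2>/dev/null ||
        printf 'warning: could not set owner of %s\n' "$new" >&2
}

# mitigate_cve_2022_26134 INSTALL_DIR DOWNLOAD_DIR QUARANTINE_DIR
# Chooses the 7.15.0-7.18.0 or the 7.0.0-7.14.2 procedure from the jar that is
# present, copies the patched files in first (taking mode/owner from the file
# they replace), then moves the vulnerable jars to QUARANTINE_DIR. Returns 1 if
# neither known layout is found or any step fails.
mitigate_cve_2022_26134() {
    install=$1; dl=$2; quarantine=$3
    lib=$install/$LIB_REL
    mkdir -p "$quarantine" || return 1
    if [ -f "$lib/xwork-1.0.3-atlassian-8.jar" ]; then
        # Confluence 7.15.0 - 7.18.0: only the xwork jar changes.
        install_file "$dl/xwork-1.0.3-atlassian-10.jar" "$lib" "$lib/xwork-1.0.3-atlassian-8.jar" || return 1
        mv "$lib/xwork-1.0.3-atlassian-8.jar" "$quarantine/" || return 1
    elif [ -f "$lib/xwork-1.0.3.6.jar" ]; then
        # Confluence 7.0.0 - 7.14.2: xwork, webwork and one extra class.
        install_file "$dl/xwork-1.0.3-atlassian-10.jar" "$lib" "$lib/xwork-1.0.3.6.jar" || return 1
        install_file "$dl/webwork-2.1.5-atlassian-4.jar" "$lib" "$lib/webwork-2.1.5-atlassian-3.jar" || return 1
        mv "$lib/xwork-1.0.3.6.jar" "$lib/webwork-2.1.5-atlassian-3.jar" "$quarantine/" || return 1
        mkdir -p "$install/$SETUP_REL/webwork" || return 1
        chmod --reference="$install/$SETUP_REL" "$install/$SETUP_REL/webwork" || return 1
        install_file "$dl/CachedConfigurationProvider.class" "$install/$SETUP_REL/webwork" \
            "$lib/xwork-1.0.3-atlassian-10.jar" || return 1
    else
        printf 'no known vulnerable xwork jar in %s; nothing done\n' "$lib" >&2
        return 1
    fi
}

# verify_mitigation INSTALL_DIR: returns 0 when no vulnerable jar remains and
# the patched xwork jar is in place; prints each problem otherwise. Run it on
# every node, and again after any restore from backup, which would undo the swap.
verify_mitigation() {
    lib=$1/$LIB_REL; ok=0
    for bad in xwork-1.0.3-atlassian-8.jar xwork-1.0.3.6.jar webwork-2.1.5-atlassian-3.jar; do
        if [ -f "$lib/$bad" ]; then printf 'vulnerable file still present: %s\n' "$lib/$bad"; ok=1; fi
    done
    [ -f "$lib/xwork-1.0.3-atlassian-10.jar" ] || { printf 'missing %s\n' "$lib/xwork-1.0.3-atlassian-10.jar"; ok=1; }
    # The 7.0.0-7.14.2 procedure also needs the extra class next to the new webwork jar.
    if [ -f "$lib/webwork-2.1.5-atlassian-4.jar" ] && [ ! -f "$1/$SETUP_REL/webwork/CachedConfigurationProvider.class" ]; then
        printf 'missing %s\n' "$1/$SETUP_REL/webwork/CachedConfigurationProvider.class"; ok=1
    fi
    return $ok
}

# Usage on a stopped node (paths are assumptions; adjust to your installation):
#   ./mitigate.sh /opt/atlassian/confluence /root/cve-2022-26134 /root/cve-2022-26134/quarantine
if [ $# -eq 3 ]; then
    mitigate_cve_2022_26134 "$1" "$2" "$3" && verify_mitigation "$1" &&
        echo 'mitigation applied and verified; start Confluence now'
fi
```

The patched files are copied in before the old ones are moved out, so a failure midway leaves the directory with both versions rather than with neither; the verify step then tells you exactly which file still needs attention.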

We hope this post helps you fix CVE-2022-26134, the unauthenticated RCE vulnerability in Confluence Server and Data Center: upgrade to a fixed release where you can, apply the file swap on every node where you cannot yet, and treat that mitigation as temporary.

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional and founder of "thesecmaster.com": enthusiast, security blogger, technical writer, editor and author at TheSecMaster. To know more about me, follow me on LinkedIn.
