This vulnerability is only found in on-prem versions of Confluence Server and Confluence Data Center. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable.
On June 2, 2022, Atlassian announced that a critical remote code execution (RCE) vulnerability was found in their Confluence Server and Confluence Data Center products. It has been identified as CVE-2022-26134.
This vulnerability affects on-prem hosted versions of the products; it allows bad actors to bypass authentication and execute commands with root privileges. Successful exploits could allow attackers to gain root access to Confluence Server and Confluence Data Center. This includes installing additional backdoors, executing malicious code, and copying sensitive data back to the attacker.
On June 3, Atlassian released updated Long Term Support versions of both products that contained a fix for the vulnerability.
Is Bitsight vulnerable to CVE-2022-26134?
Bitsight is an Atlassian customer; we use the cloud version of Confluence, and are thus not exposed to the on-prem vulnerability.
- Atlassian, "Confluence Security Advisory 2022-06-02"
- Bitsight Blog, "What the Confluence vulnerability (CVE-2022-26134) means for your business"
- Volexity, "Zero-Day Exploitation of Confluence Server Vulnerability"
- Vulmon, "Vulnerability Details and Other Resources"
What You Can Do
Determine if you’re affected
According to Atlassian, all supported versions (after 1.3.0) of Confluence Server and Confluence Data Center are affected by CVE-2022-26134. Versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1 contain a fix for the vulnerability.
To determine if you’re affected, confirm which version of the software you use and make sure you have the latest update installed.
Search your portfolio
Our Security Research team is testing a plugin to identify entities who are likely to be vulnerable based on their use of specific versions of the affected products. Due to the nature of this vulnerability, we are unable to confirm with high confidence whether or not detected versions are remediated or still exposed. This low-confidence data will be available upon request once the plugin is live.
In the meantime, you can search for potentially vulnerable entities using three CVEs from previous Confluence vulnerabilities. The CVEs are:
While the vulnerabilities themselves are different from CVE-2022-26134, this method provides a proxy for use of the relevant products.
To open an instance of the Companies List filtered for these CVEs, click here.
To quickly access this filtered view in the future, select Save Filter Set.
Collaborate with third parties
Facilitate collaboration with affected third parties using the Enable Access Program.
- Contact affected organizations to confirm their use of the on-prem Confluence Server or Confluence Data Center products.
- Determine what steps they're taking to confirm or refute that they've been affected and ask that they keep you informed on the state of their investigation.