Vulnerability in Atlassian Confluence Server and Data Center allows attackers to remotely execute commands on the server

There are reports of large-scale attacks on Confluence Server exploiting the CVE-2022-26134 vulnerability, which attackers use to install web shells (for example, Behinder).

According to Atlassian's bulletin, the issue is an unauthenticated RCE vulnerability in Confluence Server and Data Center.

Confluence Server 7.18.0, and Confluence Server and Data Center 7.4.0 and above, can be considered vulnerable to attacks. Organizations using Atlassian Cloud are not affected. The largest number of intrusions recorded so far involves version 7.18.0.

The company rated the vulnerability as critical. The developers received information about it on May 31st.

During an attack, the attackers install their own JavaServer Pages web shell, which allows them to execute arbitrary code on the server and then gain full access to the attacked resource.

At the moment, Atlassian has released updates 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1 which fix the problem.

If the update cannot be installed for one reason or another, the company offers a temporary workaround:

If the system is clustered, you need to execute the instructions on each server in the cluster!

For Confluence versions 7.15.0 – 7.18.0:

  1. Stop Confluence

  2. Download file: xwork-1.0.3-atlassian-10.jar

  3. Delete the file <confluence-install>/confluence/WEB-INF/lib/xwork-1.0.3-atlassian-8.jar or move it to another directory

  4. Copy the xwork-1.0.3-atlassian-10.jar file to the /confluence/WEB-INF/lib/ directory

  5. Check permissions and owner on it

  6. Launch Confluence

For versions Confluence 7.0.0 – Confluence 7.14.2:

  1. Stop Confluence

  2. Download the following three files: xwork-1.0.3-atlassian-10.jar, webwork-2.1.5-atlassian-4.jar, CachedConfigurationProvider.class

  3. Delete the files <confluence-install>/confluence/WEB-INF/lib/xwork- and <confluence-install>/confluence/WEB-INF/lib/webwork-2.1.5-atlassian-3.jar, or move them to another directory

  4. Copy the xwork-1.0.3-atlassian-10.jar file to the /confluence/WEB-INF/lib/ directory

  5. Copy file webwork-2.1.5-atlassian-4.jar into <confluence-install>/confluence/WEB-INF/lib/

  6. Check the permissions and ownership of these new files and make sure they match the permissions of other files in this folder

  7. Go to folder <confluence-install>/confluence/WEB-INF/classes/com/atlassian/confluence/setup

  8. Create a webwork folder in it

  9. Copy the CachedConfigurationProvider.class file into it

  10. Check permissions and owner on /confluence/WEB-INF/classes/com/atlassian/confluence/setup/webwork and /confluence/WEB-INF/classes/com/atlassian/confluence/setup/webwork/CachedConfigurationProvider.class

  11. Launch Confluence
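
A post-change check for both workaround procedures above, as an added example that is not from Atlassian or the original article. It confirms on one node that the replaced JARs are gone from lib/, that the new files are present, and that their owner and mode match another JAR in the same folder. The function name `check_workaround` and the `new`/`old` labels are made up for this example, and it assumes bash and GNU stat.

```bash
#!/usr/bin/env bash
# Added example (not Atlassian's code): audit one node after the workaround.
#   check_workaround <confluence-install> <new|old>
#   new = 7.15.0 - 7.18.0 steps, old = 7.0.0 - 7.14.2 steps
# Prints one finding per line; returns 0 when clean, 1 otherwise.
# Assumes bash and GNU stat (Linux).

check_workaround() {
    local root=$1 range=$2 rc=0 f ref=""
    local lib="$root/confluence/WEB-INF/lib"
    local cls="$root/confluence/WEB-INF/classes/com/atlassian/confluence/setup/webwork"
    local need=("$lib/xwork-1.0.3-atlassian-10.jar")
    local stale=("$lib"/xwork-1.0.3-atlassian-*.jar)
    if [ "$range" = old ]; then
        need+=("$lib/webwork-2.1.5-atlassian-4.jar" "$cls/CachedConfigurationProvider.class")
        stale+=("$lib/webwork-2.1.5-atlassian-3.jar")
    fi

    # Assumption: any xwork-1.0.3-atlassian build other than -10 left in lib/
    # is the replaced JAR (the page truncates the file name for the older range).
    for f in "${stale[@]}"; do
        if [ -e "$f" ] && [ "${f##*/}" != xwork-1.0.3-atlassian-10.jar ]; then
            echo "STALE $f"; rc=1
        fi
    done

    # Reference for owner and mode: a JAR in lib/ that the workaround did not add.
    for f in "$lib"/*.jar; do
        case "${f##*/}" in
            xwork-1.0.3-atlassian-10.jar|webwork-2.1.5-atlassian-4.jar) continue ;;
        esac
        if [ -f "$f" ]; then ref=$f; break; fi
    done

    for f in "${need[@]}"; do
        if [ ! -f "$f" ]; then echo "MISSING $f"; rc=1; continue; fi
        [ -n "$ref" ] || continue
        if [ "$(stat -c '%U:%G' "$f")" != "$(stat -c '%U:%G' "$ref")" ]; then
            echo "OWNER $f"; rc=1
        fi
        if [ "$(stat -c '%a' "$f")" != "$(stat -c '%a' "$ref")" ]; then
            echo "MODE $f"; rc=1
        fi
    done
    return "$rc"
}

# Run against a real install when called with two arguments.
if [ "$#" -eq 2 ]; then check_workaround "$@"; fi
```

On a clustered system, run it on every node, since the workaround has to be applied to each server in the cluster.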