
Confluence Vulnerability CVE-2022-26134

Overview

A Confluence vulnerability emerged on the evening of June 2, 2022. Limited information was provided at the time of disclosure, which can be a good thing: it slows attackers while a patch is developed. The currently known vulnerability details can be found in the vendor advisory below.

https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html

Due to this, access to the institutional Confluence install at commons.lbl.gov was temporarily restricted to authenticated LBL accounts only. This means that even content that was open to the public is temporarily available only via LBL login. If your content was previously restricted to specific LBL accounts, that restriction remains.

Many of our peer organizations are taking similar emergency action to block or restrict access to Confluence. 

Next Steps

We are continuing to evaluate the situation and take action to protect the Lab. The current restriction will be removed as soon as a better mitigation, such as a patch from the Confluence vendor, emerges.

Update: The Confluence vendor has informed us a patch will be released on June 3, 2022. We expect to apply this patch as soon as it becomes available and possibly lift the restrictions on June 3 as well.

Update 2022-06-05 11:30AM: The Lab's main Confluence installation, commons.lbl.gov, has been patched and the temporary restrictions put in place on June 2nd have been lifted.

More information

This writeup documents active in-the-wild exploitation of the vulnerability.

https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/

Questions

If you have any further questions, please write us at [email protected]