Confluence Vulnerability CVE-2022-26134
A Confluence vulnerability emerged on the evening of June 2, 2022. Limited information was provided at the time of disclosure, which can be a good thing to slow attackers while a patch is developed. The currently known vulnerability details can be found here.
Due to this, access to the institutional Confluence install at commons.lbl.gov was temporarily restricted to authenticated LBL accounts only. This means that even content that was open to the public is temporarily only available via LBL login. If your content was previously restricted to specific LBL accounts, that restriction remains.
Many of our peer organizations are taking similar emergency action to block or restrict access to Confluence.
We are continuing to evaluate the situation and take action to protect the Lab. The current restriction will be removed as soon as a better mitigation, such as a patch from the Confluence vendor, emerges.
Update: The Confluence vendor has informed us a patch will be released on June 3, 2022. We expect to apply this patch as soon as it becomes available and possibly lift the restrictions on June 3 as well.
Update 2022-06-05 11:30AM: The Lab's main Confluence installation, commons.lbl.gov, has been patched and the temporary restrictions put in place on June 2nd have been lifted.
This writeup demonstrates active exploitation.
If you have any further questions, please write us at [email protected]