Threat Advisory

Atlassian Zero-day Vulnerability

June 7, 2022 | By Accorian

A critical remote code execution vulnerability was discovered in Atlassian’s Confluence Server and Data Centre products. The vulnerability has been assigned CVE-2022-26134 and is actively being exploited in the wild. All supported versions of Confluence Server and Data Centre are affected; however, it is anticipated that all versions of the enterprise solution are potentially vulnerable. A successful attack can result in an unauthenticated attacker gaining remote code execution on the unpatched server.

CVE-2022-26134 was detected by a cybersecurity firm, Volexity. Volexity also discovered that the zero-day vulnerability was used to install a BEHINDER JSP web shell, allowing the attackers to execute commands on the vulnerable server remotely. Along with the BEHINDER web shell, the attackers also deployed the China Chopper web shell and a simple file upload tool as a backup mechanism to maintain access to the compromised server.

On Friday, June 3, Atlassian released patches that address the vulnerability. The patched versions are 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1. If it is not feasible to upgrade immediately, Atlassian has suggested that customers restrict access to Confluence Server and Data Centre instances from the internet or disable the instances altogether. Atlassian also urged implementing a web application firewall (WAF) rule that blocks URLs containing “${” to reduce the risk.

Accorian recommends ensuring that the latest patches have been installed along with the workarounds released by Atlassian. 

Accorian can help identify such vulnerabilities in your environment. Simply reply to this mail and one of our team members will get in touch with you.

