Atlassian has warned users of its Confluence collaboration tool that they should either restrict internet access to the software, or disable it, in light of a critical-rated unauthenticated remote-code-execution flaw in the product that is actively under attack.
An advisory dated June 2 at 1300 PT (2000 UTC) does not describe the nature of the flaw, but reveals that “current active exploitation” has been detected. No patch is available.
The flaw is present in version 7.18 of Confluence Server, which is under attack, as well as potentially versions 7.4 and higher of Confluence Server and Confluence Data Center. Version 7.4 is a long-term support edition.
“There are currently no fixed versions of Confluence Server and Data Center available,” the advisory states. “Atlassian is working with the highest priority to issue a fix.”
Atlassian suggests that while customers wait for the fix to land, they “should work with their security team to consider the best course of action.” The Australian software house’s “options to consider” are:
- Restricting Confluence Server and Data Center instances from the internet.
- Disabling Confluence Server and Data Center instances.
The first option is probably easier for most users to implement, though it could cause significant disruption for remote workers unless there’s some kind of VPN solution in place. The second will definitely cause significant internal disruption.
No timeframe has been offered for delivery of a fix, nor has Atlassian offered any hint about the complexity of the work required to address the issue.
While any critical-rated flaw that’s under attack is very bad news, many Atlassian users may have dodged the bullet because version 7.18 of Confluence Server was announced on May 30 and is therefore unlikely to be widely deployed. Indeed, few may have been planning to adopt the new code, as version 7.19 is designated as a Long Term Support release.
Users of Confluence 7.4 have more to worry about, as that version was released in April 2020, and it is “potentially vulnerable,” according to Atlassian.
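Deciding which instances need the advisory's mitigation starts with an accurate version inventory, and plain string comparison gets Confluence versions wrong ("7.18" sorts below "7.4" lexically). The following triage helper is an added example, not Atlassian's code or tooling; it encodes the article's version statements (7.18 confirmed under attack, 7.4 and higher potentially vulnerable) and the host names and versions in it are constructed.

```python
"""Triage helper for CVE-2022-26134 as described in the article:
7.18 confirmed under active attack, 7.4 and higher potentially vulnerable,
no fixed version available. Added example, not Atlassian's code."""
import re
from typing import Iterable, List, Tuple

CONFIRMED_MINOR = (7, 18)   # release seen under active exploitation
POTENTIAL_FLOOR = (7, 4)    # advisory: 7.4 and higher potentially vulnerable


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '7.4.17' into (7, 4, 17) so comparisons are numeric, not lexical.
    Only the leading digits of each component count ('0-rc1' -> 0)."""
    parts: List[int] = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            raise ValueError(f"unparseable version component {piece!r} in {text!r}")
        parts.append(int(match.group()))
    while len(parts) < 3:          # pad so (7, 18) and (7, 18, 0) compare equal
        parts.append(0)
    return parts[0], parts[1], parts[2]


def classify(version: str) -> str:
    """Map a version string onto the article's three buckets."""
    v = parse_version(version)
    if v[:2] == CONFIRMED_MINOR:
        return "confirmed-exploited"
    if v[:2] >= POTENTIAL_FLOOR:
        return "potentially-vulnerable"
    # Below the range the advisory names; not a statement that it is safe.
    return "outside-advisory-range"


def triage(inventory: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """inventory: (hostname, version) pairs. Hosts that most urgently need the
    advisory's mitigation (restrict from the internet, or disable) come first."""
    order = {"confirmed-exploited": 0, "potentially-vulnerable": 1,
             "outside-advisory-range": 2}
    rows = [(host, ver, classify(ver)) for host, ver in inventory]
    return sorted(rows, key=lambda r: order[r[2]])


if __name__ == "__main__":
    # constructed sample inventory; hostnames and versions are placeholders
    sample = [("wiki-int.example", "7.4.17"),
              ("wiki-new.example", "7.18.0"),
              ("wiki-old.example", "6.13.2")]
    for host, ver, verdict in triage(sample):
        print(f"{host:20} {ver:8} {verdict}")
```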
News of the flaw, tracked as CVE-2022-26134, comes after Atlassian’s cloud services experienced a two-week outage in April 2022. ®