CVE-2022-26134 Atlassian CVE debrief

Who should care

Security and infrastructure teams responsible for Atlassian Confluence Server/Data Center should treat this as urgent, especially if any instance is reachable from the internet or otherwise difficult to isolate.

Technical summary

The source corpus identifies CVE-2022-26134 as a remote code execution issue in Atlassian Confluence Server/Data Center. CISA’s KEV entry classifies it as known exploited and notes known ransomware campaign use. The listed remediation guidance is to immediately block all internet traffic to and from affected products and apply the vendor update per Atlassian’s security advisory, or remove affected products by the due date.

Defensive priority

Highest priority. This is a KEV-listed vulnerability with active exploitation indicators and a short remediation window, so exposure reduction and patching/removal should be immediate.

Recommended defensive actions

• Immediately block all internet traffic to and from affected Atlassian Confluence Server/Data Center systems, consistent with CISA guidance.
• Apply the vendor update using Atlassian’s security advisory and change guidance.
• If patching cannot be completed by the due date, remove the affected product from service.
• After successful update, reassess and relax internet-blocking rules only as appropriate.
• Verify whether any Confluence instances are affected and track remediation completion against the KEV due date.

Evidence notes

Based on the supplied CISA KEV source item and timeline fields: published 2022-06-02, modified 2022-06-02, KEV date added 2022-06-02, due date 2022-06-06, and known ransomware campaign use marked as Known. The source item’s required action explicitly instructs blocking internet traffic and applying the vendor update per Atlassian’s advisory.

Official resources