Detecting and mitigating CVE-2022-26134: Zero day at Atlassian Confluence

A new zero day vulnerability, actively exploited in the wild, has been found in Atlassian Confluence. The vulnerability CVE-2022-26134 affects all supported versions of Confluence Server and Confluence Data Center, allowing an unauthenticated user to run arbitrary commands remotely.

The Atlassian team confirmed the vulnerability with an official tweet and then also published a security advisory to update its customers.

It is not yet clear which versions of Confluence Server and Confluence Data Center were the earliest affected. What is known is that the vulnerability is already being exploited by attackers and that no patches are available at the time of this writing.


In this article, we are going to cover what we currently know about vulnerability CVE-2022-26134, why it is so dangerous, and how to detect it with Falco rules.

What is Atlassian Confluence?

Confluence is a very popular wiki tool that simplifies team collaboration and knowledge sharing.

In August 2021, Atlassian disclosed the vulnerability CVE-2021-26084 that could enable a threat actor to run arbitrary code on unpatched Confluence Server and Data Center instances.

Almost one year later, during the Memorial Day weekend in the United States, Volexity discovered a new vulnerability in Confluence. Suspicious activity detected during a Volexity incident investigation yielded evidence that a previously unknown vulnerability was being exploited in the wild.

CVE-2022-26134 is a critical vulnerability allowing remote code execution by unauthenticated users. At present there are no patches available, nor has any proof of concept been released. Volexity has suggested that multiple threat actors are currently leveraging this exploit.

The impact of CVE-2022-26134

The impact of the vulnerability CVE-2022-26134 is widespread because it affects all supported versions of Confluence Server and Data Center.

Atlassian Cloud sites are not affected by this vulnerability.

Exploiting this vulnerability allows remote command execution on the impacted systems by unauthenticated users. This means that attackers can run arbitrary commands and gain full control of an affected Confluence environment without any authentication.

In a nutshell, as long as any impacted Confluence Server or Data Center instance is reachable on the network it can be exploited by malicious actors. For this reason, this vulnerability is considered critical. However, at the time of this writing, a CVSS score has not yet been assigned to the CVE.

No exploits have been publicly disclosed yet. The complexity and details of the exploit are not known yet, which makes prevention and detection difficult.

Detecting CVE-2022-26134

The Volexity blog post reported the attack found on their customers' hosts.

What immediately sounds suspicious in the scenario they reported is that the execution dumped from the hosts' memory belonged to a strange process tree: a bash process spawned by a python process, whose parent was another bash process, with the java process at the root of the chain. This kind of execution can be easily detected with Falco.

Falco, a CNCF incubating project, is an open source tool that detects anomalous executions at runtime in your cloud-native environments. In order to detect suspicious runs, like the process tree described before, you can use this Falco rule:

# Leaf shell spawned by python, whose parent is a shell started by java
- macro: java_bash_python_bash
  condition: proc.name in (shell_binaries) and proc.pname contains "python" and proc.aname[2] in (shell_binaries) and proc.aname[3]=java
# Shorter chain: shell spawned by python started directly by java
- macro: java_python_bash
  condition: proc.name in (shell_binaries) and proc.pname contains "python" and proc.aname[2]=java
- rule: Suspicious Java Child Processes
  desc: Detect suspicious process trees involving Java that are used to exploit Remote Code Execution
  condition: spawned_process and (java_bash_python_bash or java_python_bash)
  output: Detecting Suspicious Java Child Processes (command=%proc.cmdline user_loginuid=%user.loginuid image=%container.image.repository)
  priority: WARNING

Moreover, the Volexity team has also provided IoCs: IP addresses observed exploiting or interacting with the Confluence servers. If you want to be alerted whenever one of your instances opens an outbound connection to any of these indicators, fill the c2_server_ip_list list with the reported IP addresses and use the following rule:

- list: c2_server_ip_list
  items: []
- rule: Outbound Connection to C2 Servers
  desc: Detect outbound connection to command & control servers
  condition: outbound and fd.sip in (c2_server_ip_list)
  output: Outbound connection to C2 server (command=%proc.cmdline user_loginuid=%user.loginuid image=%container.image.repository)
  priority: WARNING
  tags: [network]
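To make the matching semantics of the two rules above concrete, here is an added Python example (not code from the Sysdig post and not Falco itself) that re-implements their conditions over a constructed process table and a constructed connection event. It assumes a subset of Falco's default shell_binaries list and uses RFC 5737 documentation addresses as placeholders for the real IoC list, which is not reproduced here; the Proc and ProcTable names are this example's own.

```python
# Constructed example, not code from the Sysdig post or from Falco itself.
# It re-implements the matching logic of the two rules above in plain Python
# so that the ancestry conditions (proc.name / proc.pname / proc.aname[N])
# and the outbound C2 check (fd.sip in list) can be exercised offline.
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed subset of Falco's default shell_binaries list.
SHELL_BINARIES = {"bash", "sh", "dash", "zsh", "ksh", "csh", "tcsh", "fish"}

# Placeholder for the IoC addresses from the Volexity report (not reproduced
# here); RFC 5737 documentation addresses are used as constructed samples.
C2_SERVER_IP_LIST = {"198.51.100.7", "203.0.113.42"}


@dataclass
class Proc:
    pid: int
    name: str            # executable name, like Falco's proc.name
    ppid: Optional[int]  # None for the root of the tree


class ProcTable:
    """Minimal process table answering what Falco's proc.aname[N] fields
    answer: [1] is the parent, [2] the grandparent, and so on."""

    def __init__(self, procs: List[Proc]) -> None:
        self.by_pid: Dict[int, Proc] = {p.pid: p for p in procs}

    def ancestor_names(self, pid: int) -> List[str]:
        names: List[str] = []
        proc = self.by_pid.get(pid)
        while proc is not None and proc.ppid is not None:
            proc = self.by_pid.get(proc.ppid)
            if proc is None:
                break
            names.append(proc.name)
        return names

    def aname(self, pid: int, n: int) -> str:
        """proc.aname[n]; empty string when the tree is shallower than n."""
        names = self.ancestor_names(pid)
        return names[n - 1] if 0 < n <= len(names) else ""


def java_bash_python_bash(table: ProcTable, pid: int) -> bool:
    """Mirror of the java_bash_python_bash macro: shell <- python <- shell <- java."""
    proc = table.by_pid[pid]
    return (proc.name in SHELL_BINARIES
            and "python" in table.aname(pid, 1)
            and table.aname(pid, 2) in SHELL_BINARIES
            and table.aname(pid, 3) == "java")


def java_python_bash(table: ProcTable, pid: int) -> bool:
    """Mirror of the java_python_bash macro: shell <- python <- java."""
    proc = table.by_pid[pid]
    return (proc.name in SHELL_BINARIES
            and "python" in table.aname(pid, 1)
            and table.aname(pid, 2) == "java")


def suspicious_java_child(table: ProcTable, pid: int) -> bool:
    """Condition of the 'Suspicious Java Child Processes' rule for a spawned pid."""
    return java_bash_python_bash(table, pid) or java_python_bash(table, pid)


def outbound_to_c2(server_ip: str) -> bool:
    """Condition of the 'Outbound Connection to C2 Servers' rule (fd.sip in list)."""
    return server_ip in C2_SERVER_IP_LIST


# Constructed process trees: one matching the reported chain, one matching the
# shorter macro, and a benign sibling whose leaf is not a shell.
SAMPLE_TABLE = ProcTable([
    Proc(1, "java", None), Proc(2, "bash", 1), Proc(3, "python3", 2), Proc(4, "bash", 3),
    Proc(10, "java", None), Proc(11, "python3", 10), Proc(12, "sh", 11),
    Proc(20, "java", None), Proc(21, "bash", 20), Proc(22, "python3", 21), Proc(23, "curl", 22),
])

if __name__ == "__main__":
    for pid in (2, 4, 12, 23):
        print(pid, SAMPLE_TABLE.by_pid[pid].name, suspicious_java_child(SAMPLE_TABLE, pid))
    print("198.51.100.7", outbound_to_c2("198.51.100.7"))
```

Note that the bash process directly under java (pid 2 in the sample) does not match either macro: only the shell at the bottom of the java, shell, python, shell chain, or of the java, python, shell chain, triggers the rule, which is what keeps ordinary java-launched shell scripts from alerting.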

These indicators, along with many others, are already provided to Sysdig customers and will be constantly updated as the Sysdig Threat Research Team discovers them.

Mitigating CVE-2022-26134

We strongly recommend that you update your vulnerable instances as soon as a patch is released. As there are no patches to fix this vulnerability available yet, the Atlassian security advisory suggests:

  • Enforce access restrictions to the Confluence Server and Data Center instances from the internet.
  • Disable Confluence Server and Data Center instances.

As an alternative to the previous two approaches, which are certainly the safest and most effective, implementing a WAF (Web Application Firewall) rule that blocks URLs containing ${ may reduce your risk. This string is often used for template or variable replacement.

It is not confirmed yet that this will provide any actual protection from this vulnerability being exploited.
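As an added illustration of the kind of check such a WAF rule performs, here is a Python example that is not code from the Sysdig post or from Atlassian. It applies the "${" test to the path and query of a request target, both as received and after one round of percent-decoding; decoding before matching is this example's own assumption, not something the post states, and the sample request targets are constructed.

```python
# Constructed example, not code from the Sysdig post. It shows the check a WAF
# rule of the kind described above would perform on a request target, applied
# to the raw target and to its single percent-decoded form, since "${" can
# arrive as "%24%7B" as well as literally (decoding is an assumption here).
from urllib.parse import unquote, urlsplit


def request_target(url: str) -> str:
    """Path plus query string of a full URL or an origin-form request target."""
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")


def contains_template_marker(url: str) -> bool:
    """True if the request target contains '${' literally or percent-encoded."""
    target = request_target(url)
    return "${" in target or "${" in unquote(target)


def waf_decision(url: str) -> str:
    """'block' for targets carrying the marker, 'allow' otherwise."""
    return "block" if contains_template_marker(url) else "allow"


# Constructed sample request targets.
SAMPLE_TARGETS = [
    "/pages/viewpage.action?pageId=123",
    "/${x}/",
    "/%24%7Bx%7D/",
]

if __name__ == "__main__":
    for target in SAMPLE_TARGETS:
        print(waf_decision(target), target)
```

Such a rule is a stopgap: as the post notes, it is not confirmed to protect against this vulnerability, so it should sit alongside the access restrictions recommended by Atlassian rather than replace them.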


The CVE-2022-26134 is a new critical vulnerability affecting all the supported versions of Confluence Server and Data Center.

It is already being exploited in the wild by malicious actors to run arbitrary commands and gain full control over the impacted systems. Until a patch is published by the Atlassian team, the suggestion for preventing any exposure of impacted instances is to disable them or to restrict their access from the internet.

If you are unable to take these actions, you can adopt Falco to detect possible intrusions.


The post Detecting and mitigating CVE-2022-26134: Zero day at Atlassian Confluence appeared first on Sysdig.
