A patched release has been published for the critical zero-day in Atlassian's Confluence product tracked as CVE-2022-26134.
Atlassian advised Confluence customers to update immediately and, where updating is not yet possible, to block the strings ${ and $%7B (the URL-encoded form of the same characters) on their WAF devices.
Related link: https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
Update: This advisory has been updated since its original publication.
Specific updates include:
03 Jun 2022 10 AM PDT (Pacific Time, -7 hours)
- Updated with the fixed versions
- Removed interim advice about adding a WAF rule from the What You Need to Do section
03 Jun 2022 8 AM PDT (Pacific Time, -7 hours)
- Updating mitigation information to include replacement jar and class files
03 Jun 2022
- Clarifying the affected versions
- Adding a WAF rule to the What You Need to Do section
- Adding estimated timeframe for fixes to be available
Summary: CVE-2022-26134 – Critical severity unauthenticated remote code execution vulnerability in Confluence Server and Data Center
Advisory Release Date: 02 Jun 2022 1 PM PDT (Pacific Time, -7 hours)
Affected Products: Confluence Server, Confluence Data Center
Affected Versions: All supported versions of Confluence Server and Data Center are affected. Confluence Server and Data Center versions after 1.3.0 are affected.
Fixed Versions: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, 7.18.1