Ambientia's response to Atlassian CVE-2022-26134
Incident Report for Ambientia
Resolved
All immediately required actions have now been completed. We are closely monitoring the situation and are prepared to plan and implement additional actions, if the situation necessitates it.

You should consider patching as only a short-term mitigation to security vulnerabilities.

Ambientia strongly recommends upgrading to a supported and fixed version of Confluence as the long-term solution to this security vulnerability. We will be in touch with our customers regarding upgrades shortly.
Posted Jun 06, 2022 - 13:28 EEST
Update
The patch has now been applied to all applicable Confluence instances under Ambientia's management.
Posted Jun 04, 2022 - 16:08 EEST
Update
We have begun the patching process and estimate that we are able to restore Ambientia-managed Confluence installations to a mitigated, working state during the next few hours. We will also remove any temporary IP-address restrictions that were put in place on Friday after the mitigation has been completed.

Atlassian has released mitigation instructions for Confluence version 7.0.0 and above. The mitigation has not been tested on older Confluence versions, such as 6.x. We will assess the feasibility of patching these older installations as well, but in the case that we are not able to apply the patch to an installation, we will be in contact with affected customers regarding the situation later today (Saturday, 4th of June).
Posted Jun 04, 2022 - 10:52 EEST
Update
We have completed the planned service shutdowns.

We are now contacting customers regarding arranging IP-restricted access to their Confluence instances while we wait for the patch to be published.
Posted Jun 03, 2022 - 13:14 EEST
Update
We have begun the shutdown process for Confluence installations that are exposed to the internet. If your Confluence installation has been shut down, you can expect us to contact you within the coming hours to see if we are able to arrange IP-restricted access to your Confluence installation for the time being.

Atlassian estimates that a fix for supported versions of Confluence will become available by end-of-day June 3 Pacific Daylight Time. This means that our customers can expect the patch to be applied sometime during Saturday 4th of June at the earliest. We are closely monitoring the situation and will start the patching process as soon as possible.

As always, you should consider patching as only a short-term mitigation to security vulnerabilities. Ambientia strongly recommends upgrading to a supported and fixed version of Confluence as the long-term solution to this security vulnerability.
Posted Jun 03, 2022 - 10:53 EEST
Identified
On the morning of Friday 3rd of June 2022, Ambientia was made aware of a zero-day vulnerability in Atlassian Confluence. Using this vulnerability, a remote, unauthenticated attacker can execute arbitrary code on the target system with the privileges of the user the Confluence software is running as.

As of Friday 3.6. 09:00 EEST there is no patch for this vulnerability, yet it is actively exploited in the wild. The current understanding is that the vulnerability affects all (or nearly all) Confluence versions to date.

To protect our customers from this vulnerability, we have decided to take the following course of action:

1) All Confluence instances managed by Ambientia and accessible from the public internet will be shut down while we wait for the patch to become available
2) We will be in contact with our customers to see if it is possible to temporarily arrange access to their Confluence instance by allowlisting customers' IP ranges
3) When Atlassian issues a patch for the issue, we will install it without delay and bring all Confluence installations back up and remove any IP access restrictions (if any) that have been temporarily put in place

Atlassian's official advisory can be found here: https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html

We are actively monitoring the situation and will start the patching process as soon as a patch becomes available.

Please note that this vulnerability does not affect the Atlassian Cloud version of Confluence.
Posted Jun 03, 2022 - 09:10 EEST