Confluence issued a security advisory for a critical vulnerability impacting Confluence Data Center & Server, which is commonly used for collaboration and development. Note that the vulnerability does not impact Atlassian-hosted SaaS applications. Atlassian warns that customers running out-of-date versions are vulnerable to exploitation, including remote code execution by attackers. We recommend your organization immediately update to the latest version.
This vulnerability affects out-of-date Confluence Data Center and Server 8 versions released before Dec. 5, 2023 as well as 8.4.5, which no longer receives backported fixes in accordance with Atlassian’s Security Bug Fix Policy.
Corvus has observed similar vulnerabilities lead to data theft and ransomware attacks. There are no known workarounds for this vulnerability. To remediate, update each affected product installation to the latest version.
Note: Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.
We encourage your organization to take the following steps to mitigate against potential attack:
Fixed Versions: 8.5.4 (LTS)
Latest Versions: 8.5.5 (LTS)
Fixed Versions: 8.6.0 (Data Center Only), 8.7.1 (Data Center Only)
Latest Versions: 8.7.2 (Data Center Only)