CVE-2022-26134

Applies specifically to Confluence 7.5 on AWS CloudFormation deployment using QuickStart templates, but can be generalised. Refer to the Atlassian documentation for full details: https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
This issue can also be addressed by upgrading to any of the following versions, or later...
  • 7.4.17 (LTS)

  • 7.13.7 (LTS)

  • 7.14.3

  • 7.15.2

  • 7.16.4

  • 7.17.4

  • 7.18.1

Logged in to AWS Confluence Node (as ec2-user)...

sudo su - root

systemctl stop confluence

mv /opt/atlassian/confluence/current/confluence/WEB-INF/lib/xwork-1.0.3.6.jar /tmp

mv /opt/atlassian/confluence/current/confluence/WEB-INF/lib/webwork-2.1.5-atlassian-3.jar /tmp

mv /tmp/xwork-1.0.3-atlassian-10.jar /opt/atlassian/confluence/current/confluence/WEB-INF/lib

mv /tmp/webwork-2.1.5-atlassian-4.jar /opt/atlassian/confluence/current/confluence/WEB-INF/lib

mkdir /opt/atlassian/confluence/current/confluence/WEB-INF/classes/com/atlassian/confluence/setup/webwork

mv /tmp/CachedConfigurationProvider.class /opt/atlassian/confluence/current/confluence/WEB-INF/classes/com/atlassian/confluence/setup/webwork

systemctl start confluence

Once you are happy that the Change is successful...

rm /tmp/xwork-1.0.3.6.jar

rm /tmp/webwork-2.1.5-atlassian-3.jar
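Before declaring the change successful, it helps to confirm the swap actually landed. The following check is an added example, not part of the procedure above or of the Atlassian advisory; it assumes the same file names as the steps above and takes the Confluence web-app directory as its only argument.

```shell
#!/bin/sh
# Added example: verify the CVE-2022-26134 file swap on a Confluence node.
# Usage: check_confluence_mitigation /opt/atlassian/confluence/current/confluence
# Returns 0 only when every check passes; each finding is printed.
check_confluence_mitigation() {
    webinf="$1/WEB-INF"
    lib="$webinf/lib"
    classdir="$webinf/classes/com/atlassian/confluence/setup/webwork"
    status=0

    # The vulnerable jars moved to /tmp must no longer be in WEB-INF/lib.
    for bad in xwork-1.0.3.6.jar webwork-2.1.5-atlassian-3.jar; do
        if [ -e "$lib/$bad" ]; then
            echo "FAIL: vulnerable $bad still present in $lib"
            status=1
        else
            echo "ok:   $bad removed"
        fi
    done

    # The replacement jars and the class file must exist and be non-empty.
    for good in "$lib/xwork-1.0.3-atlassian-10.jar" \
                "$lib/webwork-2.1.5-atlassian-4.jar" \
                "$classdir/CachedConfigurationProvider.class"; do
        if [ -s "$good" ]; then
            echo "ok:   $(basename "$good") present"
        else
            echo "FAIL: $(basename "$good") missing or empty"
            status=1
        fi
    done

    # Exactly one xwork jar should remain; an extra copy means the swap was incomplete
    # and the class loader may still pick up the old version.
    set -- "$lib"/xwork-*.jar
    if [ "$#" -ne 1 ] || [ ! -e "$1" ]; then
        echo "FAIL: expected exactly one xwork jar in $lib, found: $*"
        status=1
    fi

    return $status
}
```

Run it as root after systemctl start confluence and before removing the copies from /tmp, so a failed check can still be backed out by moving the original files back.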

If you need to back out after the vulnerable jar files are deleted, you should terminate the AWS instance, which should restart without this mitigation in place.

Note that you will also need to perform any other manual configuration changes you may have deployed for other issues.