Skip to main content

CVE-2022-26134 - Confluence RCE

This Playbook is part of the CVE-2022-26134 - Confluence RCE Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

Atlassian has been made aware of the current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server. The OGNL injection vulnerability allows an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance.

All versions of Confluence Server and Data Center prior to the fixed versions listed above are affected by this vulnerability.

Atlassian has released the following versions to address this issue:

Released versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, and 7.18.1 which contain a fix for this issue.

This playbook includes the following tasks:

  • Collect detection rules.
  • Exploitation patterns & IoCs hunting using PANW Next-Generation Firewalls and 3rd party SIEM products.
  • Cortex Xpanse policies coverage.
  • Provides Atlassian workarounds and patched versions.

More information:

Threat Brief: Atlassian Confluence Remote Code Execution Vulnerability (CVE-2022-26134) Confluence Security Advisory 2022-06-02

Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • QRadar Indicator Hunting V2
  • Panorama Query Logs
  • Palo Alto Networks - Hunting And Threat Detection
  • Splunk Indicator Hunting
  • Block Indicators - Generic v3
  • QRadar search for suspicious Java child process


  • Elasticsearch v2


  • http
  • IsIntegrationAvailable
  • ParseHTMLIndicators


  • extractIndicators
  • expanse-get-issues
  • closeInvestigation
  • createNewIndicator
  • splunk-search
  • search
  • associateIndicatorsToIncident

Playbook Inputs#

NameDescriptionDefault ValueRequired
SplunkEarliestTimeSplunk search earliest time.-7d@dOptional
SplunkLatestTimeSplunk search latest time.nowOptional
SplunkIndexThe Splunk index field to search in.
Default is "*"
EDLDomainBlocklistThe EDL domain blocklist name.Optional
BlockIndicatorsAutomaticallyWhether to block the indicators automatically or not.TrueOptional
QRadarTimeRangeThe time range for QRadar query.Last 7 DAYSOptional
ElasticIndexElastic's index name in which to search.Optional
UserVerificationPossible values: True/False.
Whether to provide user verification for blocking IPs.

False - No prompt will be displayed to the user.
True - The server will ask the user for blocking verification and will display the blocking list.
Should the given indicators be automatically blocked, or should the user be given the option to choose?

If set to False - no prompt will appear, and all provided indicators will be blocked automatically.
If set to True - the user will be prompted to select which indicators to block.

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#

CVE-2022-26134 - Confluence RCE