On June 2, Atlassian released a security advisory for their Confluence Server and Data Center apps, detailing a critical remote code execution vulnerability. This vulnerability is CVE-2022-26134 Confluence Server and Data Center versions greater than 1.3.0. On Friday, June 3rd, the US Cybersecurity and Infrastructure Security Agency issued an advisory in which it urged companies affected by this CVE to “block all internet traffic to and from those devices until an update is available and successfully applied.” On the same day at 1845 UTC, Atlassian released a patch and all Confluence customers should have updated immediately.
For NetFoundry customers, CVE-2022-026134 was mainly a non-event. NetFoundry customers were default protected, because NetFoundry’s secure by design architecture uniquely enables our customers to close all the inbound firewall ports in front of their self-hosted Confluence servers. They were compliant to the CISA advisory already.
This meant the vulnerability could not be accessed from unauthorized endpoints. Importantly, it meant NetFoundry customers could do patch testing and implementation on their terms – there wasn’t a dangerous fire burning in the meantime.
Nor did NetFoundry customers need to rush to adjust all their firewall rules – their firewalls in front of their Confluence servers were already set with one simple inbound firewall rule: deny-all.
NetFoundry Mitigation of CVE-2022-026134
As defined by MITRE ATT&CK, the NetFoundry Secure by Design approach acts proactively to disrupt the Reconnaissance and Initial Access Tactics by making targeted applications unreachable from the networks. In practice, this means NetFoundry customers gain an additional layer of security, even against zero day vulnerabilities, because the solution makes it extraordinarily difficult for actors to reach those vulnerabilities.
Of course, breaches are always possible, and so the NetFoundry zero trust networking solution leverages app level microsegmentation to minimize the blast radius of a successful exploit within a network and isolate it – for example, not allowing hostile software to spread through a network, or preventing malware like ransomware from ‘calling home’.
How does this work? NetFoundry customers:
- close all inbound firewall ports – eliminate network connectivity
- require strong identity, authentication and authorization to request a zero trust network connection
- authorized sessions establish outbound only, least privileged access sessions
- private Fabric Routers broker both sides of the connection
Critically, the above is made simple by NetFoundry SaaS services, and its underlying open source software, OpenZiti. For example, NetFoundry customers use a web console or orchestration API to spin up multicloud native networks in minutes! These networks enforce the zero trust networking architecture described above.
These zero trust networks do more than connect users to apps – they support all use cases including app server to database, API security, remote management (e.g. RDP), IoT, edge, supply chain and multicloud.
Why is secure by design so critical?
Atlassian Confluence CVE-2022-26134 is yet another example of how the methods of exploitation of vulnerabilities travel faster than patches and update procedures. Updating firewall rules and software is simply too late. Even if the vendor of a vulnerable software package quickly produces a patch, as Atlassian did in this case, too many users are left to clean up the mess already made by attackers exploiting the software, or at the very least to interrupt drive their businesses to apply emergency patches and firewall rules to all their firewalls.
However, with NetFoundry’s unique Secure by Design architecture, the barn door is always closed, proactively. Inbound firewall ports are closed and IP addresses are no longer exposed. The barn door is closed via cloud-orchestrated software, identification, authentication, authorization, least privileged access and microsegmentation. Nobody knows where the next CVE will be – this approach therefore mitigates the risk that the CVE can be exploited from the networks.
You can start now with our free forever SaaS (for up to 10 nodes), and get a zero trust network up and running in minutes, without deploying any infrastructure. Similarly, you can tour OpenZiti open source zero trust networking, or take a deep dive into the zero trust networking architecture.