Atlassian Confluence Remote Code Execution Vulnerability (CVE-2022-26134)

Within the next few hours we will begin deploying improvements to the security posture of all customer applications within WAF-as-a-Service in order to provide better protection against the Atlassian Confluence Remote Code Execution Vulnerability (CVE-2022-26134).

This change will be deployed passively within the default WAF-as-a-Service policy for URL Protection, specifically within the detection for OS Command Injection. We are doing this passively because there is a potential for false positives with the required security patterns. That means this mitigation will only log attacks against this CVE.

Please note that the rollout may take up to 6 hours before it has completed across our entire global customer estate.

If you have an internet-facing Atlassian Confluence server, you should consider adding the manual rule we describe in Barracuda Campus to the URL Access & Redirects component.

For more information about this CVE, please see the Barracuda Blog.

For any additional help, please contact Barracuda Support.