Atlassian reveals critical Confluence RCE flaw, urges “immediate action” (CVE-2023-22527)

Atlassian has patched a critical vulnerability (CVE-2023-22527) in Confluence Data Center and Confluence Server that could lead to remote code execution.

CVE-2023-22527

The good news is that the flaw was fixed in early December 2023 with the release of versions 8.5.4 LTS (Data Center and Server) and 8.6.0 and 8.7.1 (only Data Center), so some customers have already upgraded to those or to later versions. The bad news is that some customers haven’t.

Atlassian hasn’t mentioned whether the vulnerability is being actively exploited, but has said that customers “must take immediate action to protect their Confluence instances.”

About CVE-2023-22527

CVE-2023-22527 is a template injection vulnerability that allows an unauthenticated attacker to achieve RCE on an affected version of Confluence Data Center and Confluence Server: 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, and 8.5.0-8.5.3. There is no available workaround.

“Most recent supported versions of Confluence Data Center and Server are not affected by this vulnerability as it was ultimately mitigated during regular updates,” the company noted today (i.e., more than a month after releasing those updates).

Atlassian Cloud instances are not affected by this vulnerability, and neither is Confluence version 7.19.x.

Additional advice for customers

Vulnerable Confluence instances have been preferred targets of various threat actors over the years.

“If the Confluence instance cannot be accessed from the internet the risk of exploitation is reduced, but not completely mitigated,” the company added, and again “strongly recommended” upgrading to the latest version available.

If updating is impossible at this time, customers should take their system off the internet immediately, back up the data of the instance to a secure location outside of the Confluence instance, and engage their local security team to review for any potential malicious activity.

Unfortunately, Atlassian did not share possible indicators of compromise, as “the possibility of multiple entry points, along with chained attacks, makes it difficult to list [them all].”

UPDATE (January 17, 2024, 04:05 a.m. ET):

An Atlassian spokesperson confirmed for Help Net Security that they don’t have evidence of an active exploit.

“This previously unknown vulnerability came to us via our bug bounty program after we issued CVE-2023-22522. When patching for CVE-2023-22522 we also updated our feature and long-term support (LTS) versions with some planned security maintenance, which ultimately mitigated this new critical vulnerability as well. As such, CVE-2023-22527 affects only out-of-date Confluence Data Center and Server versions released before Dec. 5, 2023 as well as 8.4.5 which no longer receives backported fixes in accordance with our Security Bug Fix Policy,” they explained.

“CVE-2023-22527 is classified as CVSS 10, the highest critical rating, and affected customers are vulnerable to a remote code execution (RCE) attack by an unauthenticated attacker via any number of entry points as indicated in the CVSS vector string. The complex nature of the potential exploit as well as a wide variety of possible post-exploit activities, makes it difficult to list all possible indicators of a compromise. Affected customers must immediately patch to the latest version as per our Critical Security Advisory.”

UPDATE (January 22, 2024, 05:20 a.m. ET):

The Shadowserver Foundation says they have been seeing exploitation attempts since Friday (January 19, 2024).

UPDATE (January 23, 2024, 10:10 a.m. ET):

Technical details about and proof-of-concept exploit code for CVE-2023-22527 have been released.

UPDATE (August 28, 2024, 02:55 a.m. ET):

The vulnerability is being exploited by cryptojackers.

Don't miss