[CDP-development] TLP:GREEN (Vulnerability Alert Notification) CVE-2023-22527 Atlassian Confluence Data Center and Server Template Injection Vulnerability
CSS Security Operations Services * DAS
css-soc-services at das.oregon.gov
Wed Jan 24 10:14:59 PST 2024
Good morning,
The SOC Services team is reporting on the vulnerability: CVE-2023-22527 Atlassian Confluence Data Center and Server Template Injection Vulnerability. Because of its high visibility, our knowledge that the software is installed in the state environment, and active exploitation, we are providing this in-depth information:
History: On January 16, 2024, Atlassian released a security advisory regarding their Confluence Data Center and Confluence Server products. CVE-2023-22527 is a Remote Code Execution vulnerability and is currently assigned a CVSSv3 rating of 9.8 (Critical) by NIST, while Atlassian themselves rate the CVE as a 10.0 (Critical). The CVE was established on January 16, 2024. On January 24, 2024, CISA added the vulnerability to their list of Known Exploited Vulnerabilities.
The following products are affected:
* Atlassian Confluence Data Center 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, and 8.5.0-8.5.3
* Atlassian Confluence Server 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, and 8.5.0-8.5.3
Patches are available from Atlassian to fix the vulnerabilities. The fixed versions are:
* Atlassian Confluence Data Center 8.5.4 or higher
* Atlassian Confluence Server 8.5.4 or higher
Further information is available from Atlassian as published in their Security Advisory and FAQ:
* CVE-2023-22527 RCE Vulnerability in Confluence Data Center and Server - https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html
* FAQ for CVE-2023-22527 - https://confluence.atlassian.com/kb/faq-for-cve-2023-22527-1332810917.html
Intelligence: As of January 24, 2024, CISA is aware that CVE-2023-22527 has been exploited in the wild. As of January 23, 2024, ShadowServer reported that over 11,000 instances were publicly exposed and that adversaries have been actively scanning for vulnerable instances. It is very likely that the exploit will continue to be leveraged by threat actors over the coming months.
Workarounds: There are no workarounds at this time.
How it works: The vulnerability allows an Object-Graph Navigation Language (OGNL) injection attack through user input that is improperly validated and sanitized. An unauthenticated attacker can remotely execute arbitrary commands through the templates of a vulnerable Confluence instance.
Post-Exploit: Upon successful exploitation of the vulnerability, an unauthenticated attacker can execute arbitrary commands in the context of the application.
Atlassian has not provided specific IOCs at this time, citing that the possibility of multiple entry points along with chained attacks makes it difficult to provide indicators.
As of DATE, the following vulnerability plugins have been released and are currently in Tenable Security Center:
Plugin | Title | Severity
114150 <https://www.tenable.com/plugins/was/114150> | Atlassian Confluence 8.x < 8.5.4 Remote Code Execution | Critical
188068 <https://www.tenable.com/plugins/nessus/188068> | Atlassian Confluence < 8.5.4 RCE (CONFSERVER-93833) | Critical
Recommended Actions:
* Review logs for indicators of compromise.
* Verify that the host has not been compromised before applying patches.
* Apply appropriate updates provided by the vendor to vulnerable systems immediately after appropriate testing.
* Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
* Apply the Principle of Least Privilege to all systems and services.
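The affected and fixed version lists in this alert can be applied to an asset inventory to decide which hosts to patch first. The following is an added example, not part of the original alert or Atlassian's tooling; the host names, the inventory format and the status labels are assumptions made for illustration.

```python
import re

# Boundaries as stated in the alert: 8.0.x-8.4.x and 8.5.0-8.5.3 are affected,
# 8.5.4 or higher is fixed. Versions before 8.0 are not listed in the alert.
FIRST_LISTED = (8, 0)
FIXED_IN = (8, 5, 4)
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?(?:[-+].*)?\s*$")

def parse_version(text):
    """Return (major, minor, patch); patch is None when the string omits it."""
    m = _VERSION_RE.match(text or "")
    if not m:
        return None
    patch = int(m.group(3)) if m.group(3) is not None else None
    return int(m.group(1)), int(m.group(2)), patch

def classify(version_text):
    """Map a reported Confluence version to a triage status for CVE-2023-22527."""
    parsed = parse_version(version_text)
    if parsed is None:
        return "unparseable"      # needs a manual check on the host
    major, minor, patch = parsed
    if (major, minor) < FIRST_LISTED:
        return "not_listed"       # the alert states nothing about these versions
    if (major, minor) == FIXED_IN[:2] and patch is None:
        return "verify"           # "8.5" alone could be 8.5.3 or 8.5.4
    # Numeric tuple comparison, so 8.5.10 sorts after 8.5.4 (string compare would not).
    if (major, minor, patch or 0) >= FIXED_IN:
        return "fixed"
    return "affected"

def triage(inventory):
    """Group (host, version) pairs by status."""
    groups = {}
    for host, version in inventory:
        groups.setdefault(classify(version), []).append(host)
    return groups

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    ("wiki-01.example.internal", "8.5.3"),
    ("wiki-02.example.internal", "8.5.10"),
    ("wiki-03.example.internal", "8.4"),
    ("wiki-04.example.internal", "8.5"),
    ("wiki-05.example.internal", "7.19.16"),
    ("wiki-06.example.internal", "unknown"),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status}: {', '.join(hosts)}")
```

Hosts reported as "verify", "not_listed" or "unparseable" need a manual version check against the Atlassian advisory before they are considered safe.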
Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378
"Ensuring user-friendly, reliable and secure state technology systems that serve Oregonians."