Summary:
A critical Remote Code Execution (RCE) vulnerability, identified as CVE-2023-22527, has been disclosed by Atlassian, impacting outdated versions of Confluence Data Center and Confluence Server. The vulnerability is an Object-Graph Navigation Language (OGNL) injection flaw. It allows an unauthenticated attacker to achieve RCE on affected systems, posing a serious threat to organizations running vulnerable versions of Confluence. Atlassian's disclosure has been followed by active exploitation attempts, with attackers observed targeting Confluence applications in several countries.
The vulnerability, which affects Confluence Data Center and Confluence Server versions 8.0.x to 8.5.3, stems from a template injection flaw in the text-inline.vm Velocity template. The flaw allows an attacker to pass a crafted label parameter to an OGNL sink, enabling remote code execution. Security researchers were able to reach the org.apache.struts2.views.jsp.ui.OgnlTool class and invoke its Ognl.findValue(String, Object) method, bypassing the restrictions imposed by the Struts sandbox. Notably, OGNL expressions are subject to a 200-character limit, but the researchers found that this limit can be sidestepped by referencing an additional parameter in the HTTP request, which is enough to execute system commands.
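The two facts above that matter to a defender are that the sink is reached through the label parameter of a direct request for text-inline.vm, and that the length limit is worked around by smuggling expression text in a second request parameter. The following script, an added example written for this page (not code from Atlassian or from the report's authors), turns those facts into a triage heuristic: it parses web-server access-log lines, flags direct requests for text-inline.vm, and raises the severity when the label parameter or any other parameter carries OGNL-style punctuation. It also includes a helper that checks a version string against the 8.0.x to 8.5.3 range named above. The log lines are constructed for illustration, the directory prefix in front of text-inline.vm is assumed, and the "payload" is a placeholder that merely contains expression punctuation.

```python
"""Added example: access-log triage for the CVE-2023-22527 request pattern
described above. Heuristic written for this page, not vendor or researcher
code. All sample data below is constructed."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Common/combined log format prefix:
#   host ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Punctuation that belongs to an OGNL expression, not to a benign label value.
OGNL_MARKERS = ("#", "@", "{", "}", "(", ")")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = unquote(parts.path)
    # parse_qs decodes once; the extra unquote() also catches double-encoded values.
    rec["params"] = {
        k: [unquote(v) for v in vs]
        for k, vs in parse_qs(parts.query, keep_blank_values=True).items()
    }
    return rec


def _has_markers(value):
    return any(c in value for c in OGNL_MARKERS)


def assess(rec):
    """Return a list of reasons the request looks suspicious (empty list = clean)."""
    reasons = []
    # Match on the template file name only; the directory prefix is deployment-specific.
    if rec["path"].rsplit("/", 1)[-1] != "text-inline.vm":
        return reasons
    # Velocity templates are not normally requested directly by browsers.
    reasons.append("direct request to text-inline.vm")
    if any(_has_markers(v) for v in rec["params"].get("label", [])):
        reasons.append("OGNL syntax in label parameter")
    # The write-up notes the 200-character limit was sidestepped by referencing
    # another request parameter, so expression syntax elsewhere is also worth surfacing.
    extras = sorted(k for k, vs in rec["params"].items()
                    if k != "label" and any(_has_markers(v) for v in vs))
    if extras:
        reasons.append("expression syntax in extra parameter(s): " + ", ".join(extras))
    return reasons


def scan(lines):
    """Yield (host, time, status, reasons) for every parseable line that assess() flags."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = assess(rec)
        if reasons:
            findings.append((rec["host"], rec["time"], rec["status"], reasons))
    return findings


def version_in_range_named_above(version):
    """True when a Confluence version string falls within 8.0.x to 8.5.3, the range
    this write-up names. The vendor advisory remains the authoritative list."""
    try:
        parts = tuple(int(p) for p in version.split("."))
    except ValueError:
        return False
    parts = (parts + (0, 0, 0))[:3]
    return (8, 0, 0) <= parts <= (8, 5, 3)


# Constructed sample lines (RFC 5737 addresses; placeholder values, not a real payload).
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Jan/2024:10:01:02 +0000] "POST /template/aui/text-inline.vm'
    '?label=%23%7Bplaceholder%7D&extra=%40placeholder HTTP/1.1" 200 512',
    '198.51.100.7 - - [18/Jan/2024:10:01:05 +0000] "GET /display/DOCS/Home HTTP/1.1" 200 10240',
    '198.51.100.8 - - [18/Jan/2024:10:01:09 +0000] "GET /template/aui/text-inline.vm'
    '?label=release-notes HTTP/1.1" 200 300',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for host, when, status, reasons in scan(SAMPLE_LOG):
        print(f"{when} {host} status={status}: " + "; ".join(reasons))
    print("8.5.3 in range:", version_in_range_named_above("8.5.3"))
```

One caveat a practitioner should keep in mind: parameters sent in a POST body do not appear in a standard access log, so this heuristic only sees what the query string exposes; a direct request for text-inline.vm with a 200 response is still worth investigating on its own, and the version helper should be used as a first triage step before consulting the vendor's full list of affected releases.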
The increasing trend of Threat Actors (TAs) exploiting vulnerable Internet-exposed assets underscores the crucial need for organizations to comprehend and consistently secure their attack surfaces. In the case of the Confluence vulnerability, unauthenticated attackers can exploit a template injection flaw, enabling arbitrary code execution on compromised systems. To mitigate the risk, users are strongly advised to follow recommended measures, including promptly applying patches, updating Confluence installations, conducting regular security audits, implementing network segmentation, and establishing an effective patch management process. Vigilance and proactive measures are paramount in safeguarding against the evolving landscape of cybersecurity threats.
References:
The following reports contain further technical details:
https://cyble.com/blog/exploitation-of-atlassian-confluence-rce-vulnerability-cve-2023-22527/