A critical Atlassian Confluence template injection vulnerability has been identified. It affects all outdated versions of Confluence Data Center and Server, allowing unauthenticated attackers to achieve remote code execution (RCE). Read this Cybersecurity Threat Advisory in detail to learn about the vulnerability and what you can do to stay secure.
What is the threat?
CVE-2023-22527 is a template injection vulnerability that impacts Confluence Data Center and Server versions 8.0.x to 8.5.3. It poses a severe risk: successful exploitation can lead to unauthorized code execution on affected instances. Immediate action is necessary to mitigate the risk.
Why is it noteworthy?
This vulnerability affects Atlassian Confluence servers and is noteworthy for its critical severity, with a CVSS score of 10.0. Exploitation attempts have been actively observed in the wild, with over 39,000 recorded attempts from more than 600 unique IP addresses. The attackers are testing callbacks and executing ‘whoami’ commands, indicating potential follow-on exploitation.
What is the exposure or risk?
The vulnerability exposes Confluence Data Center and Server instances to unauthorized code execution. Over 11,000 Atlassian Confluence instances are accessible over the public internet, making them potential targets for exploitation. State-sponsored threat actors and ransomware groups often exploit Confluence vulnerabilities.
What are the recommendations?
Barracuda MSP recommends the following actions to limit the impact of the Confluence vulnerability:
- Users are strongly advised to update their Confluence Data Center and Server to versions 8.5.4 (LTS), 8.6.0 (Data Center only), or 8.7.1 (Data Center only), or later.
- Administrators should monitor for signs of exploitation, as specific indicators of compromise are not provided. Treat outdated instances as potentially compromised and perform thorough cleanup.
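One way to apply both recommendations to an asset inventory is sketched below. It is an added example, not code from Barracuda or Atlassian: the version ranges are the ones stated in this advisory, while the function names, the inventory layout, and the sample hosts are assumptions constructed for illustration.

```python
import re

# Version ranges exactly as stated in this advisory for CVE-2023-22527.
AFFECTED_MIN, AFFECTED_MAX = (8, 0, 0), (8, 5, 3)
# Fixed releases from the advisory; 8.6.0 and 8.7.1 ship for Data Center only.
FIX_TARGETS = {"server": ["8.5.4"], "datacenter": ["8.5.4", "8.6.0", "8.7.1"]}

def parse_version(text):
    """Parse '8.5.3' or '8.4' (optionally with a suffix) into a 3-int tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def triage(version, edition):
    """Return (status, upgrade_targets) for one instance."""
    v = parse_version(version)
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected", FIX_TARGETS[edition]
    if v > AFFECTED_MAX:
        return "patched", []
    # Below 8.0 the advisory states no range; check the vendor bulletin.
    return "unlisted", []

def triage_inventory(rows):
    """Triage rows of (host, version, edition, internet_facing), worst first."""
    findings = []
    for host, version, edition, exposed in rows:
        status, targets = triage(version, edition)
        # Per the advisory, outdated instances are treated as potentially
        # compromised; internet-facing ones are investigated first.
        investigate = status == "affected"
        rank = 0 if (investigate and exposed) else 1 if investigate else 2
        findings.append((rank, host, status, targets, investigate))
    return [f[1:] for f in sorted(findings)]

# Constructed sample inventory (hostnames and versions are placeholders).
SAMPLE = [
    ("wiki-int.example", "8.5.4", "server", False),
    ("wiki-dc.example", "8.3.2", "datacenter", True),
    ("wiki-old.example", "8.5.3", "server", False),
    ("wiki-legacy.example", "7.19.16", "datacenter", True),
]

if __name__ == "__main__":
    for host, status, targets, investigate in triage_inventory(SAMPLE):
        print(host, status, "upgrade to:", targets or "-", "investigate:", investigate)
```

Hosts reported as "affected" need the upgrade and a compromise review; "unlisted" versions fall outside the range this advisory states and should be checked against the Atlassian bulletin linked in the references.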
References
For more in-depth information about the recommendations, please visit the following links:
- https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html
- https://nvd.nist.gov/vuln/detail/CVE-2023-22527
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-289a
- https://thehackernews.com/2024/01/40000-attacks-in-3-days-critical.html
- https://www.bleepingcomputer.com/news/security/hackers-start-exploiting-critical-atlassian-confluence-rce-flaw/
If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.