Atlassian’s Confluence Server Unauthenticated Remote Code Execution



The SonicWall Capture Labs threat research team became aware of a noteworthy vulnerability—an Unauthenticated Template Injection —in Atlassian Confluence platforms, assessed its impact and developed mitigation measures for it. Atlassian’s Confluence Server and Data Center published an advisory on this vulnerability affecting multiple Confluence releases. Confluence is a web-based corporate wiki software. Atlassian wrote Confluence in the Java programming language and it is utilized for collaboration, project management, process and quality management, and knowledge management.

This vulnerability is identified as CVE-2023-22527 and was assigned a critical CVSS score of 10.0.  Considering the sizeable user base, low attack complexity and publicly available exploit code(s) including a Metasploit module, Confluence users are strongly encouraged to upgrade their instances to the latest versions with utmost priority. According to ShadowServer, around 11,000 Atlassian Confluence instances are publicly exposed, and adversaries are scanning for vulnerable instances.

As per the advisory, the affected Confluence Data Center and Server versions are 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, and 8.5.0-8.5.3.

Technical Overview

This vulnerability allows threat actors to circumvent the authentication mechanism by sending a crafted request to the web server.

The primary condition that led to exploiting the vulnerability in Atlassian’s Confluence Server and Data Center is improper user input handling. As a result, attackers can leverage the injection of malicious templates without any authentication, leading to remote code execution. As Confluence is written in Java, OGNL expressions are associated with code. A specially crafted exploit that can inject an arbitrary OGNL object can execute Java code. When the application fails to validate and sanitize user input before using it in OGNL expressions, it may lead to an OGNL injection vulnerability. In OGNL injection attacks, nefarious actors input specially crafted strings containing OGNL expressions into user interfaces or input fields. When the application processes this input without proper validation, the injected OGNL expressions get executed within the application’s context. This can lead to various security issues, including authentication bypass, unauthorized access to sensitive data and remote code execution.

Triggering the Vulnerability

Within the Confluence server, it was observed that actual “views” are rendered using Velocity template files. To trigger the vulnerability, an attacker sends a POST request to “/template/aui/text-inline.vm”, demonstrating that including a .vm file helps get a hands-on unauthenticated attack surface to the Confluence instance. In this scenario, findValue is an OGNL expression that accepts a crafted string in $parameters that are not sanitized properly. As seen in Figure 2, using the OGNL expression #request[‘.KEY_velocity.struts2.context’].internalGet(‘ognl’) will grant access to the class  org.apache.struts2.views.jsp.ui.OgnlTool and calls the method Ognl.findValue(String, Object) method. Furthermore, in a comparison between the unpatched Confluence instance and the patched one, there is a .vm file named text-inline.vm. Figure 1 shows the text-inline.vm file code – the one that is deprecated in patched versions of Confluence.

Figure 1: text-inline.vm

Attackers can leverage this vm file to create a payload utilizing #parameters which pass arguments to the exec method, bypassing authentication and executing system commands.

Figure 2: CVE-2023-22527 OGNL payload

A crafted POST request sent to unpatched Confluence servers leads to OGNL template injection, which results in arbitrary command execution. By changing the payload parameter value, one can execute different commands remotely.

The attack request has the command id injected in the exec() function, as shown in Figure 3. Once this crafted request is sent, the response from the server includes the user id(uid), group id (gid), and groups from the Confluence server.

Figure 3: CVE-2023-22527 attack request

Exploiting the Vulnerability

The working PoC is an exploit tool for Confluence servers vulnerable to CVE-2023-22527. It leads to RCE in vulnerable instances of Confluence data centers and servers. Using this, an attacker can execute arbitrary code on a vulnerable instance.

Figure 4: CVE-2023-22527 PoC

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS: 2366 – Atlassian Confluence Data Center and Server SSTI
  • IPS: 4249 – Atlassian Confluence Data Center and Server SSTI 2

Remediation Recommendations

Considering the severe consequences of this vulnerability and the trending of unauthenticated nefarious activists trying to get Confluence Data Center & Confluence Server access using the exploit in the wild, users are strongly encouraged to upgrade their instances as published in the vendor advisory.

Relevant Links

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.