Atlassian’s Confluence Server Unauthenticated Remote Code Execution
Overview
The SonicWall Capture Labs threat research team became aware of a noteworthy vulnerability—an Unauthenticated Template Injection —in Atlassian Confluence platforms, assessed its impact and developed mitigation measures for it. Atlassian’s Confluence Server and Data Center published an advisory on this vulnerability affecting multiple Confluence releases. Confluence is a web-based corporate wiki software. Atlassian wrote Confluence in the Java programming language and it is utilized for collaboration, project management, process and quality management, and knowledge management.
This vulnerability is identified as CVE-2023-22527 and was assigned a critical CVSS score of 10.0. Considering the sizeable user base, low attack complexity and publicly available exploit code(s) including a Metasploit module, Confluence users are strongly encouraged to upgrade their instances to the latest versions with utmost priority. According to ShadowServer, around 11,000 Atlassian Confluence instances are publicly exposed, and adversaries are scanning for vulnerable instances.
As per the advisory, the affected Confluence Data Center and Server versions are 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, and 8.5.0-8.5.3.
Technical Overview
This vulnerability allows threat actors to circumvent the authentication mechanism by sending a crafted request to the web server.
The primary condition that led to exploiting the vulnerability in Atlassian’s Confluence Server and Data Center is improper user input handling. As a result, attackers can leverage the injection of malicious templates without any authentication, leading to remote code execution. As Confluence is written in Java, OGNL expressions are associated with code. A specially crafted exploit that can inject an arbitrary OGNL object can execute Java code. When the application fails to validate and sanitize user input before using it in OGNL expressions, it may lead to an OGNL injection vulnerability. In OGNL injection attacks, nefarious actors input specially crafted strings containing OGNL expressions into user interfaces or input fields. When the application processes this input without proper validation, the injected OGNL expressions get executed within the application’s context. This can lead to various security issues, including authentication bypass, unauthorized access to sensitive data and remote code execution.
Triggering the Vulnerability
Within the Confluence server, it was observed that actual “views” are rendered using Velocity template files. To trigger the vulnerability, an attacker sends a POST request to “/template/aui/text-inline.vm”, demonstrating that including a .vm file helps get a hands-on unauthenticated attack surface to the Confluence instance. In this scenario, findValue is an OGNL expression that accepts a crafted string in $parameters that are not sanitized properly. As seen in Figure 2, using the OGNL expression #request[‘.KEY_velocity.struts2.context’].internalGet(‘ognl’) will grant access to the class org.apache.struts2.views.jsp.ui.OgnlTool and calls the method Ognl.findValue(String, Object) method. Furthermore, in a comparison between the unpatched Confluence instance and the patched one, there is a .vm file named text-inline.vm. Figure 1 shows the text-inline.vm file code – the one that is deprecated in patched versions of Confluence.
Figure 1: text-inline.vm
Attackers can leverage this vm file to create a payload utilizing #parameters which pass arguments to the exec method, bypassing authentication and executing system commands.
Figure 2: CVE-2023-22527 OGNL payload
A crafted POST request sent to unpatched Confluence servers leads to OGNL template injection, which results in arbitrary command execution. By changing the payload parameter value, one can execute different commands remotely.
The attack request has the command id injected in the exec() function, as shown in Figure 3. Once this crafted request is sent, the response from the server includes the user id(uid), group id (gid), and groups from the Confluence server.
Figure 3: CVE-2023-22527 attack request
Exploiting the Vulnerability
The working PoC is an exploit tool for Confluence servers vulnerable to CVE-2023-22527. It leads to RCE in vulnerable instances of Confluence data centers and servers. Using this, an attacker can execute arbitrary code on a vulnerable instance.
Figure 4: CVE-2023-22527 PoC
SonicWall Protections
To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:
- IPS: 2366 – Atlassian Confluence Data Center and Server SSTI
- IPS: 4249 – Atlassian Confluence Data Center and Server SSTI 2
Remediation Recommendations
Considering the severe consequences of this vulnerability and the trending of unauthenticated nefarious activists trying to get Confluence Data Center & Confluence Server access using the exploit in the wild, users are strongly encouraged to upgrade their instances as published in the vendor advisory.
Relevant Links
- NVD
- GitHub PoC
- Packet storm
- Atlassian Confluence Advisory
- CONFSERVER-93833
- Nuclei template
- ProjectDiscovery blog
- SANS
