CISA: Multiple Vulnerabilities In Atlassian Confluence Are Being Actively Exploited

Six high severity vulnerabilities in Atlassian Confluence have been disclosed over the past few months, making it imperative for its users to upgrade with urgency. Of these, the most severe, CVE-2023-22527, has been added to CISA’s KEV (Known Exploited Vulnerabilities) catalog. Collectively, the recently disclosed vulnerabilities range in severity from CVSS 7.5 (High) to 10 (Critical). Greenbone’s vulnerability manager is able to detect all of these vulnerabilities with active checks and version detection tests, including the most critical, CVE-2023-22527.

CVE-2023-22527 can be exploited by an attacker to achieve unauthenticated remote code execution (RCE). Impacted products include Confluence Data Center and Server versions 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, and 8.5.0 through 8.5.3, as well as 8.4.5, which no longer receives backported fixes according to Atlassian’s Security Bug Fix Policy. CVE-2023-22527 is tracked internally through Atlassian’s Jira portal as CONFSERVER-93833 and via a published advisory, and was reported as part of Atlassian’s Bug Bounty program by a contributor with the handle m1sn0w.

The remaining five vulnerabilities can all be exploited remotely without user interaction, with impacts ranging from Denial of Service (DoS) only (CVE-2023-3635) to high impact to Confidentiality, Integrity, and Availability (CIA). The majority, including several high severity RCE vulnerabilities, were introduced in version 7.13.0 of Confluence Data Center and Server. Customers operating affected products on publicly exposed IP addresses are at increased risk of exploitation.

In total, Confluence has been the subject of 9 CISA KEV alerts for active exploitation, 3 of them in recent months, since October 2023:

  • January 24th, 2024: CISA added CVE-2023-22527 to its KEV catalog
  • December 5th, 2023: CISA added CVE-2023-22515 to its KEV catalog
  • November 7th, 2023: CISA added CVE-2023-22518 to its KEV catalog

A recent report from the vulnerability and exploit research group VulnCheck, based on analysis of publicly available Shodan data, estimated that more than 235,000 internet-facing Confluence honeypots exist on public-facing IP addresses, while the true number of real internet-facing Confluence servers is closer to 4,000.

Summary Of Vulnerabilities in Atlassian Confluence

Here is a brief summary of all recently disclosed vulnerabilities in Atlassian Confluence:

  • CVE-2023-22527 (CVSS 10 Critical): A template injection vulnerability [CWE-284] on older versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance. Most recent supported versions of Confluence Data Center and Server are not affected. After initial disclosure, Atlassian raised the CVSS score of CVE-2023-22527 from 9.1 to the highest possible score of 10.
  • CVE-2024-21673 (CVSS 8.8 High): Allows an authenticated attacker to expose restricted assets [CWE-284] remotely to cause high impact to system Confidentiality, Integrity, and Availability (CIA) without user interaction. The vulnerability was introduced in version 7.13.0 (released August 2021) of Confluence Data Center and Server.
  • CVE-2023-22526 (CVSS 8.8 High): Allows an authenticated attacker to execute arbitrary code remotely to cause high impact to system Confidentiality, Integrity, and Availability (CIA) without user interaction.
  • CVE-2024-21672 (CVSS 8.8 High): Allows an authenticated attacker to execute arbitrary code remotely to cause high impact to system Confidentiality, Integrity, and Availability (CIA) without user interaction. The vulnerability was introduced in version 2.1.0 (released December 2005) of Confluence Data Center and Server, meaning it affects virtually all versions.
  • CVE-2023-3635 (CVSS 7.5 High): A DoS vulnerability in the Okio client Java library component used in Confluence X. GzipSource does not handle an exception that can be raised when parsing a malformed gzip buffer, potentially leading to denial of service of the Okio client when it processes a crafted GZIP archive through the GzipSource class.
  • CVE-2024-21674 (CVSS 7.5 High): Allows an authenticated attacker to expose restricted assets [CWE-284] remotely to cause high impact to system Confidentiality without user interaction, but no impact to Integrity or Availability. The vulnerability was introduced in version 13.0 (released August 2021) of Confluence Data Center and Server.

Mitigation Of Vulnerabilities in Atlassian Confluence

There are no reported workarounds to protect against these vulnerabilities. The most severe, CVE-2023-22527, only impacts older versions of Confluence Data Center and Server. Atlassian’s general recommendation for all other CVEs listed above is to download and upgrade to the newest version of Confluence Data Center and Server. However, if users are unable to do so, Atlassian’s mitigation advice differs for each CVE.

Atlassian has also outlined version-specific mitigations for CVE-2024-21673, CVE-2023-22526, CVE-2023-3635, and CVE-2024-21674. Customers who are unable to upgrade to the most recent version of Confluence Data Center and Server can upgrade to a minor version which has been patched.

  • Customers using Confluence Data Center and Server 7.19: Upgrade to version 19.18, or any higher 7.19.x release
  • Customers using Confluence Data Center and Server 8.5: Upgrade to version 5.5 or any higher 8.5.x release
  • Customers using Confluence Data Center and Server 8.7: Upgrade to version 7.2 or any higher 8.7.x release
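As an added example (not code from this post, Greenbone or Atlassian), the following Python triages an inventory of Confluence version strings against the CVE-2023-22527 affected ranges stated earlier in the post (8.0.x through 8.4.x, and 8.5.0 through 8.5.3) so that the hosts needing an urgent upgrade can be listed; the hostnames and versions in the inventory are constructed placeholders.

```python
import re

# Affected ranges for CVE-2023-22527 as stated in the advisory text:
# any 8.0.x, 8.1.x, 8.2.x, 8.3.x or 8.4.x release, and 8.5.0 through 8.5.3.
# (8.4.5, called out separately in the post, already falls inside 8.4.x.)
AFFECTED_MINORS_ALL_PATCHES = {0, 1, 2, 3, 4}
LAST_AFFECTED_8_5_PATCH = 3


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse 'major.minor[.patch]' and ignore any trailing build suffix."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Confluence version string: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def affected_by_cve_2023_22527(version: str) -> bool:
    """True if this Confluence Data Center/Server version is in an affected range."""
    major, minor, patch = parse_version(version)
    if major != 8:
        return False            # 7.x and 9.x are outside the stated ranges
    if minor in AFFECTED_MINORS_ALL_PATCHES:
        return True             # 8.0.x .. 8.4.x, every patch level
    if minor == 5:
        return patch <= LAST_AFFECTED_8_5_PATCH   # 8.5.0 .. 8.5.3
    return False                # 8.6.x and later


def triage_inventory(inventory: dict[str, str]) -> list[str]:
    """Return the hosts whose version is affected, sorted for stable reporting."""
    return sorted(h for h, v in inventory.items() if affected_by_cve_2023_22527(v))


# Constructed sample inventory: hostnames and versions are placeholders, not real data.
SAMPLE_INVENTORY = {
    "wiki-a.example.internal": "8.5.3",
    "wiki-b.example.internal": "8.5.4",
    "wiki-c.example.internal": "8.4.5",
    "wiki-d.example.internal": "7.19.18",
    "wiki-e.example.internal": "8.0.1-build-12",
}

if __name__ == "__main__":
    for host in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is affected by CVE-2023-22527, upgrade")
```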

Summary

In January 2024, 1 critical severity vulnerability was disclosed impacting Atlassian Confluence Data Center and Server, following in the footsteps of 5 more recently disclosed high impact CVEs. The most critical, CVE-2023-22527, is known to be exploited in the wild, making it imperative for users of affected products to upgrade with urgency. Public-facing instances of Confluence are most at risk, with an estimated 4,000 instances as of February 2nd, 2024.