Atlassian has issued a warning regarding a critical vulnerability, tracked as CVE-2023-22527 [1] [2], in Confluence Data Center and Confluence Server [2] [3] [4] [7] [8] [9]. This vulnerability allows unauthenticated remote attackers to execute arbitrary code on affected versions of Confluence.

Description

The vulnerability, classified as a template injection flaw [2] [4] [7] [9], affects Confluence versions 8.0.x through 8.5.3 [3], including 8.4.5 [3] [8] and, more generally, versions released before December 5, 2023 [8]. Atlassian has released a security update to address the issue and urges customers to patch promptly to the latest version.

It is important to note that cybercriminals actively seek out Atlassian Confluence bugs because the platform is so widely deployed in corporate networks. Although it is not yet known whether this vulnerability is being actively exploited, even Confluence instances that are not reachable from the internet remain at risk, so upgrading to the latest available version is strongly recommended [7]. Instances that are not connected to the internet or that do not allow anonymous access are still vulnerable, albeit at a reduced risk [6].

If a Confluence site is accessed via an atlassian.net domain [5], it is hosted by Atlassian (Confluence Cloud) and is not vulnerable [5]. Customers with further questions can raise a support request with Atlassian [5].

If immediate updates cannot be applied, it is advised to take affected systems offline [6], back up the data [6], and monitor for any malicious activity [6]. Atlassian has released versions 8.5.4 (LTS), 8.6.0 (Data Center only) [9], and 8.7.1 (Data Center only) to address the vulnerability [9]. The security bulletin states that there are currently no known workarounds or mitigations for this vulnerability [9].
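As an added illustration (not code from the advisory or from any of the cited sources), the following Python classifies Confluence version strings against the ranges stated above so an inventory can be triaged quickly. The affected range (8.0.x through 8.5.3) and the fixed releases (8.5.4, 8.6.0, 8.7.1) come from the text; the host names and sample inventory are constructed, and any version the page does not cover (for example 7.x, or 8.7.0) is reported as "not covered" rather than guessed.

```python
"""
Added example: triage a Confluence Data Center / Server version inventory
against the ranges named in the advisory summary above. Not vendor code.

Ranges taken from the page text:
  - affected: 8.0.x through 8.5.3 (8.4.5 falls inside this range)
  - fixed:    8.5.4 (LTS), 8.6.0 and 8.7.1, and later builds on those lines
Anything outside those ranges is reported as "not covered" so the reader
consults the vendor advisory instead of trusting an assumption.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

FIRST_AFFECTED: Version = (8, 0, 0)
LAST_AFFECTED: Version = (8, 5, 3)
# Fixed releases named on the page, keyed by their major.minor line.
FIXED_RELEASES: Dict[Tuple[int, int], Version] = {
    (8, 5): (8, 5, 4),
    (8, 6): (8, 6, 0),
    (8, 7): (8, 7, 1),
}


def parse_version(text: str) -> Version:
    """Turn '8.5.3', ' v8.5.4 ' or '8.6' into a comparable (major, minor, patch) tuple.

    Comparing integer tuples avoids the classic string-comparison trap where
    '8.10.0' sorts before '8.5.0' and a newer build is misreported as old.
    """
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?(?:[-+.].*)?\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def classify(text: str) -> str:
    """Return 'affected', 'fixed' or 'not covered' for one version string."""
    v = parse_version(text)
    if FIRST_AFFECTED <= v <= LAST_AFFECTED:
        return "affected"
    fix = FIXED_RELEASES.get(v[:2])
    if fix is not None and v >= fix:
        return "fixed"
    return "not covered"


# Constructed sample inventory (hostname,version); these are not real hosts.
SAMPLE_INVENTORY = """\
wiki-prod-01,8.5.3
wiki-prod-02,8.5.4
wiki-dev-01,8.4.5
wiki-dc-01,8.7.1
wiki-legacy,7.19.8
"""


def triage(inventory_csv: str) -> Dict[str, List[Tuple[str, str]]]:
    """Group (host, version) pairs by classification for a patching report."""
    out: Dict[str, List[Tuple[str, str]]] = {
        "affected": [], "fixed": [], "not covered": []
    }
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        host, ver = (field.strip() for field in line.split(",", 1))
        out[classify(ver)].append((host, ver))
    return out


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {hosts}")
```

Feed `triage` the output of whatever asset inventory you keep (one `host,version` line per instance); the "affected" bucket is the patch-now list, and anything in "not covered" should be checked against the vendor advisory directly.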

Conclusion

The critical vulnerability in Confluence Data Center and Confluence Server poses a significant risk to organizations running affected versions. Promptly patching to the latest version is crucial to remove the potential for remote code execution. Even instances not connected to the internet, or those that do not allow anonymous access, remain vulnerable, albeit at a reduced risk [6]. Cybercriminals actively target Atlassian Confluence bugs, so organizations should stay vigilant and take the necessary precautions.

References

[1] https://digital.nhs.uk/cyber-alerts/2024/cc-4437
[2] https://www.darkreading.com/application-security/patch-max-critical-atlassian-bug-unauthenticated-rce
[3] https://securityonline.info/cve-2023-22527-cvss-10-critical-rce-flaw-in-confluence-data-center-and-server/
[4] https://www.helpnetsecurity.com/2024/01/16/cve-2023-22527/
[5] https://community.atlassian.com/t5/Trust-Security-articles/Action-Required-Confluence-Data-Center-and-Server-security/ba-p/2579870
[6] https://vulnera.com/newswire/critical-rce-vulnerability-found-in-older-atlassian-confluence-versions/
[7] https://cyber.vumetric.com/security-news/2024/01/16/atlassian-reveals-critical-confluence-rce-flaw-urges-immediate-action-cve-2023-22527/
[8] https://infosecbulletin.com/atlassian-released-advisory-for-cve-2023-22527/
[9] https://securityaffairs.com/157591/security/atlassian-rce-flaw-older-confluence-versions.html