Fresh proof-of-concept (PoC) exploits for CVE-2023-22527, a remote code execution (RCE) vulnerability in Atlassian Confluence Data Center and Confluence Server, are being used in active attacks in the wild [2].

Description

Attackers are using in-memory payloads, such as freemarker.template.utility.Execute [1], to run arbitrary code inside the Confluence Java process without writing files to disk, which lets them control compromised servers stealthily [2]. The Godzilla web shell is commonly deployed in these attacks; it gives attackers remote control of the server, command execution [1] [2], and the ability to manipulate databases [2]. A reverse-shell variant has also been developed that bypasses the OGNL expression length limit and loads a web shell into memory, where it intercepts HTTP requests and executes commands [1]. Nashorn was initially used to stay resident in memory [1], but that technique is becoming less relevant now that Confluence bundles Java 17, which no longer ships the Nashorn engine. Organizations that have not patched Confluence are at high risk of compromise because the vulnerability is under active exploitation [2]. The in-memory approach is not specific to Confluence and can be applied to other products with similar vulnerabilities [2]. To mitigate these threats, organizations are advised to implement network-based detection and to scan Java memory for malicious web shells [2].
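As an added example of the network-based detection the text recommends (this is illustrative code, not from VulnCheck, Dark Reading or Atlassian), the scanner below reads constructed access-log lines, repeatedly URL-decodes each request target so double-encoded payloads are not missed, and flags requests carrying OGNL expression syntax or the freemarker.template.utility.Execute class named above. The indicator patterns and the sample log lines are assumptions for illustration.

```python
import re
from urllib.parse import unquote_plus

# Indicator patterns (assumed for illustration; tune against your own traffic).
# The FreeMarker class is the payload named in the text; the rest are
# generic OGNL syntax markers: static access @cls@member, #var=..., #request[...]
INDICATORS = {
    "freemarker_execute": re.compile(r"freemarker\.template\.utility\.Execute", re.I),
    "ognl_static_access": re.compile(r"@[\w.]+@\w+"),
    "ognl_assignment": re.compile(r"#\w+\s*="),
    "ognl_context_key": re.compile(r"#(?:request|context|application)\[", re.I),
}

# Request line inside a combined-format access log entry.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def fully_decode(s: str, rounds: int = 3) -> str:
    """URL-decode until the value stops changing, so %2523 -> %23 -> # is caught."""
    for _ in range(rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s


def scan_request_target(target: str) -> list:
    """Return the names of all indicators that match the decoded request target."""
    decoded = fully_decode(target)
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]


def scan_access_log(lines) -> list:
    """Return (line number, method, path, indicators) for each suspicious request."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        found = scan_request_target(m.group("target"))
        if found:
            hits.append((n, m.group("method"), m.group("target").split("?", 1)[0], found))
    return hits


# Constructed sample log lines (not real traffic): one benign page view, one
# injection attempt, and one benign search that merely mentions "freemarker".
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Jan/2024:10:01:02 +0000] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [20/Jan/2024:10:01:07 +0000] "POST /example/endpoint?label=%23cmd%3Dnew%20freemarker.template.utility.Execute() HTTP/1.1" 200 310',
    '10.0.0.9 - - [20/Jan/2024:10:01:09 +0000] "GET /rest/api/search?cql=text~%22freemarker%22 HTTP/1.1" 200 880',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

Access logs only record the request line, so payloads sent in a POST body need the same check applied at a reverse proxy or WAF that logs bodies.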

Conclusion

Unpatched Confluence instances remain at high risk because this vulnerability is under active exploitation [2]. Beyond patching, organizations should implement network-based detection and scan Java memory for malicious web shells, since the in-memory payloads described above leave little on disk for file-based tooling to find [2]. This case underscores the importance of timely patching and proactive detection in defending against such attacks.

References

[1] https://vulncheck.com/blog/confluence-dreams-of-shells
[2] https://www.darkreading.com/application-security/stealth-bomber-atlassian-confluence-exploits-drop-web-shells-in-memory