On January 16, 2024, Atlassian disclosed a remote code execution vulnerability affecting the Confluence Data Center and Confluence Server [1]. CVE-2023-22527 is an OGNL injection vulnerability with a CVSS score of 10 (Critical). Although the vulnerability is fixed with patches, the number of outdated and publicly exposed Atlassian Confluence instances is in the thousands, posing significant risks to organizations.
In this blog, we explain how the Atlassian Confluence CVE-2023-22527 exploit works and how organizations can defend against CVE-2023-22527 attacks.
Atlassian Confluence CVE-2023-22527 Vulnerability Explained
Atlassian Confluence is a collaboration and documentation platform designed to facilitate communication and information sharing within organizations. Confluence Server is a self-hosted version of the platform, allowing organizations to deploy it on their own servers or cloud infrastructure. Confluence Data Center, on the other hand, is an enterprise-grade solution designed for organizations with larger user bases or those with a need for high availability and reliability. On January 16, 2024, Atlassian disclosed an OGNL injection vulnerability affecting the Confluence Data Center and Confluence Server. Adversaries may exploit the CVE-2023-22527 vulnerability for unauthenticated remote code execution in vulnerable Confluence instances. The vulnerability has a CVSS score of 10 (Critical). The affected versions are listed below.
Affected Product | Affected Versions
--- | ---
Confluence Data Center and Server | 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, 8.5.0-8.5.3
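To turn the affected-version table into a check that can be run over an inventory of Confluence hosts, here is an added Python example (not code from Picus or Atlassian). It encodes exactly the ranges listed above; the host names and versions in the sample inventory are constructed. A version outside the listed ranges is reported as "not listed", which is not the same as confirming that it is patched, so consult the Atlassian advisory [1] for the fixed versions.

```python
"""Check Confluence Data Center/Server version strings against the affected
ranges listed in the table above for CVE-2023-22527 (8.0.x-8.4.x and
8.5.0-8.5.3). Added example; not Atlassian's or Picus' code."""
import re
from typing import Optional

# Affected ranges exactly as listed on the page: the 8.0-8.4 minor families
# and the bounded 8.5.0-8.5.3 range.
AFFECTED_MINOR_FAMILIES = {(8, 0), (8, 1), (8, 2), (8, 3), (8, 4)}
AFFECTED_85_PATCH_MAX = 3


def parse_version(version: str) -> Optional[tuple[int, int, int]]:
    """Parse 'major.minor[.patch]'; a trailing suffix such as '-rc1' is ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_affected(version: str) -> bool:
    """True if the version falls inside the ranges the advisory lists as affected.

    Versions outside those ranges are merely 'not listed'; this function makes
    no claim that they are fixed.
    """
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = parsed
    if (major, minor) in AFFECTED_MINOR_FAMILIES:
        return True
    if (major, minor) == (8, 5):
        return patch <= AFFECTED_85_PATCH_MAX
    return False


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split a host -> version inventory into 'affected' and 'not_listed' buckets."""
    result: dict[str, list[str]] = {"affected": [], "not_listed": []}
    for host, version in inventory.items():
        bucket = "affected" if is_affected(version) else "not_listed"
        result[bucket].append(host)
    return result


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = {
    "wiki-01.example.internal": "8.5.3",
    "wiki-02.example.internal": "8.5.4",
    "wiki-03.example.internal": "8.2.1",
    "wiki-04.example.internal": "7.19.17",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(bucket, hosts)
```

Run it against the output of your asset inventory or a CMDB export; the "affected" bucket is the list to patch first, and anything that fails to parse raises rather than silently landing in "not_listed".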
According to ShadowServer, there are over 11,000 Atlassian Confluence instances publicly exposed, and adversaries are actively scanning for vulnerable instances [2]. Organizations are advised to patch their Atlassian Confluence instances as soon as possible.
Previously, in September 2021 and June 2022, two separate OGNL injection vulnerabilities were found in Atlassian Confluence. For more detailed information, you can check our “Atlassian Confluence Zero-Day CVE-2022-26134 Vulnerability” and “Atlassian Confluence CVE-2021-26084 Vulnerability” blog posts.
What is an OGNL Injection Attack?
Object-Graph Navigation Language (OGNL) is a Java-based expression language commonly employed in frameworks and applications like Apache Struts and Atlassian Confluence. OGNL provides a concise syntax for expressing complex operations on Java objects, enabling developers to access and manipulate properties, invoke methods, and navigate object relationships in a concise and expressive manner.
When applications do not properly validate and sanitize user input before using it in OGNL expressions, it may lead to a security vulnerability called OGNL injection. In OGNL injection attacks, adversaries input specially crafted strings containing OGNL expressions into user interfaces or input fields. When the application processes this input without proper validation, the injected OGNL expressions get executed within the application’s context. This can lead to a range of security issues, including unauthorized access to sensitive data and remote code execution.
How Does the Atlassian Confluence CVE-2023-22527 Exploit Work?
The Atlassian Confluence CVE-2023-22527 vulnerability is an OGNL injection vulnerability that allows unauthenticated adversaries to execute arbitrary commands remotely on a vulnerable Confluence instance. The vulnerability stems from a Velocity template file named "text-inline.vm" [3]. Through this template, adversaries can reach the OGNL evaluator and execute commands by using the expression #request['.KEY_velocity.struts2.context'].internalGet('ognl'). An example payload delivered via an HTTP POST request is given below.
// Attacker-crafted POST request
POST /template/aui/text-inline.vm HTTP/1.1
Atlassian Confluence CVE-2023-22527 Vulnerability Exploit Example
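For defenders reviewing reverse-proxy or WAF logs, the two indicators the page gives (the text-inline.vm request path and the distinctive substrings of the OGNL expression) can be combined into a simple classifier. The following is an added Python example, not code from Picus or Atlassian; the sample requests are constructed, not captured traffic. Because the "#", "[" and quote characters of the expression are normally percent-encoded in a request body, the example decodes path and body before matching, and it still flags plain access to the template path even when no expression is present.

```python
"""Classify HTTP requests against the CVE-2023-22527 pattern described above:
a request to the text-inline.vm Velocity template whose body carries the
#request['.KEY_velocity.struts2.context'].internalGet('ognl') expression.
Added detection example for log review; not code from Picus or Atlassian."""
from dataclasses import dataclass
from urllib.parse import unquote_plus

# Both indicators come from the page: the template path from the request line
# and the two distinctive substrings of the OGNL expression.
TEMPLATE_PATH = "/template/aui/text-inline.vm"
OGNL_MARKERS = (".KEY_velocity.struts2.context", "internalGet('ognl')")


@dataclass
class Request:
    """Minimal view of one HTTP request as reconstructed from a proxy or WAF
    log that records the request body."""
    method: str
    path: str
    body: str


def classify(req: Request) -> str:
    """Return 'exploit_attempt', 'template_access', 'ognl_expression' or 'benign'.

    Path and body are percent-decoded first so that encoded forms of the
    expression are matched the same way as the literal one.
    """
    path = unquote_plus(req.path).split("?", 1)[0]
    body = unquote_plus(req.body)
    on_template = path.endswith(TEMPLATE_PATH)
    has_ognl = any(marker in body for marker in OGNL_MARKERS)
    if on_template and has_ognl:
        return "exploit_attempt"   # path and expression together: highest priority
    if on_template:
        return "template_access"   # direct template access alone is still worth review
    if has_ognl:
        return "ognl_expression"   # the expression aimed at some other endpoint
    return "benign"


def scan(requests: list[Request]) -> list[tuple[str, str]]:
    """Label every request; returns (path, label) pairs for review."""
    return [(r.path, classify(r)) for r in requests]


# Constructed sample traffic (not captured from a real incident).
SAMPLE_REQUESTS = [
    Request("POST", TEMPLATE_PATH,
            "label=x&%23request%5B%27.KEY_velocity.struts2.context%27%5D"
            ".internalGet%28%27ognl%27%29"),
    Request("GET", TEMPLATE_PATH, ""),
    Request("POST", "/rest/api/content", '{"title": "Weekly notes"}'),
    Request("POST", "/pages/doeditpage.action",
            "body=%23request%5B%27.KEY_velocity.struts2.context%27%5D"),
]

if __name__ == "__main__":
    for path, label in scan(SAMPLE_REQUESTS):
        print(f"{label:16} {path}")
```

A literal-string match like this is a starting point, not a complete signature: it depends on the log source recording request bodies, and the vendor signatures in the table further down apply their own normalization before matching. Treat any hit on the template path from an unauthenticated source as an event to investigate, and prioritise the hosts that the affected-version check marks as unpatched.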
How Does Picus Help Simulate Atlassian Confluence CVE-2023-22527 Attacks?
We also strongly suggest simulating exploitation of the Atlassian Confluence CVE-2023-22527 vulnerability to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Complete Security Validation Platform. You can also test your defenses against other vulnerability exploitation attacks, such as Citrix Bleed, Follina, and Log4Shell, within minutes with a 14-day free trial of the Picus Platform.
The Picus Threat Library includes the following threat for Atlassian Confluence CVE-2023-22527 vulnerability exploitation attacks:
Threat ID | Threat Name | Attack Module
--- | --- | ---
58423 | Atlassian Confluence Web Attack Campaign | Web Application
Picus also provides actionable mitigation content. The Picus Mitigation Library includes prevention signatures that address the Atlassian Confluence CVE-2023-22527 vulnerability and other vulnerability exploitation attacks in preventive security controls. Currently, Picus Labs has validated the following signatures for the Atlassian Confluence CVE-2023-22527 vulnerability:
Security Control | Signature ID | Signature Name
--- | --- | ---
Check Point NGFW | asm_dynamic_prop_CVE_2023_22527 | Atlassian Confluence Template Injection (CVE-2023-22527)
Citrix | 999956 | an error in value conversion in apache struts 2 before 2.2.3.1 could lead to ognl rce via http form field
F5 BIG-IP | 200004274 | FreeMarker Template Injection template.utility (Parameter)
Forcepoint NGFW | HTTP_CRL-Confluence-Template-Injection-CVE-2023-22527 |
Fortiweb | 060050053 | Generic Attacks(Extended)
Imperva SecureSphere | Template Injection – 6 |
Modsecurity | 932100 | Remote Command Execution: Unix Command Injection
Palo Alto | 92195 | FreeMarker Server Side Template Injection Vulnerability
Snort | 1.1002.19 | SERVER-IIS cmd.exe access
Trend Micro TippingPoint | 43721 | HTTP: Atlassian Confluence Data Center and Server Template Injection Vulnerability
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Complete Security Validation Platform.
References
[1] Atlassian, "CVE-2023-22527 - RCE (Remote Code Execution) Vulnerability In Confluence Data Center and Confluence Server." Available: https://confluence.atlassian.com/. [Accessed: Jan. 23, 2024]
[2] “Website.” Available: https://twitter.com/Shadowserver/status/1749372138685915645
[3] R. Maini, "Atlassian Confluence - Remote Code Execution (CVE-2023-22527)," ProjectDiscovery Blog, Jan. 22, 2024. Available: https://blog.projectdiscovery.io/atlassian-confluence-ssti-remote-code-execution/. [Accessed: Jan. 23, 2024]