Confluence Data Center and Server Remote Code Execution Vulnerability

Overview

The SonicWall Capture Labs threat research team became aware of a remote code execution vulnerability in the Atlassian Confluence Data Center and Server, assessed its impact and developed mitigation measures. Confluence Server is a software to manage documentation and knowledge bases with an ubiquitous presence across the globe. Identified as CVE-2024-21683, Confluence Data Center and Server before version 8.9.1(data center only), 8.5.9 LTS and 7.19.22 LTS allows an authenticated threat actor with the privilege of adding new macro languages to execute arbitrary code, earning a high CVSS score of 8.3. Confluence users are encouraged to upgrade their instances to the latest fixed version, as mentioned by the vendor in the advisory.

Technical Overview

This vulnerability arises due to a flaw in the input validation mechanism in the ‘Add a new language’ function of the ‘Configure Code Macro’ section. This function allows users to upload a new code block macro language definition to customize the formatting and syntax highlighting. It expects the Javascript file to be formatted according to the custom brush syntax. Insufficient validation allows the authenticated attacker to inject malicious Java code embedded in a file, such as java.lang.Runtime.getRuntime().exec(”touch /tmp/poc”) , which will be executed on the server.

Triggering the Vulnerability

Leveraging the vulnerability mentioned above requires the attacker to meet the below prerequisites.

  1. The attacker must have network access to the target vulnerable system.
  2. The attacker must have the privilege to add new macro languages.
  3. The forged JavaScript language file containing malicious Java code needs to be uploaded to the Configure Code Macro > Add a new language

The following steps will walk through the process of exploitation and the measures taken to address the vulnerability in the updated version. We used Confluence versions 8.5.0 and 8.5.9 in our tests.

To begin with, the attacker uploads the language file containing malicious Java code (similar to the one mentioned above) on the page seen in Figure 1.

Figure 1: Add a new language page

The payload will be sent for evaluation to the ‘parseLanguage’ method of the ‘RhinoLanguageParser’ class, which can be found at the below location:

WEB-INF/atlassian-bundled-plugins/com.atlassian.confluence.ext.newcode-macro-plugin-5.0.1.jar!/com/atlassian/confluence/ext/code/languages/impl/RhinoLanguageParser.class

The ‘script’ variable will be formed and the ‘evaluateString’ method will process the payload, as illustrated in Figure 2.

Figure 2: Payload evaluation by RhinoLanguageParser

If we step-into the function, the ‘evaluateString’ method will further pass the control to the ‘doTopCall’ method of the ‘ScriptRuntime’ class as seen in Figure 3. So far, the behavior of both the vulnerable and fixed versions is identical.

Figure 3: Execution of the payload by ScriptRuntime class

The result of executing the ‘doTopCall’ method (shown in Figure 3) behaves differently in the vulnerable and fixed versions. The fixed version (8.5.9) throws a ‘RhinoException’ while executing ‘doTopCall’ jumps directly to line#92 and abruptly terminates the execution of the ‘evaluateString’ method of the ‘RhinoLanguageParser’ class, as seen in Figure 4. Thanks to enhanced checks, it prevents using Java references in the uploaded file and displays ‘java is not defined’ in an exception message.

Figure 4: Abruptly terminated execution in fixed version

On the other hand, the vulnerable version (8.5.0) allows the execution of the ‘doTopCall’ and hence enables the execution of the ‘evaluateString’ method of the ‘RhinoLanguageParser’ class. It also throws the ‘InvalidLanguageException’ later on, but only after executing the injected malicious Java code as seen in Figure 5.

Figure 5: Malicious code execution in a vulnerable version

Although both the vulnerable and fixed versions of the Confluence server display similar errors on the GUI, as seen in Figure 6, the damage has already been done in the vulnerable version.

Figure 6: Common error on GUI

Exploitation

The exploitation of this vulnerability yields the remote threat actor the ability to execute arbitrary code on the server. It has a high impact on the confidentiality, integrity and availability of the system and does not require user interaction.

To achieve the remote code execution, the forged JavaScript language file with crafted payload needs to be uploaded, which will form a request as seen in the top portion of Figure 7. This request will generate a file ‘/tmp/poc’ as mentioned in the payload, as seen in the bottom portion of Figure 7.

Figure 7: Malformed request(above) and RCE in vulnerable instance(below)

Additionally, the payload can be modified to yield a reverse shell as seen in Figure 8.

Figure 8: Achieving reverse shell

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS: 4437 Atlassian Confluence Data Center and Server RCE
  • IPS: 4438 Atlassian Confluence Data Center and Server RCE 2

Remediation Recommendations

Considering Confluence Server’s pivotal role in maintaining an organization’s knowledge base, users are strongly encouraged to upgrade their instances to the latest versions, as mentioned in the vendor advisory.

Relevant Links

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.

Source: Original Post