Atlassian Confluence Data Middle and Confluence Server are weak to a essential distant code execution (RCE) vulnerability that impacts variations launched earlier than December 5, 2023, together with out-of-support releases.
The flaw is tracked as CVE-2023-22527, rated essential (CVSS v3: 10.0), and is a template injection vulnerability permitting unauthenticated attackers to carry out distant code execution on impacted Confluence endpoints.
“Most up-to-date supported variations of Confluence Data Middle and Server aren’t affected by this vulnerability because it was in the end mitigated throughout common updates,” reads Atlassian’s security bulletin.
“Nonetheless, Atlassian recommends that prospects take care to put in the most recent model to guard their cases from non-critical vulnerabilities outlined in Atlassian’s January Safety Bulletin.”
The RCE bug impacts Confluence Data Middle and Server variations 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, and eight.5.0 by 8.5.3.
Atlassian fastened the flaw in Confluence Data Middle and Server variations 8.5.4 (LTS), 8.6.0 (Data Middle solely), and 8.7.1 (Data Middle solely), which have been launched in December. Nonetheless, it’s unclear in the event that they quietly fastened the bug final month or if it was inadvertently fastened throughout their common software program improvement.
These variations have been launched earlier and are not the most recent anymore, so admins who’ve moved to a newer launch are secure from CVE-2023-22527 exploitation.
Atlassian notes that 8.4.5 and all earlier launch branches which have already fallen out of assist is not going to obtain a security replace beneath its security bug repair coverage.
Customers of these variations are really helpful to maneuver to an actively supported launch as quickly as potential.
Atlassian has supplied no mitigation or workarounds for the highlighted security downside, so making use of the out there updates is the really helpful pathway.
A FAQ web page Atlassian arrange for the flaw explains that CVE-2023-22527 doesn’t influence Confluence LTS v7.19.x, Cloud Cases hosted by the seller, or some other Atlassian product.
Nonetheless, it’s famous that cases not linked to the web and people that don’t enable nameless entry are nonetheless exploitable, even when the danger is decreased.
For these unable to use the out there updates instantly, it’s endorsed to take impacted methods offline, again up the info to a location exterior the Confluence occasion, and monitor for malicious exercise.
Atlassian Confluence bugs are sometimes leveraged by attackers within the wild, together with state-sponsored menace teams and opportunistic ransomware teams.
Within the case of CVE-2023-22527, Atlassian can’t share any significant indicators of compromise (IoCs) to assist detect exploitation.
The a number of potential entry factors and talent to make use of the flaw in chained assaults broaden its scope an excessive amount of to have the ability to pinpoint definitive exploitation indicators.
