Atlassian Confluence Data Center and Confluence Server are vulnerable to a critical remote code execution (RCE) vulnerability that impacts versions released before December 5, 2023, including out-of-support releases.
The flaw is tracked as CVE-2023-22527, rated critical (CVSS v3: 10.0), and is a template injection vulnerability allowing unauthenticated attackers to perform remote code execution on impacted Confluence endpoints.
“Most recent supported versions of Confluence Data Center and Server are not affected by this vulnerability as it was ultimately mitigated during regular updates,” reads Atlassian’s security bulletin.
“However, Atlassian recommends that customers take care to install the latest version to protect their instances from non-critical vulnerabilities outlined in Atlassian’s January Security Bulletin.”
The RCE bug impacts Confluence Data Center and Server versions 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, and 8.5.0 through 8.5.3.
Atlassian fixed the flaw in Confluence Data Center and Server versions 8.5.4 (LTS), 8.6.0 (Data Center only), and 8.7.1 (Data Center only), which were released in December. However, it is unclear if they quietly fixed the bug last month or if it was inadvertently fixed during their regular software development.
Those fixed releases are no longer the latest available, so admins who have since moved to a more recent release are already protected from CVE-2023-22527 exploitation.
Atlassian notes that 8.4.5 and all previous release branches that have already fallen out of support will not receive a security update under its security bug fix policy.
Users of those versions are recommended to move to an actively supported release as soon as possible.
Atlassian has provided no mitigation or workarounds for the highlighted security problem, so applying the available updates is the recommended pathway.
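Because the only remediation is upgrading, the first defensive step is to find every Confluence instance on an affected build. The following inventory-triage helper is an added example (not Atlassian code) that classifies version strings against the ranges quoted above: 8.0.x through 8.4.x and 8.5.0 through 8.5.3 as affected, 8.5.4, 8.6.0 and 8.7.1 (and later releases) as fixed, and 7.19.x as not impacted. Versions the article does not cover (for example 7.20.x or 8.7.0) are deliberately reported as UNLISTED rather than guessed; the inventory rows and hostnames are constructed sample input.

```python
"""CVE-2023-22527 inventory triage for Confluence Data Center / Server.

Added example, not Atlassian tooling.  The ranges below are those stated in
Atlassian's bulletin as reproduced in the article; anything outside them is
reported as UNLISTED so the caller checks the bulletin instead of trusting a
guess.  Version strings are assumed to be dotted integers such as "8.5.3".
"""
from collections import Counter
from typing import Dict, List, Tuple

# Affected: 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x (whole branches) and 8.5.0-8.5.3.
AFFECTED_BRANCHES = {(8, 0), (8, 1), (8, 2), (8, 3), (8, 4)}
AFFECTED_85_MAX_PATCH = 3

# First fixed patch level per branch: 8.5.4 (LTS), 8.6.0 and 8.7.1 (Data Center only).
FIXED_FROM = {(8, 5): 4, (8, 6): 0, (8, 7): 1}

# LTS 7.19.x is explicitly listed as not impacted.
NOT_IMPACTED_BRANCHES = {(7, 19)}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn "8.5.3" into (8, 5, 3); missing minor/patch default to 0."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts) or len(parts) > 3:
        raise ValueError(f"unrecognised Confluence version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def classify(text: str) -> str:
    """Return AFFECTED, FIXED, NOT_IMPACTED or UNLISTED for one version string."""
    major, minor, patch = parse_version(text)
    branch = (major, minor)

    if branch in NOT_IMPACTED_BRANCHES:
        return "NOT_IMPACTED"
    if branch in AFFECTED_BRANCHES:
        return "AFFECTED"
    if branch == (8, 5):
        # 8.5.0-8.5.3 affected, 8.5.4 is the LTS fix.
        return "AFFECTED" if patch <= AFFECTED_85_MAX_PATCH else "FIXED"
    if branch in FIXED_FROM:
        # 8.6.0 / 8.7.1 carry the fix; lower patch levels on those branches
        # are not listed in the bulletin text, so do not assume either way.
        return "FIXED" if patch >= FIXED_FROM[branch] else "UNLISTED"
    if major > 8 or (major == 8 and minor > 7):
        # The bulletin states that more recent releases are not affected.
        return "FIXED"
    return "UNLISTED"


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group hostnames by classification so affected hosts can be prioritised."""
    groups: Dict[str, List[str]] = {}
    for host, version in inventory:
        groups.setdefault(classify(version), []).append(host)
    return groups


def summary(inventory: List[Tuple[str, str]]) -> Counter:
    """Count hosts per classification (handy for a quick status line)."""
    return Counter(classify(v) for _, v in inventory)


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("wiki-prod-01.example.internal", "8.5.3"),
    ("wiki-prod-02.example.internal", "8.5.4"),
    ("wiki-dev.example.internal", "8.2.1"),
    ("wiki-legacy.example.internal", "7.19.17"),
    ("wiki-dc.example.internal", "8.7.1"),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:13} {', '.join(hosts)}")
```

Run it against an exported host/version list; anything in the AFFECTED group should be taken offline or upgraded first, and UNLISTED entries should be checked against the bulletin by hand rather than assumed safe.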
A FAQ page Atlassian set up for the flaw explains that CVE-2023-22527 does not impact Confluence LTS v7.19.x, Cloud Instances hosted by the vendor, or any other Atlassian product.
However, it is noted that instances not connected to the internet and those that do not allow anonymous access are still exploitable, even if the risk is reduced.
For those unable to apply the available updates immediately, it is recommended to take impacted systems offline, back up the data to a location outside the Confluence instance, and monitor for malicious activity.
Atlassian Confluence bugs are often leveraged by attackers in the wild, including state-sponsored threat groups and opportunistic ransomware groups.
In the case of CVE-2023-22527, Atlassian cannot share any meaningful indicators of compromise (IoCs) to help detect exploitation.
The multiple possible entry points and ability to use the flaw in chained attacks broaden its scope too much to be able to pinpoint definitive exploitation signs.