Critical RCE Vulnerability Found in Older Atlassian Confluence Versions

January 16, 2024

Atlassian has alerted users to a critical remote code execution (RCE) vulnerability affecting older versions of Confluence Data Center and Confluence Server, including out-of-support releases. The flaw, tracked as CVE-2023-22527, is a template injection bug rated critical (CVSS v3 score of 10.0) that allows an unauthenticated attacker to execute code remotely on an affected Confluence instance.

Atlassian's security bulletin clarifies that the most recent supported versions of Confluence Data Center and Server are not susceptible to this vulnerability, because the flaw was mitigated in the course of regular version updates. The company nonetheless advises users to install the latest version to protect their instances from the non-critical vulnerabilities outlined in its January Security Bulletin.

The RCE vulnerability affects Confluence Data Center and Server versions 8.0.x through 8.5.3. Atlassian addressed the flaw in versions 8.5.4 (LTS), 8.6.0 (Data Center only), and 8.7.1 (Data Center only), all released in December. It is unclear whether the bug was fixed intentionally last month or addressed incidentally as part of regular software updates.

Administrators who have already upgraded to one of these releases or newer are not exposed to CVE-2023-22527. Atlassian emphasizes that version 8.4.5 and all earlier release branches are no longer supported and will not receive a security update under its security bug fix policy; users on those versions are urged to move to an actively supported release as soon as possible.

Atlassian has not provided any mitigation or workaround for this issue, so applying the available updates is the recommended course of action. A FAQ page Atlassian set up for the flaw states that it does not affect the Confluence 7.19.x LTS branch, Atlassian-hosted Cloud instances, or any other Atlassian product. Instances that are not internet-facing and those that do not allow anonymous access are still vulnerable, albeit at reduced risk.

For those unable to apply the updates immediately, the recommendation is to take affected systems offline, back up their data to a location outside the Confluence instance, and monitor for malicious activity. Confluence bugs are frequently exploited by attackers, including state-sponsored threat groups and opportunistic ransomware operators. In the case of CVE-2023-22527, Atlassian says it cannot provide a definitive set of indicators of compromise (IoCs) to help detect exploitation, because the flaw has multiple possible entry points and can be used in chained attacks, so defenders should not rely on a single signature or log pattern.
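To act on the version boundaries above across a fleet, the first step is triage: which hosts fall in the 8.0.x to 8.5.3 range, which are on an out-of-support branch that will never get a fix, and which are on a branch the advisory lists a fixed release for. The script below is an added example, not Atlassian tooling or code from this page. It encodes only the ranges stated here (affected 8.0.x to 8.5.3; fixes in 8.5.4, 8.6.0 and 8.7.1; 7.19.x LTS not affected; 8.4.5 and earlier out of support) and deliberately reports anything outside those ranges, such as 8.7.0 or a newer branch, as "verify" rather than guessing. The hostnames and versions in the sample inventory are constructed, and the handling of version suffixes is an assumption.

```python
"""Triage Confluence Data Center/Server versions against the CVE-2023-22527
version ranges summarised in the advisory coverage above.

Added example, not Atlassian's own tooling. Assumptions (not from the page):
version strings start with "major.minor[.patch]"; any suffix such as "-rc1"
is ignored; hosts outside the stated ranges are flagged for manual checking.
"""
from __future__ import annotations

import re

# Boundaries as stated on this page.
AFFECTED_LOW = (8, 0, 0)       # first affected release branch: 8.0.x
AFFECTED_HIGH = (8, 5, 3)      # last affected release: 8.5.3
FIXED_RELEASES = [(8, 5, 4), (8, 6, 0), (8, 7, 1)]  # 8.5.4 (LTS), 8.6.0, 8.7.1
UNAFFECTED_LTS_BRANCH = (7, 19)  # 7.19.x LTS: not affected, per Atlassian's FAQ
LAST_UNSUPPORTED_BRANCH = (8, 4)  # 8.4.x and earlier get no security update

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'major.minor[.patch]' into a comparable tuple; suffixes are ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def classify(version: str) -> str:
    """Return a triage status for one Confluence version string."""
    v = parse_version(version)
    if v[:2] == UNAFFECTED_LTS_BRANCH:
        return "not-affected (7.19.x LTS, per Atlassian FAQ)"
    if v < AFFECTED_LOW:
        return "unsupported-branch (pre-8.0, out of support; upgrade)"
    if AFFECTED_LOW <= v <= AFFECTED_HIGH:
        if v[:2] <= LAST_UNSUPPORTED_BRANCH:
            return "AFFECTED, out-of-support (no fix for this branch; upgrade to 8.5.4 LTS or later)"
        return "AFFECTED (upgrade to 8.5.4 LTS, 8.6.0 or 8.7.1)"
    # Newer than 8.5.3: call it fixed only at or above the listed fix for its own branch.
    for fixed in FIXED_RELEASES:
        if v[:2] == fixed[:2]:
            if v >= fixed:
                return "fixed"
            label = ".".join(map(str, fixed))
            return f"verify (below the listed fix {label} on this branch)"
    return "verify (branch not listed in the advisory summary; check Atlassian's advisory)"


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map hostname -> triage status for a {hostname: version} inventory."""
    return {host: classify(ver) for host, ver in inventory.items()}


# Constructed sample inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY = {
    "wiki-old.example.internal": "7.19.17",
    "wiki-eol.example.internal": "8.4.5",
    "wiki-lts.example.internal": "8.5.3",
    "wiki-dc1.example.internal": "8.5.4",
    "wiki-dc2.example.internal": "8.7.0",
    "wiki-new.example.internal": "8.8.0",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:32} {status}")
```

The "verify" outcomes are the point of the example: 8.7.0 sits above the affected range quoted here but below the 8.7.1 fix the page names, and a branch newer than 8.7 is simply not described on this page, so neither should be silently marked safe. Every host reported as AFFECTED maps directly onto the advice above: upgrade, or take it offline, back up outside the instance, and monitor.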
