Repeated attempts to exploit the CVE-2023-22527 vulnerability in Atlassian Confluence

Security researchers have been observing multiple attempts to exploit the CVE-2023-22527 vulnerability, which affects outdated versions of Atlassian Confluence servers.

Atlassian disclosed the security issue last week, noting that it only affects Confluence versions released before December 5, 2023, along with some unsupported versions.

The vulnerability is classified as critical and is described as a template injection weakness that allows unauthenticated remote attackers to execute code on vulnerable Confluence Data Center and Confluence Server endpoints in versions 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, and 8.5.0 to 8.5.3.

A fix is available for Confluence Data Center and Server versions 8.5.4 (LTS), 8.6.0 (Data Center only), 8.7.1 (Data Center only), and later releases.

Threat monitoring service Shadowserver reports today that its systems have detected thousands of attempts to exploit CVE-2023-22527, originating from just over 600 unique IP addresses.

The service claims that attackers are attempting to invoke the “whoami” command to gather information about access levels and permissions on the system.

The total number of exploitation attempts registered by the Shadowserver Foundation is more than 39,000, with the majority of attacks coming from Russian IP addresses.

Shadowserver reports that its scanners currently detect 11,100 instances of Atlassian Confluence accessible on the public internet. However, not all of them necessarily run a vulnerable version.

Attackers of various kinds, including state-sponsored threat groups and opportunistic ransomware gangs, often exploit vulnerabilities in the Atlassian Confluence platform, including CVE-2023-22527.

Regarding CVE-2023-22527, Atlassian previously stated that it is unable to provide specific indicators of compromise (IoCs) that would facilitate detection of exploitation instances.

Confluence server administrators should ensure that the endpoints they manage have been updated to at least a version released after December 5, 2023.

For organizations using outdated Confluence versions, it is recommended to treat them as potentially compromised, look for signs of exploitation, perform thorough cleaning, and upgrade to a secure version.
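The version ranges and fixed releases above are the only facts an administrator has to work with, so the practical first step is an inventory check that maps each Confluence instance to "affected", "fixed" or "unknown" and routes the first and last groups to the compromise-assessment advice. The script below is an added example, not code from the article, Atlassian or Shadowserver; the host names and version strings in the sample inventory are constructed, and the handling of pre-8.0 builds (reported as "unknown" because the article only says that "some unsupported versions" are affected) and of major lines after 8 (treated as post-dating the fix) are assumptions made here.

```python
import re
from typing import Dict, List, Optional, Tuple

# Version ranges named in the article as vulnerable to CVE-2023-22527:
# 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x and 8.5.0 through 8.5.3.
AFFECTED_MINOR_LINES = {0, 1, 2, 3, 4}
LAST_AFFECTED_8_5_PATCH = 3

# Fixed releases named in the article, as minor line -> first fixed patch level;
# the article says later releases in each line are fixed as well.
FIXED_FROM = {5: 4, 6: 0, 7: 1}

# Accepts "8.5.3", "8.5", or "8.5.3-anything"; trailing build suffixes are ignored.
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) or None when the string is not a version."""
    m = VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3)
    return int(major), int(minor), int(patch or 0)


def classify(version: str) -> str:
    """Classify one Confluence version against the article's affected/fixed ranges.

    Returns 'affected', 'fixed' or 'unknown'. 'unknown' is deliberately not
    treated as safe: it covers unparseable strings, unsupported pre-8.0 builds
    and 8.x releases the article does not name on either side of the fix.
    """
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"
    major, minor, patch = parsed
    if major < 8:
        # Assumption: unsupported pre-8.0 builds cannot be cleared from this list alone.
        return "unknown"
    if major > 8:
        # Assumption: later major lines post-date the fix.
        return "fixed"
    if minor in AFFECTED_MINOR_LINES:
        return "affected"
    if minor == 5:
        return "affected" if patch <= LAST_AFFECTED_8_5_PATCH else "fixed"
    if minor in FIXED_FROM:
        # e.g. 8.7.0 sits below the named fix 8.7.1 and is not in the affected list.
        return "fixed" if patch >= FIXED_FROM[minor] else "unknown"
    return "fixed"  # 8.8 and later lines were released after the fix


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts by classification. 'affected' and 'unknown' hosts should be
    treated as potentially compromised, checked for signs of exploitation,
    cleaned and upgraded, as the article recommends."""
    groups: Dict[str, List[str]] = {"affected": [], "fixed": [], "unknown": []}
    for host, version in inventory.items():
        groups[classify(version)].append(host)
    return groups


# Constructed sample inventory; none of these hosts or versions are real observations.
SAMPLE_INVENTORY = {
    "wiki-01.example.test": "8.5.3",
    "wiki-02.example.test": "8.5.4",
    "wiki-03.example.test": "8.2.1",
    "wiki-04.example.test": "8.7.1",
    "wiki-05.example.test": "7.19.17",
    "wiki-06.example.test": "not-a-version",
}

if __name__ == "__main__":
    for state, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{state}: {', '.join(hosts) or '-'}")
```

Feed it the version strings from your own asset inventory or from the Confluence admin console; anything that lands in "affected" or "unknown" should go into the compromise-assessment queue rather than being assumed safe.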

FAQ section based on key topics and information included in the article:

1. What is the CVE-2023-22527 vulnerability in Atlassian Confluence servers?
The CVE-2023-22527 vulnerability is a template injection weakness in outdated versions of Atlassian Confluence servers. It allows unauthenticated remote attackers to execute code on vulnerable Confluence Data Center and Confluence Server endpoints in certain versions.

2. Which versions of Atlassian Confluence servers are affected by the CVE-2023-22527 vulnerability?
Versions 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, and 8.5.0 to 8.5.3 of Atlassian Confluence servers are vulnerable to CVE-2023-22527.

3. Is there a fix available for the CVE-2023-22527 vulnerability?
Yes, a fix is available for Confluence Data Center and Server versions 8.5.4 (LTS), 8.6.0 (Data Center only), 8.7.1 (Data Center only), and later releases.

4. What are the symptoms of attempted exploitation of the CVE-2023-22527 vulnerability?
Attackers attempt to invoke the “whoami” command to gather information about access levels and permissions on the system.

5. Where do attacks exploiting the CVE-2023-22527 vulnerability originate from?
The majority of attacks exploiting the CVE-2023-22527 vulnerability come from Russian IP addresses.

6. What should Confluence server administrators do regarding the CVE-2023-22527 vulnerability?
Confluence server administrators should ensure that the endpoints they manage have been updated to at least the version released after December 5, 2023.

7. What is recommended for organizations using outdated Confluence versions?
Organizations using outdated Confluence versions should treat them as potentially compromised, look for signs of exploitation, perform thorough cleaning, and upgrade to a secure version.

Key Terms and Jargon Definitions Used in the Article:
– CVE-2023-22527: Unique identifier for a vulnerability reported in the Common Vulnerabilities and Exposures (CVE) system, which refers to a template injection weakness in outdated versions of Atlassian Confluence servers.
– Atlassian Confluence: Collaboration and documentation platform used by organizations to create, organize, and share content.
– Shadowserver: Threat monitoring service reporting attempts to exploit the CVE-2023-22527 vulnerability and other internet threats.

The source of this article is the blog elblog.pl.