Atlassian Confluence Server RCE attacks underway from 600+ IPs
If you're still running a vulnerable instance then 'assume a breach'
More than 600 IP addresses are launching thousands of exploit attempts against CVE-2023-22527 – a critical bug in out-of-date versions of Atlassian Confluence Data Center and Server – according to non-profit security org Shadowserver.
Atlassian disclosed the flaw last week: a template injection vulnerability that can allow unauthenticated remote code execution (RCE). The CVE scored a CVSS rating of 10 out of 10, and it affects Confluence Data Center and Server 8 versions released before December 5, 2023 and versions up to 8.4.5.
At the time, the software vendor urged customers to update "immediately" to the latest available version to plug the hole. It appears, however, that not everyone followed this advice.
As of Sunday more than 11,000 instances remain exposed on the internet, and criminals are pounding them with RCE attempts.
In an Xeet on Monday, Shadowserver reported seeing more than 39,000 such attempts since January 19. "Over 600 IPs seen attacking so far (testing callback attempts and 'whoami' execution)," the security org revealed, alongside a screenshot showing the security events, IPs and unique ports.
Atlassian hasn't updated its CVE-2023-22527 security advisory to indicate any instances of Confluence Server being under active exploitation. A company spokesperson did not answer The Register's questions about attempted or successful RCE attacks, and instead emailed the following statement:
The issue has already been corrected in a previous release of Confluence Server and Data Center. We continue to strongly recommend that all customers upgrade to the latest patched versions as per our Critical Security Advisory.
Ken Dunham, threat director at cloud security company Qualys's Threat Research Unit, warned that organizations with any external-facing vulnerable Atlassian instances should "assume a breach," essentially "treating it as compromised until proven otherwise," and take precautions. These include patching (in this case by updating to a newer, supported version), plus threat hunting, reviewing logs, monitoring, and auditing the potentially affected systems.
"Attacks like this are easily automated and likely rapidly weaponized to take advantage of vulnerable instances before remediation occurs," Dunham told The Register.
This latest perfect-10-rated CVE follows a string of critical flaws that have plagued the Australian software developer over recent months. These include four critical bugs, rated 9.0 or higher, that Atlassian alerted customers to by email last month. However, the warning proved ineffective because the email's links weren't live when the message was originally sent.
Then in October, there was an improper authorization vulnerability in Confluence Data Center and Server that initially earned a CVSS score of 9.1 before being upgraded to a 10 after miscreants began exploiting that vulnerability.
Atlassian security may soon become even more challenged: on February 15th the Aussie software company ends support for its Server products, leaving the vastly more expensive Data Center products or a cloud migration as the alternatives. An Atlassian partner recently told The Register that forty percent of its clientele intends to continue using the unsupported products despite Atlassian insisting it won't provide patches.
An Atlassian spokesperson, responding to this published piece, added: "This vulnerability is ripe for opportunistic threat actors, and our focus remains on supporting our customers to take timely action to protect their data. Atlassian can't confirm if a customer instance has been affected by this vulnerability. Customers should engage their local security team to check all affected Confluence instances for evidence of compromise." ®