Unauthenticated OGNL injection in Confluence Server and Data Center (CVE-2023-22527)
Description
CVE-2023-22527 is a critical unauthenticated remote code execution vulnerability affecting Atlassian Confluence Data Center and Server. This vulnerability stems from an OGNL (Object-Graph Navigation Language) injection flaw that allows attackers to execute arbitrary code without requiring authentication. Atlassian has confirmed active exploitation of this vulnerability in the wild, making immediate remediation essential for all affected installations.
The vulnerability exists in the template injection mechanism and can be exploited by sending specially crafted HTTP requests to vulnerable Confluence instances.
Remediation
Take the following actions immediately to remediate this vulnerability:
1. Upgrade Confluence immediately to a fixed version as specified in Atlassian's security advisory (CVE-2023-22527). Prioritize this update as a critical security patch.
2. Identify affected instances by checking your Confluence version against the list of vulnerable versions provided by Atlassian.
3. If immediate patching is not possible, consider temporarily taking Confluence instances offline or restricting network access to trusted IP addresses only until patching can be completed.
4. Review logs and monitor for indicators of compromise, including unusual HTTP requests, unexpected process execution, or unauthorized access attempts that may have occurred before patching.
5. Verify the integrity of your Confluence installation after patching to ensure no malicious modifications were made during any potential exploitation window.
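As an added example for step 4 (this is illustrative code, not part of Atlassian's advisory or Confluence itself), the following Python scanner parses access-log lines and flags request targets that contain OGNL expression syntax after URL-decoding, which is the kind of "unusual HTTP request" worth pulling for review. The log lines, the endpoint path `/example/page.vm` and the parameter name `label` are constructed placeholders, not the actual vulnerable endpoint.

```python
import re
from urllib.parse import unquote

# Constructed Tomcat/Confluence-style access-log lines for demonstration only.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Jan/2024:10:01:02 +0000] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 5120',
    '203.0.113.20 - - [10/Jan/2024:10:01:05 +0000] "POST /example/page.vm?label=%23%7Bx%7D HTTP/1.1" 200 0',
    '203.0.113.30 - - [10/Jan/2024:10:01:09 +0000] "GET /display/DOC/Home HTTP/1.1" 200 8844',
    '203.0.113.40 - - [10/Jan/2024:10:01:15 +0000] "POST /example/page.vm?label=%40java.lang.Runtime%40x HTTP/1.1" 500 0',
    '203.0.113.50 - - [10/Jan/2024:10:02:01 +0000] "GET /dosearchsite.action?queryString=c%23 HTTP/1.1" 200 3000',
]

# Combined-log-format request line: client IP, timestamp, method, target, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# OGNL expression markers that rarely appear in legitimate Confluence query strings.
# A bare '#' (e.g. in a search query for "c#") is deliberately NOT treated as a hit.
OGNL_MARKERS = [
    (re.compile(r'#\{'), 'ognl-expression-brace'),              # #{ ... } expression syntax
    (re.compile(r'@[A-Za-z_][\w.]*@'), 'static-member-access'),  # @package.Class@member
    (re.compile(r'\.getClass\s*\('), 'class-reflection'),        # reflection pivot
]

def decode_target(target):
    """URL-decode up to three times; attackers often double-encode to evade naive filters."""
    prev = None
    for _ in range(3):
        if target == prev:
            break
        prev, target = target, unquote(target)
    return target

def classify_line(line):
    """Return (client_ip, raw_target, [marker names]) or None if the line does not parse."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    decoded = decode_target(m.group('target'))
    hits = [name for rx, name in OGNL_MARKERS if rx.search(decoded)]
    return m.group('ip'), m.group('target'), hits

def find_suspicious(lines):
    """Return only the parsed entries that matched at least one OGNL marker."""
    return [r for r in map(classify_line, lines) if r and r[2]]

if __name__ == '__main__':
    for ip, target, hits in find_suspicious(SAMPLE_LOG):
        print(f'{ip} {target} -> {", ".join(hits)}')
```

Run it against the real Confluence access logs (typically under the Tomcat logs directory) and treat any hit as a lead for the process-execution and integrity checks in steps 4 and 5, not as proof of compromise on its own.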
Consult Atlassian's official security advisory for the complete list of affected and fixed versions.