Atlassian Confluence Servers Attacked From 600+ IP’s

Atlassian disclosed a critical vulnerability last week related to Remote Code Execution (CVE-2023-22527). This particular vulnerability was reported to be affecting Confluence Data Center and Server versions released earlier than December 5, 2023.

Moreover, Atlassian also stated that the vulnerability was patched in the latest Confluence data center and server 8.5.4 (LTS) and 8.6.0 & 8.7.1 (Data Centers only). Moreover, version 8.5.4 also specified that it does not receive backported fixes due to the Security Bug fix policy.

CVE-2023-22527 allows an unauthenticated threat actor to execute remote commands on the affected installations. Moreover, this was a template injection vulnerability currently being exploited by threat actors.

Document
Free Webinar

Fastrack Compliance: The Path to ZERO-Vulnerability

Compounding the problem are zero-day vulnerabilities like the MOVEit SQLi, Zimbra XSS, and 300+ such vulnerabilities that get discovered each month. Delays in fixing these vulnerabilities lead to compliance issues, these delay can be minimized with a unique feature on AppTrana that helps you to get “Zero vulnerability report” within 72 hours.

600 Unique IPs

According to the reports shared with Cyber Security News, more than 600 IPs were observed attacking Atlassian Confluence with this vulnerability. Most of the attempts were attempts to do a callback with the “whoami” command execution.

As for the originating IPs, most of them were traced back to Russia. Other commands used in the exploitation attempts were “id” and “cat /etc/shadow.” Atlassian urges all the users of Confluence servers to upgrade to the latest versions as soon as possible.

Nevertheless, Atlassian mentioned that there are no workarounds for mitigating this vulnerability. GreyNoise also stated that they were seeing high attempts of exploitation from different IPs and asked them to update the vulnerable versions as soon as possible.

Exploitation attempts (Source: GreyNoise)
Exploitation attempts (Source: GreyNoise)

The security bug fix policy that affected version 8.5.4 from receiving backported support states that “…critical security bug fixes will be backported. We will release new maintenance releases for the versions covered by the policy instead of binary patches. Binary patches are no longer released.

Affected Products and Fixed in Version

ProductFixed VersionsLatest Versions
Confluence Data Center and Server8.5.4 (LTS)
8.5.5 (LTS)
Confluence Data Center8.6.0 (Data Center Only)8.7.1 (Data Center Only)8.7.2 (Data Center Only)

Atlassian has released a report that provides additional information about the vulnerability. It is recommended that all the users upgrade to the latest version to prevent exploitation.

Try Kelltron’s cost-effective penetration testing services to evaluate digital systems security. Free demo available.

Eswar is a Cyber security reporter with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is reporting data breach, Privacy and APT Threats.