Confluence CVE-2023-22527: Template Injection and the Mass Exploit Wave
Cybersecurity
Unauthenticated OGNL injection in Confluence triggered a mass exploitation wave, with cryptomining and ransomware payloads deployed within hours of public disclosure.
By Arjun Raghavan, Security & Systems Lead, BIPI · November 10, 2024 · 9 min read
CVE-2023-22527 is a critical server-side template injection vulnerability in Atlassian Confluence Data Center and Server. The CVSS 3.1 base score is 10.0. The flaw allows an unauthenticated attacker to inject OGNL (Object-Graph Navigation Language) expressions into Confluence's template rendering engine and achieve remote code execution with the privileges of the Confluence application process. Atlassian disclosed the vulnerability in January 2024, and mass exploitation began within days.
OGNL Injection: The Attack Mechanism
Confluence uses the OGNL expression language as part of its template system. The vulnerable endpoint evaluates user-supplied input as an OGNL expression without sanitizing it. An attacker submits an HTTP POST to a specific Confluence Velocity template endpoint with a crafted OGNL payload in the request body; Confluence evaluates the expression, which invokes Java Runtime methods to execute arbitrary OS commands. Because the endpoint does not require authentication, no session token or credentials are needed.
Affected Versions
- Confluence Data Center and Server 8.0.x through 8.0.4
- Confluence Data Center and Server 8.1.x through 8.1.4
- Confluence Data Center and Server 8.2.x through 8.2.3
- Confluence Data Center and Server 8.3.x through 8.3.4
- Confluence Data Center and Server 8.4.x through 8.4.4
- Confluence Data Center and Server 8.5.x through 8.5.3 (LTS)
- Versions 7.x and below are NOT affected
- Atlassian Cloud instances are NOT affected
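The affected-version list above is the first thing an inventory check has to encode, and getting the boundaries right (8.5.3 affected, 8.5.4 fixed, 7.x untouched) is where triage scripts usually go wrong. The following Python is an added example, not Atlassian's tooling: it parses a Confluence version string, applies the ranges exactly as listed above, and returns a verdict for each host in a constructed inventory. The `deployment` parameter and the hostnames are assumptions for illustration.

```python
import re

# Affected 8.x ranges exactly as listed in the advisory summary above:
# minor -> highest affected patch level. 8.5.4 (LTS) and 8.6.0 or later are
# the fixed releases named under Remediation.
AFFECTED_8X_MAX_PATCH = {0: 4, 1: 4, 2: 3, 3: 4, 4: 4, 5: 3}
FIRST_FIXED = (8, 5, 4)

VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?\s*$")


def parse_version(text):
    """Turn '8.5.3' (or 'v8.5', treated as 8.5.0) into a comparable tuple."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Confluence version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def assess(version_text, deployment="server"):
    """Classify one instance against the published CVE-2023-22527 ranges.

    deployment is 'server' (Data Center/Server) or 'cloud'; Atlassian Cloud is
    not affected regardless of the version string it reports.
    """
    if deployment == "cloud":
        return "not affected (Atlassian Cloud)"
    major, minor, patch = parse_version(version_text)
    if major < 8:
        return "not affected (7.x and below)"
    if major == 8 and minor in AFFECTED_8X_MAX_PATCH and patch <= AFFECTED_8X_MAX_PATCH[minor]:
        return "AFFECTED: patch to 8.5.4 (LTS), 8.6.0, or later"
    if (major, minor, patch) >= FIRST_FIXED:
        return "fixed release (8.5.4 or later)"
    # An 8.x build below 8.5.4 that the list does not name: do not guess.
    return "not in the published affected list: confirm against the Atlassian advisory"


def triage(inventory):
    """inventory: iterable of (hostname, version) -> list of (hostname, version, verdict)."""
    return [(host, ver, assess(ver)) for host, ver in inventory]


if __name__ == "__main__":
    # Constructed inventory for illustration; hostnames are placeholders.
    sample = [("wiki-prod", "8.5.3"), ("wiki-dr", "8.5.4"),
              ("wiki-legacy", "7.19.17"), ("wiki-test", "8.6.0")]
    for host, ver, verdict in triage(sample):
        print(f"{host:12} {ver:8} {verdict}")
```

Unknown or unparsable version strings raise rather than silently passing, which is the behaviour you want in a script that feeds a patching SLA.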
The Mass Exploitation Wave
Shadowserver and GreyNoise reported tens of thousands of unique source IPs scanning for and attempting to exploit CVE-2023-22527 within the first week after disclosure. Threat actors did not need sophisticated tooling: the exploit is a single HTTP POST request carrying a carefully structured OGNL payload. Several automated botnets incorporated the exploit into their scanning routines at the same time, producing a race in which competing actors tried to compromise the same vulnerable instances first.
When a vulnerability with a 10.0 CVSS score requires only a single unauthenticated HTTP request to exploit, the time from disclosure to mass exploitation is measured in hours, not weeks. Patch velocity matters more than detection in this scenario.
Observed Payloads and Post-Exploitation
- XMRig cryptominer: Most common initial payload, deployed by multiple financially motivated groups
- C3RB3R ransomware: Targeted high-value instances for encryption and extortion
- Mirai botnet variants: Enrolled compromised instances in DDoS infrastructure
- Custom web shells: Deployed by state-nexus actors for persistent access
- Credential harvesting: Extraction of Confluence user databases and application-linked credentials
Detection: Indicators to Hunt
Examine Confluence access logs for POST requests to paths matching /template/aui/text-inline.vm or similar Velocity template paths, and for request targets containing OGNL expression syntax (the hash character, which arrives URL-encoded as %23). Process monitoring should flag unexpected child processes spawned from the Confluence JVM process, particularly curl, wget, sh, or bash executions initiated by the confluence user account.
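Both hunts above are simple enough to script. The Python below is an added example, not code from the original post or from Atlassian: it parses Tomcat combined-format access log lines, flags POSTs to Velocity template paths (text-inline.vm at high priority, any other /template/*.vm at medium, raised to high when URL-decoded OGNL markers are present), and separately flags shell or downloader children of the JVM running as the confluence account. The log lines and process events are constructed samples; the sibling template path and the event field names (pid, user, parent_comm, comm) are assumptions about your telemetry format.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed Confluence/Tomcat access-log lines in "combined" format:
# client ident user [timestamp] "METHOD target PROTO" status bytes "referer" "agent".
# Not captured traffic; other-template.vm is a constructed sibling path.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [17/Jan/2024:03:12:44 +0000] "POST /template/aui/text-inline.vm HTTP/1.1" 200 1783 "-" "python-requests/2.31.0"
198.51.100.7 - - [17/Jan/2024:03:12:51 +0000] "GET /login.action HTTP/1.1" 200 9210 "-" "Mozilla/5.0"
203.0.113.10 - - [17/Jan/2024:03:13:02 +0000] "POST /template/aui/other-template.vm?q=%23x HTTP/1.1" 200 1783 "-" "curl/8.4.0"
192.0.2.55 - - [17/Jan/2024:03:14:10 +0000] "POST /rest/api/content HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [17/Jan/2024:03:15:30 +0000] "POST /template/aui/other-template.vm HTTP/1.1" 200 1783 "-" "curl/8.4.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)
TEMPLATE_PATH_RE = re.compile(r"^/template/.*\.vm$")
# OGNL expression markers once URL-decoded: '#' (sent as %23), '${', '%{'
OGNL_MARKER_RE = re.compile(r"#|\$\{|%\{")


def analyze_access_line(line):
    """Return a finding dict for a POST to a Velocity template path, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Split before decoding so an encoded '#' is not mistaken for a URL fragment.
    parts = urlsplit(m["target"])
    path = unquote(parts.path)
    if m["method"] != "POST" or not TEMPLATE_PATH_RE.match(path):
        return None
    ognl = bool(OGNL_MARKER_RE.search(path + unquote(parts.query)))
    severity = "high" if path.endswith("/text-inline.vm") or ognl else "medium"
    return {"src": m["src"], "ts": m["ts"], "path": path,
            "status": int(m["status"]), "ognl_markers": ognl, "severity": severity}


def hunt_access_log(text):
    """Run analyze_access_line over every line; keep only findings."""
    return [h for h in (analyze_access_line(ln) for ln in text.splitlines()) if h]


SUSPICIOUS_CHILDREN = {"curl", "wget", "sh", "bash"}

# Constructed process-creation events (as auditd/eBPF telemetry might emit), not real data.
SAMPLE_PROCESS_EVENTS = [
    {"pid": 4101, "user": "confluence", "parent_comm": "java", "comm": "bash"},
    {"pid": 4102, "user": "confluence", "parent_comm": "java", "comm": "curl"},
    {"pid": 4120, "user": "root", "parent_comm": "cron", "comm": "sh"},
    {"pid": 4130, "user": "confluence", "parent_comm": "java", "comm": "java"},
]


def suspicious_children(events, service_user="confluence"):
    """Flag shell/downloader children forked by the Confluence JVM under the service account."""
    return [e for e in events
            if e["user"] == service_user and e["parent_comm"] == "java"
            and e["comm"] in SUSPICIOUS_CHILDREN]


if __name__ == "__main__":
    for h in hunt_access_log(SAMPLE_ACCESS_LOG):
        print(f"[{h['severity']}] {h['ts']} {h['src']} POST {h['path']} ognl_markers={h['ognl_markers']}")
    for e in suspicious_children(SAMPLE_PROCESS_EVENTS):
        print(f"[high] pid {e['pid']}: {e['parent_comm']} -> {e['comm']} as {e['user']}")
```

Access logs do not record POST bodies, so the OGNL-marker check only catches payloads that leak into the request target; treat any POST to text-inline.vm from an unexpected source as worth a look even when no markers are visible, and pair it with the process-tree check, which does not depend on what the request contained.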
Remediation
- Patch to 8.5.4 (LTS), 8.6.0, or later immediately
- If patching is delayed, block external access to the Confluence instance entirely
- Audit Confluence for unexpected user accounts and administrative changes
- Search web-accessible directories for newly created files with .jsp or .jspx extensions
- Review network connections from the Confluence host for unexpected outbound destinations
- Reset all Confluence user passwords and application-linked service account credentials
Structural Controls for Collaboration Platforms
- Confluence should not be directly internet-facing without a WAF in front of it
- Subscribe to Atlassian security advisories and establish a sub-24-hour patching SLA for critical severity
- Run Confluence under a dedicated low-privilege OS account with restricted outbound network access
- Enable Confluence audit logging and forward to SIEM with alerting on admin actions
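The third control above (dedicated low-privilege account, restricted outbound network access) is the one that blunts the payloads listed earlier: a miner or web shell that cannot reach its operator is far less useful. The systemd unit below is an added example, not Atlassian's shipped unit file. The install and data paths follow the Linux installer defaults and the IP ranges are constructed placeholders; both are assumptions to adjust for your environment.

```ini
# /etc/systemd/system/confluence.service
# Added example of a hardened unit; not Atlassian's shipped file.
# Paths are the Linux installer defaults; network ranges are constructed placeholders.
[Unit]
Description=Atlassian Confluence (dedicated account, restricted egress)
After=network-online.target
Wants=network-online.target

[Service]
Type=forking
# Never run the JVM as root: a dedicated account limits what a template-injection RCE can touch.
User=confluence
Group=confluence
ExecStart=/opt/atlassian/confluence/bin/start-confluence.sh
ExecStop=/opt/atlassian/confluence/bin/stop-confluence.sh
PIDFile=/opt/atlassian/confluence/work/catalina.pid

# No privilege escalation for the JVM or any child it spawns (curl, sh, ...).
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=full
ProtectHome=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes

# Socket-level allow-list (needs cgroup v2). Deny everything, then allow only the
# reverse proxy/WAF, the database and the mail relay. An XMRig miner, a C2 beacon
# or a second-stage download to an arbitrary internet host is refused at the socket.
IPAddressDeny=any
IPAddressAllow=localhost
# reverse proxy / WAF subnet (placeholder)
IPAddressAllow=10.10.0.0/24
# PostgreSQL host (placeholder)
IPAddressAllow=10.20.0.5/32
# SMTP relay (placeholder)
IPAddressAllow=10.20.0.9/32

[Install]
WantedBy=multi-user.target
```

IPAddressAllow and IPAddressDeny filter both directions of every socket the unit opens, so the list must also cover anything Confluence legitimately needs to reach (DNS resolvers, LDAP or SSO providers, Marketplace or plugin update sources if you permit them, outbound webhooks); a denied connection shows up as a plain connection error in the Confluence logs, which is itself a useful signal when it comes from a child process that should never have been making one.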