Atlassian Confluence Data Center and Server has been hit with a critical remote code execution bug that allows authenticated threat actors to abuse their account privileges and execute arbitrary code.
The vulnerability, tracked as CVE-2024-21683, is assigned a CVSS score of 8.3/10. It requires no user interaction and has a high impact on the confidentiality, integrity, and availability of the configuration service.
“This High severity RCE (Remote Code Execution) vulnerability was introduced in version 5.2 of Confluence Data Center and Server,” Atlassian said in an advisory. “Atlassian recommends that Confluence Data Center and Server customers upgrade to the latest version.”
The vulnerability has been fixed by the company in the latest versions of the software.
Input validation flaw
The vulnerability stems from a weakness in the input validation mechanism of the ‘Add a new language’ function in the ‘Configure Code Macro’ section, according to SonicWall research.
“This function allows users to upload a new code block macro language definition to customize the formatting and syntax highlighting,” said the SonicWall threat research team in a report. “It expects the JavaScript file to be formatted according to the custom brush syntax.”
Insufficient validation allows an authenticated attacker to inject malicious Java code embedded in the uploaded file, which is then executed on the server, the team added.
So, for a threat actor to exploit the flaw, they must have access to the vulnerable network, the privilege to add new macro languages, and the ability to upload the crafted JavaScript language definition through Configure Code Macro.
A proof-of-concept (PoC) exploit for the vulnerability is also referenced in the SonicWall research.
Fix includes updating to the latest version
The vulnerability affects versions 5.2, 7.19.0, 7.20.0, 8.0.0, 8.1.0, 8.2.0, 8.3.0, 8.4.0, 8.5.0, 8.6.0, 8.8.0, 8.7.1, and 8.9.0 of Confluence Data Center and Confluence Server. Fixes are included in versions 8.9.1, 8.5.9, and 7.19.22, which patch all the affected releases.
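The following is an added example, not code from the article, Atlassian or SonicWall: a small check that maps a Confluence version string to the fixed releases named above (7.19.22, 8.5.9 and 8.9.1). It assumes the flaw is present from 5.2 onward, that the 7.19.x and 8.5.x trains are fixed at those point releases, and that every other affected train (7.20 through 8.8) has no patched release of its own and must move to 8.9.1 or a fixed LTS.

```python
from typing import Tuple

# Assumption: flaw introduced in 5.2 (per the advisory quoted in the article).
INTRODUCED = (5, 2, 0)
# Fixed releases listed in the article, keyed by (major, minor) train.
FIXED_BY_TRAIN = {
    (7, 19): (7, 19, 22),
    (8, 5): (8, 5, 9),
    (8, 9): (8, 9, 1),
}
# Assumption: anything newer than 8.9.1 carries the fix.
LATEST_FIXED = (8, 9, 1)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '8.5.9' or '5.2' into a comparable (major, minor, patch) tuple."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def fmt(v: Tuple[int, int, int]) -> str:
    return ".".join(str(n) for n in v)


def assess(version: str) -> str:
    """Classify a version as not affected, fixed, or vulnerable with advice."""
    v = parse_version(version)
    if v < INTRODUCED:
        return "not affected (predates 5.2)"
    fixed = FIXED_BY_TRAIN.get((v[0], v[1]))
    if fixed is not None:
        # Train has a listed fix: compare the patch level against it.
        if v >= fixed:
            return "fixed"
        return f"vulnerable: upgrade to {fmt(fixed)} or later"
    if v > LATEST_FIXED:
        return "fixed (newer than 8.9.1, assumed to include the fix)"
    # Assumption: trains 7.20 to 8.8 (and 5.x/6.x) have no fix of their own.
    return (f"vulnerable: no fix in this train, upgrade to {fmt(LATEST_FIXED)} "
            "or a fixed LTS (7.19.22 / 8.5.9)")


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("wiki-a", "8.5.8"), ("wiki-b", "8.5.9"), ("wiki-c", "8.7.1")]:
        print(f"{host:8} {ver:8} {assess(ver)}")
```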
“Atlassian recommends that Confluence Server customers upgrade to the latest version,” said Atlassian in the advisory. “If you are unable to do so, upgrade your instance to one of the specified supported fixed versions.”
Additionally, SonicWall has provided two Intrusion Prevention System (IPS) signatures to help customers detect and block exploitation attempts.
“Considering Confluence Server’s pivotal role in maintaining an organization’s knowledge base, users are strongly encouraged to upgrade their instances to the latest versions, as mentioned in the vendor advisory,” SonicWall added.