https://blog.sonicwall.com/en-us/2024/05/confluence-data-center-and-server-remote-code-execution-vulnerability/
CONFLUENCE DATA CENTER AND SERVER REMOTE CODE EXECUTION VULNERABILITY
By Security News, May 30, 2024

OVERVIEW

The SonicWall Capture Labs threat research team became aware of a remote code execution vulnerability in Atlassian Confluence Data Center and Server, assessed its impact and developed mitigation measures. Confluence Server is software for managing documentation and knowledge bases, with a ubiquitous presence across the globe. Identified as CVE-2024-21683, Confluence Data Center and Server before versions 8.9.1 (Data Center only), 8.5.9 LTS and 7.19.22 LTS allow an authenticated threat actor with the privilege of adding new macro languages to execute arbitrary code; the flaw carries a high CVSS score of 8.3. Confluence users are encouraged to upgrade their instances to the latest fixed version, as stated in the vendor advisory.

TECHNICAL OVERVIEW

This vulnerability arises from a flaw in the input validation of the 'Add a new language' function in the 'Configure Code Macro' section. The function lets users upload a new code block macro language definition to customize formatting and syntax highlighting, and expects a JavaScript file written in the custom brush syntax. The file is evaluated by the bundled Rhino JavaScript engine, whose default scope exposes Java classes to the script, so insufficient validation allows an authenticated attacker to embed a call into the Java runtime, such as java.lang.Runtime.getRuntime().exec("touch /tmp/poc"), which is then executed on the server.

TRIGGERING THE VULNERABILITY

Leveraging the vulnerability requires the attacker to meet the following prerequisites:

1.
The attacker must have network access to the target vulnerable system.
2. The attacker must have the privilege to add new macro languages.
3. The forged JavaScript language file containing the malicious Java call must be uploaded via Configure Code Macro > Add a new language.

The following steps walk through the exploitation and the measures taken to address the vulnerability in the updated version. We used Confluence versions 8.5.0 and 8.5.9 in our tests. To begin, the attacker uploads the language file containing the malicious Java call (similar to the one above) on the page shown in Figure 1.

Figure 1: Add a new language page

The payload is sent for evaluation to the 'parseLanguage' method of the 'RhinoLanguageParser' class, found at:

WEB-INF/atlassian-bundled-plugins/com.atlassian.confluence.ext.newcode-macro-plugin-5.0.1.jar!/com/atlassian/confluence/ext/code/languages/impl/RhinoLanguageParser.class

The 'script' variable is formed and the 'evaluateString' method processes the payload, as illustrated in Figure 2.

Figure 2: Payload evaluation by RhinoLanguageParser

Stepping into the function, 'evaluateString' passes control to the 'doTopCall' method of the 'ScriptRuntime' class, as seen in Figure 3. Up to this point the vulnerable and fixed versions behave identically.

Figure 3: Execution of the payload by ScriptRuntime class

The outcome of 'doTopCall' (Figure 3) differs between the two versions. The fixed version (8.5.9) throws a 'RhinoException' inside 'doTopCall', jumps directly to line 92 and terminates the 'evaluateString' method of 'RhinoLanguageParser' before the script body has done anything, as seen in Figure 4. The added checks prevent the uploaded file from using Java references, and the exception message reads 'java is not defined'.
Figure 4: Abruptly terminated execution in fixed version

The vulnerable version (8.5.0), on the other hand, lets 'doTopCall' run to completion, so 'evaluateString' in 'RhinoLanguageParser' executes the script. It also throws an 'InvalidLanguageException' later on, but only after the injected Java call has already executed, as seen in Figure 5.

Figure 5: Malicious code execution in a vulnerable version

Although both the vulnerable and fixed versions display a similar error in the GUI (Figure 6), in the vulnerable version the damage has already been done by the time the error appears; the error message is therefore no indication that the upload was blocked.

Figure 6: Common error on GUI

EXPLOITATION

Exploiting this vulnerability gives a remote threat actor the ability to execute arbitrary code on the server. It has a high impact on the confidentiality, integrity and availability of the system and does not require user interaction. To achieve remote code execution, the forged JavaScript language file with the crafted payload is uploaded, producing the request shown in the top portion of Figure 7. This request creates the file '/tmp/poc' named in the payload, as seen in the bottom portion of Figure 7.

Figure 7: Malformed request (above) and RCE in vulnerable instance (below)

The payload can also be modified to yield a reverse shell, as seen in Figure 8.

Figure 8: Achieving reverse shell

SONICWALL PROTECTIONS

To ensure SonicWall customers are prepared for any exploitation attempt targeting this vulnerability, the following signatures have been released:

* IPS: 4437 Atlassian Confluence Data Center and Server RCE
* IPS: 4438 Atlassian Confluence Data Center and Server RCE 2

REMEDIATION RECOMMENDATIONS

Considering Confluence Server's pivotal role in maintaining an organization's knowledge base, users are strongly encouraged to upgrade their instances to the fixed versions named in the vendor advisory (8.9.1, 8.5.9 LTS or 7.19.22 LTS). Because exploitation requires the privilege to add macro languages, also review which accounts hold that privilege and audit any languages recently added under Configure Code Macro.
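The difference between the two evaluation paths described above, as an added example that is not code from Confluence, Atlassian or SonicWall: a Java stand-in for a Rhino-based brush parser in which the only difference between the vulnerable and hardened variants is how the script scope is set up. The SyntaxHighlighter prelude, the two sample brush files and the probe expression are constructed for the example; it assumes Rhino (org.mozilla:rhino, 1.7.14 assumed) on the classpath and does not claim to reproduce the actual check Atlassian added. A harmless System.getProperty call stands in for the Runtime.exec payload on the page; the reach into the JVM is the same.

```java
import org.mozilla.javascript.ClassShutter;
import org.mozilla.javascript.Context;
import org.mozilla.javascript.RhinoException;
import org.mozilla.javascript.ScriptableObject;

// Added example, not Confluence/SonicWall code. Demonstrates why evaluating an
// uploaded "brush" file with Rhino's default scope hands the script the JVM,
// and how a sandboxed scope turns the same upload into a ReferenceError.
public class BrushEvalDemo {
    // Constructed sample: a minimal SyntaxHighlighter-style brush definition.
    static final String BENIGN_BRUSH =
        "SyntaxHighlighter.brushes.Demo = function() {\n"
      + "  this.regexList = [{ regex: /\\b(if|else)\\b/g, css: 'keyword' }];\n"
      + "};";

    // Constructed sample: the same brush with a Java-bridge call appended.
    // java.lang.System.getProperty stands in for Runtime.getRuntime().exec(...).
    static final String HOSTILE_BRUSH = BENIGN_BRUSH
      + "\nvar leak = java.lang.System.getProperty('java.version');";

    // Assumed prelude: the brush script needs a SyntaxHighlighter object to hang
    // its brush on (hypothetical; the real parser's prelude is not on the page).
    static final String PRELUDE = "var SyntaxHighlighter = { brushes: {} };";

    // Probe run after the brush: which brushes were registered, and whether the
    // script managed to pull a value out of the JVM.
    static final String PROBE =
        "Object.keys(SyntaxHighlighter.brushes).join(',')"
      + " + (typeof leak === 'undefined' ? '' : ' leak=' + leak)";

    /** Vulnerable pattern: initStandardObjects() installs the LiveConnect
     *  bridge (top-level java, javax, Packages, ...), so any script can reach
     *  arbitrary JVM classes, Runtime included. */
    static String evalUnsafe(String brushJs) {
        Context cx = Context.enter();
        try {
            ScriptableObject scope = cx.initStandardObjects();
            return run(cx, scope, brushJs);
        } finally {
            Context.exit();
        }
    }

    /** Hardened pattern: initSafeStandardObjects() leaves the Java bridge out,
     *  so the first reference to 'java' fails with a ReferenceError. A deny-all
     *  ClassShutter backs that up in case a Java object ever reaches the script
     *  through some host object. */
    static String evalHardened(String brushJs) {
        Context cx = Context.enter();
        try {
            cx.setClassShutter(new ClassShutter() {
                @Override
                public boolean visibleToScripts(String fullClassName) {
                    return false;
                }
            });
            ScriptableObject scope = cx.initSafeStandardObjects();
            return run(cx, scope, brushJs);
        } finally {
            Context.exit();
        }
    }

    private static String run(Context cx, ScriptableObject scope, String brushJs) {
        cx.evaluateString(scope, PRELUDE, "prelude.js", 1, null);
        cx.evaluateString(scope, brushJs, "brush.js", 1, null);
        return Context.toString(cx.evaluateString(scope, PROBE, "probe.js", 1, null));
    }

    public static void main(String[] args) {
        String[][] cases = { { "benign", BENIGN_BRUSH }, { "hostile", HOSTILE_BRUSH } };
        for (String[] c : cases) {
            try {
                System.out.println("unsafe   " + c[0] + ": " + evalUnsafe(c[1]));
            } catch (RhinoException e) {
                System.out.println("unsafe   " + c[0] + ": rejected: " + e.getMessage());
            }
            try {
                System.out.println("hardened " + c[0] + ": " + evalHardened(c[1]));
            } catch (RhinoException e) {
                System.out.println("hardened " + c[0] + ": rejected: " + e.getMessage());
            }
        }
    }
}
```

Compile and run with the Rhino jar on the classpath. Both evaluators accept the benign brush and register 'Demo'. The unsafe evaluator also accepts the hostile brush and reports the value it pulled from the JVM, which is the situation on the vulnerable 8.5.0 path above, where the Java call runs before the later InvalidLanguageException. The hardened evaluator rejects the hostile brush with a ReferenceError stating that java is not defined, the same message the fixed version surfaces. Removing the bridge from the scope is the robust control; pattern-matching the upload for strings such as java.lang.Runtime (the detective approach an IPS signature takes) is worth having but is bypassable by a script that assembles the property name at runtime.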
RELEVANT LINKS

* Vendor advisory
* POC on github
* Blog by @realalphaman_

Security News: The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat Network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.