URL: https://blog.sonicwall.com/en-us/2024/05/confluence-data-center-and-server-remote-code-execution-vulnerability/

CONFLUENCE DATA CENTER AND SERVER REMOTE CODE EXECUTION VULNERABILITY




By Security News
May 30, 2024


OVERVIEW

The SonicWall Capture Labs threat research team became aware of a remote code
execution vulnerability in Atlassian Confluence Data Center and Server,
assessed its impact and developed mitigation measures. Confluence Server is
software for managing documentation and knowledge bases, with a ubiquitous
presence across the globe. Identified as CVE-2024-21683, Confluence Data Center
and Server versions before 8.9.1 (Data Center only), 8.5.9 LTS and 7.19.22 LTS
allow an authenticated threat actor with the privilege of adding new macro
languages to execute arbitrary code, earning a high CVSS score of 8.3.
Confluence users are encouraged to upgrade their instances to the latest fixed
version, as mentioned by the vendor in the advisory.


TECHNICAL OVERVIEW

This vulnerability arises from a flaw in the input validation of the
‘Add a new language’ function in the ‘Configure Code Macro’ section. This
function allows users to upload a new code block macro language definition to
customize formatting and syntax highlighting. It expects the uploaded
JavaScript file to follow the custom brush syntax. Because the file is
evaluated without sufficient validation, an authenticated attacker can embed
Java code in it, such as java.lang.Runtime.getRuntime().exec("touch /tmp/poc"),
and that code will be executed on the server.


TRIGGERING THE VULNERABILITY

Leveraging the vulnerability mentioned above requires the attacker to meet the
following prerequisites:

 1. The attacker must have network access to the target vulnerable system.
 2. The attacker must have the privilege to add new macro languages.
 3. The forged JavaScript language file containing malicious Java code must be
    uploaded via Configure Code Macro > Add a new language.

The following steps will walk through the process of exploitation and the
measures taken to address the vulnerability in the updated version. We used
Confluence versions 8.5.0 and 8.5.9 in our tests.

To begin with, the attacker uploads the language file containing malicious Java
code (similar to the one mentioned above) on the page seen in Figure 1.



Figure 1: Add a new language page

The payload will be sent for evaluation to the ‘parseLanguage’ method of the
‘RhinoLanguageParser’ class, which can be found at the below location:

WEB-INF/atlassian-bundled-plugins/com.atlassian.confluence.ext.newcode-macro-plugin-5.0.1.jar!/com/atlassian/confluence/ext/code/languages/impl/RhinoLanguageParser.class

The ‘script’ variable will be formed and the ‘evaluateString’ method will
process the payload, as illustrated in Figure 2.



Figure 2: Payload evaluation by RhinoLanguageParser

If we step into the function, the ‘evaluateString’ method passes control on to
the ‘doTopCall’ method of the ‘ScriptRuntime’ class, as seen in Figure 3. Up to
this point, the behavior of the vulnerable and fixed versions is identical.



Figure 3: Execution of the payload by ScriptRuntime class

The result of executing the ‘doTopCall’ method (shown in Figure 3) differs
between the vulnerable and fixed versions. In the fixed version (8.5.9),
‘doTopCall’ throws a ‘RhinoException’; control jumps directly to line 92 and
the ‘evaluateString’ method of the ‘RhinoLanguageParser’ class terminates
abruptly, as seen in Figure 4. Thanks to enhanced checks, Java references in
the uploaded file are rejected, and the exception message reads ‘java is not
defined’.



Figure 4: Abruptly terminated execution in fixed version
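The ‘java is not defined’ message above is what a script sees when Rhino's Java bridge (LiveConnect) is absent from its scope. The following is an added example, not Confluence's, Atlassian's or SonicWall's code, that shows the two evaluation patterns side by side: the default standard objects, which expose ‘java’ and ‘Packages’ to any uploaded brush file, and a sandboxed evaluator that omits the bridge, hides every Java class behind a deny-all ClassShutter, and bounds run time. It assumes Rhino 1.7.7 or later (org.mozilla.javascript); the brush content is constructed, and the probe only reads ‘typeof java’ to show whether the bridge is reachable. How Confluence's own fix is implemented is not known from this post, so this is a general mitigation pattern, not a reproduction of the vendor patch.

```java
import org.mozilla.javascript.Context;
import org.mozilla.javascript.ContextFactory;
import org.mozilla.javascript.RhinoException;
import org.mozilla.javascript.ScriptableObject;

/** Added example: evaluating user-supplied SyntaxHighlighter brush definitions safely. */
public class BrushEvaluator {

    // Constructed sample of a benign brush file: a brush with a handful of keywords.
    static final String BENIGN_BRUSH =
        "var keywords = 'select insert update delete';\n" +
        "var brush = { name: 'mysql', keywords: keywords };\n" +
        "brush.name;";

    // Constructed probe: reports whether the LiveConnect bridge is visible to the script.
    static final String BRIDGE_PROBE = "typeof java;";

    /** UNSAFE: initStandardObjects() installs 'java' and 'Packages', so every class on
     *  the application classpath is reachable from the uploaded file. */
    public static Object evaluateUnsandboxed(String script) {
        Context cx = Context.enter();
        try {
            ScriptableObject scope = cx.initStandardObjects();
            return cx.evaluateString(scope, script, "brush.js", 1, null);
        } finally {
            Context.exit();
        }
    }

    /** SANDBOXED: no Java bridge in scope, every class hidden, bounded run time. */
    public static Object evaluateSandboxed(String script) {
        ContextFactory factory = new ContextFactory() {
            @Override
            protected void observeInstructionCount(Context cx, int instructionCount) {
                long started = (Long) cx.getThreadLocal("started");
                if (System.currentTimeMillis() - started > 2000) {
                    // Throwing from the observer aborts the script (Rhino's documented pattern).
                    throw new Error("brush evaluation exceeded its time budget");
                }
            }
        };
        Context cx = factory.enterContext();
        try {
            cx.putThreadLocal("started", System.currentTimeMillis());
            cx.setInstructionObserverThreshold(10_000);
            // Deny reflective access to every Java class, even if a bridge were present.
            cx.setClassShutter(fullClassName -> false);
            // initSafeStandardObjects() omits 'java', 'Packages' and getClass(): the script
            // sees only core ECMAScript objects, so 'java' is simply an undefined name.
            ScriptableObject scope = cx.initSafeStandardObjects();
            return cx.evaluateString(scope, script, "brush.js", 1, null);
        } finally {
            Context.exit();
        }
    }

    /** Runs the benign brush and the probe through both evaluators and reports the outcome. */
    public static void main(String[] args) {
        System.out.println("unsandboxed brush name : " + Context.toString(evaluateUnsandboxed(BENIGN_BRUSH)));
        System.out.println("sandboxed brush name   : " + Context.toString(evaluateSandboxed(BENIGN_BRUSH)));
        // Expected: "object" from the unsandboxed scope, "undefined" from the sandboxed one.
        System.out.println("unsandboxed typeof java: " + Context.toString(evaluateUnsandboxed(BRIDGE_PROBE)));
        System.out.println("sandboxed typeof java  : " + Context.toString(evaluateSandboxed(BRIDGE_PROBE)));
        try {
            // A file that dereferences the bridge fails before any Java code can run.
            evaluateSandboxed("java.lang.System.getProperty('user.dir');");
        } catch (RhinoException e) {
            System.out.println("sandboxed rejection    : " + e.getMessage());
        }
    }
}
```

The design point is that the scope never contains the bridge at all; the ClassShutter is defence in depth rather than the primary control, and the instruction observer keeps a malformed brush from pinning a worker thread. A denylist scan of the uploaded text for strings such as ‘java.’ or ‘Packages.’ is not a substitute, since Rhino can reach the same classes through other expressions, which is why the rejection has to happen in the evaluator itself.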

On the other hand, the vulnerable version (8.5.0) lets ‘doTopCall’ complete and
hence lets the ‘evaluateString’ method of the ‘RhinoLanguageParser’ class run
to the end. It also throws an ‘InvalidLanguageException’ later on, but only
after the injected Java code has already executed, as seen in Figure 5.



Figure 5: Malicious code execution in a vulnerable version

Although both the vulnerable and fixed versions of the Confluence server display
similar errors on the GUI, as seen in Figure 6, the damage has already been done
in the vulnerable version.



Figure 6: Common error on GUI


EXPLOITATION

Exploitation of this vulnerability gives the remote threat actor the ability to
execute arbitrary code on the server. It has a high impact on the
confidentiality, integrity and availability of the system and does not require
user interaction.

To achieve the remote code execution, the forged JavaScript language file with
crafted payload needs to be uploaded, which will form a request as seen in the
top portion of Figure 7. This request will generate a file ‘/tmp/poc’ as
mentioned in the payload, as seen in the bottom portion of Figure 7.





Figure 7: Malformed request (above) and RCE in vulnerable instance (below)

Additionally, the payload can be modified to yield a reverse shell as seen in
Figure 8.



Figure 8: Achieving reverse shell


SONICWALL PROTECTIONS

To ensure SonicWall customers are prepared for any exploitation that may occur
due to this vulnerability, the following signatures have been released:

 * IPS: 4437 Atlassian Confluence Data Center and Server RCE
 * IPS: 4438 Atlassian Confluence Data Center and Server RCE 2


REMEDIATION RECOMMENDATIONS

Considering Confluence Server’s pivotal role in maintaining an organization’s
knowledge base, users are strongly encouraged to upgrade their instances to the
latest versions, as mentioned in the vendor advisory.


RELEVANT LINKS

 * Vendor advisory
 * POC on github
 * Blog by @realalphaman_

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets
cross-vector threat information from the SonicWall Capture Threat network,
consisting of global devices and resources, including more than 1 million
security sensors in nearly 200 countries and territories. The research team
identifies, analyzes, and mitigates critical vulnerabilities and malware daily
through in-depth research, which drives protection for all SonicWall customers.
In addition to safeguarding networks globally, the research team supports the
larger threat intelligence community by releasing weekly deep technical analyses
of the most critical threats to small businesses, providing critical knowledge
that defenders need to protect their networks.
Categories: Threat intelligence
Tags: Confluence Data Center and Server Remote Code Execution, Confluence Server
RCE, CVE-2024-21683, RCE (Remote Code Execution) in Confluence Data Center and
Server, Security News
