Critical CVEs in Outdated Versions of Atlassian Confluence and VMware vCenter Server

Rapid7 is highlighting two critical vulnerabilities in outdated versions of widely deployed software this week. Atlassian disclosed CVE-2023-22527, a template injection vulnerability in Confluence Server with a maxed-out CVSS score of 10, while VMware pushed a fresh update to its October 2023 vCenter Server advisory on CVE-2023-34048 to note that the vulnerability has now been exploited in the wild. As of January 21, CVE-2023-22527 is also being exploited in the wild.

VMware and Atlassian technologies are mainstays in many corporate environments, and they have historically been targeted by a wide range of adversaries, including in large-scale ransomware campaigns. Rapid7 urges customers to ensure that they are using **supported,**fixed versions of vCenter Server and Confluence Server in their environments, and that, wherever possible, they are adhering to a high-urgency patching schedule for these products.

VMware vCenter Server CVE-2023-34048

CVE-2023-34048 is a critical out-of-bounds write vulnerability that affects VMware vCenter Server and VMware Cloud Foundation. The vulnerability arises from an out-of-bounds write flaw in vCenter’s implementation of DCERPC, which, if exploited successfully, could lead to remote code execution. It was originally disclosed in October 2023 alongside fixed versions, including for several end-of-life products. Earlier this week, VMware updated their advisory to note that exploitation of CVE-2023-34048 has been observed in the wild. Fixed versions of vCenter Server that remediate CVE-2023-34048 have been available since October 2023.

Per VMware’s advisory, all versions of vCenter Server are vulnerable to CVE-2023-34048 except the followingfixed versions (or later):

• 8.0U2
• 8.0U1d
• 7.0U3o

Customers should update on an emergency basis if they have not done so before now. Patches are also available for the following end-of-life versions of vCenter Server: 6.7U3, 6.5U3, and VCF 3.x. VMware has information on applying individual product updates to Cloud Foundation environments here.

For more information, see VMware’s original advisory and FAQ. A list of vCenter Server versions and builds is available here.

Atlassian Confluence Server and Data Center CVE-2023-22527

CVE-2023-22527 is a critical template injection vulnerability in Atlassian Confluence that allows for unauthenticated remote code execution when exploited successfully in vulnerable target environments. As of January 22, multiple sources are reporting exploitation of this vulnerability. Rapid7 Labs has also observed attempted exploitation in both honeypot and production environments.

Affected versions from Atlassian’s advisory:

• 8.0.x
• 8.1.x
• 8.2.x
• 8.3.x
• 8.4.x
• 8.5.0-8.5.3

The most recent supported versionsof Confluence Server (as of January 16, 2024) are not affected. Fixed versions for Confluence Server are 8.5.4 and 8.5.5, both of which are on long-term support. For Confluence Data Center, fixed versions are 8.6.0, 8.7.1, and 8.7.2, all of which apply to Confluence Data Center only.

**We strongly recommend that Atlassian Confluence customers update to the latest version in their product’s version stream.**Customers should refer to the vendor advisory as the source of truth on affected products and fixed versions.

Rapid7 customers

Vulnerability checks for CVE-2023-34048 have been available to InsightVM and Nexpose customers since October 27, 2023. Vulnerability checks for CVE-2023-22527 have been available to InsightVM and Nexpose customers since January 17, 2024.

A Velociraptor artifact to hunt for evidence of Confluence CVE-2023-22527 exploitation is available here.

Updates

**January 22, 2024:**As of January 22, multiple sources are reporting exploitation of Atlassian Confluence Server and Data Center CVE-2023-22527.

**January 23, 2024:**Noted that Rapid7 Labs has observed attempted exploitation of Atlassian Confluence CVE-2023-22527 in both honeypot and production environments.

**January 26, 2024:**Added Velociraptor artifact for detecting evidence of Confluence Server exploitation.