Object-Graph Navigation Language (OGNL) is an open-source expression language embedded in many web applications, best known for its role in the infamous Equifax breach through the Apache Struts framework. A new critical flaw in Atlassian Confluence, CVE-2023-22527, again exposes OGNL evaluation to abuse. The vulnerability has a Common Vulnerability Scoring System (CVSS) score of 10 and enables remote code execution (RCE).

The vulnerability's CVSS vector is: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.

The flaw is a template injection vulnerability in older versions of Confluence Data Center and Server that lets an unauthenticated attacker achieve RCE on the affected instance. The non-profit security organization Shadowserver reported in a Twitter post that over 600 IP addresses were observed initiating thousands of attempts to exploit CVE-2023-22527.

The more recent supported version of Confluence Data Center and Server, 8.5.4, already addressed this vulnerability as part of routine version updates. Additionally, the newly released version 8.5.5 provides complete mitigation. Users are strongly encouraged to update to the latest version.

Affected versions

As per the vendor’s advisory, the CVE-2023-22527 vulnerability affects the following versions of Confluence Data Center and Server:

Product: Confluence Data Center and Server

Affected versions:
  • 8.0.x
  • 8.1.x
  • 8.2.x
  • 8.3.x
  • 8.4.x
  • 8.5.0 – 8.5.3

There are no known workarounds. To remediate this vulnerability, update each affected product installation to the following fixed versions:

  • Confluence Data Center and Server – 8.5.4 (LTS)
  • Confluence Data Center (Data Center only) – 8.6.0 or later, and 8.7.1 or later

Technical breakdown

OGNL is an expression language evaluated inside server-side templates, and web applications frequently use these templates to embed dynamic content in web pages and emails. Different template engines — for example, FreeMarker, Velocity, or Thymeleaf — are used to render these templates.

Template injection occurs when user-supplied input is handled improperly because it is not sufficiently sanitized. In Confluence, certain template files have been found to accept request parameters and pass them to potentially dangerous sinks. One of these files, for example, is confluence/template/xhtml/pagelist.vm, which contains #set ($pageList = $stack.findValue("$parameters.pages")), as shown in Figure 1.
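As an added illustration for auditors (this is not Atlassian's code and is not part of the advisory), the following Python script scans Velocity templates for the parameter-to-sink pattern described above: a $stack.findValue(...) call whose argument is built from $parameters. The sample template is constructed, and the file and function names are assumptions.

```python
"""Audit Velocity (.vm) templates for request parameters flowing into an OGNL sink.

Added example; not Atlassian's code. Flags $stack.findValue(...) calls whose
argument references $parameters, i.e. request-controlled input reaching OGNL.
"""
import re
from pathlib import Path
from typing import NamedTuple

# Matches $stack.findValue( ... ) and captures the argument text up to the closing ')'.
SINK_CALL = re.compile(r"\$stack\.findValue\(\s*([^)]*)\)")
# Velocity references to request parameters: $parameters.pages or ${parameters.pages}
PARAM_REF = re.compile(r"\$\{?parameters\b")


class Finding(NamedTuple):
    path: str
    line_no: int
    argument: str


def scan_template_text(text: str, path: str = "<inline>") -> list[Finding]:
    """Return every findValue() call in `text` whose argument references $parameters."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in SINK_CALL.finditer(line):
            argument = match.group(1).strip()
            if PARAM_REF.search(argument):
                findings.append(Finding(path, line_no, argument))
    return findings


def scan_directory(root: Path) -> list[Finding]:
    """Walk a template tree (e.g. an unpacked Confluence install) and scan each .vm file."""
    findings = []
    for vm_file in sorted(root.rglob("*.vm")):
        findings.extend(scan_template_text(vm_file.read_text(errors="replace"), str(vm_file)))
    return findings


# Constructed sample: line 3 mirrors the pagelist.vm sink quoted in the advisory above.
SAMPLE_TEMPLATE = """\
## constructed template for illustration
#set ($title = $stack.findValue("content.title"))
#set ($pageList = $stack.findValue("$parameters.pages"))
#set ($limit = $parameters.limit)
#set ($items = $stack.findValue("${parameters.sort}"))
"""

if __name__ == "__main__":
    for f in scan_template_text(SAMPLE_TEMPLATE, "pagelist.vm"):
        print(f"{f.path}:{f.line_no}: $parameters reaches findValue({f.argument})")
```

Only lines 3 and 5 of the sample are reported: a findValue() call with a constant argument and a parameter read that never reaches the sink are both left alone.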
