Confluence Data Center and Server Remote Code Execution Vulnerability

A remote code execution vulnerability (CVE-2024-21683) in Atlassian Confluence Data Center and Server allows an authenticated attacker with macro-language privileges to run arbitrary Java code on the server. SonicWall Capture Labs details the exploitation flow, impact, protections, and remediation, urging upgrades to fixed versions. #CVE-2024-21683 #ConfluenceDataCenter #ConfluenceServer #RhinoLanguageParser #Atlassian

Keypoints

  • The vulnerability affects Confluence Data Center and Server versions prior to fixed releases (8.9.1 for data center, 8.5.9 LTS, and 7.19.22 LTS) and requires an authenticated attacker with the privilege to add new macro languages.
  • Root cause is a flaw in input validation within the “Add a new language” function of the “Configure Code Macro” section, allowing malicious code to be uploaded and executed.
  • Attack flow begins with uploading a forged language file containing malicious Java code via Configure Code Macro > Add a new language.
  • The payload is processed by RhinoLanguageParser.parseLanguage and evaluated by the ScriptRuntime, enabling the attacker to run Java code on the server.
  • The vulnerability yields remote code execution with high impact on confidentiality, integrity, and availability, and does not require user interaction.
  • Fixed versions (e.g., 8.5.9) implement enhanced checks and block Java references in uploaded files, preventing exploitation.
  • SonicWall provides IPS signatures to detect and block this activity and recommends upgrading to latest versions per the advisory.
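The keypoints above describe the root cause (an uploaded language file that reaches RhinoLanguageParser.parseLanguage unchecked) and the fix (blocking Java references in uploaded files). The following is an added example, not SonicWall's or Atlassian's code, of the kind of pre-evaluation check a defender can apply to a Rhino/JavaScript language definition before it is handed to a script engine: scan the source for the identifiers Rhino's LiveConnect bridge uses to reach the host JVM and fail closed when any appear. The pattern list, the sample language files and the function names are all constructed for this example; the sample payload line is the one quoted in the advisory summary.

```python
import re

# Identifiers through which Rhino script code can reach into the host JVM.
# A code-macro language definition only needs regexes and CSS class names,
# so none of these belong in a legitimate upload. Constructed for this example;
# this is not the check Atlassian shipped in the fixed versions.
JAVA_BRIDGE_PATTERNS = [
    r"\bPackages\b",          # Packages.java.lang...
    r"\bjava\.",              # java.lang.Runtime, java.io.File, ...
    r"\bjavax\.",
    r"\bimportClass\s*\(",    # Rhino helpers that import JVM classes
    r"\bimportPackage\s*\(",
    r"\bJavaAdapter\b",
    r"\bJavaImporter\b",
    r"\.getClass\s*\(",       # reflective escape from any wrapped object
]
_COMPILED = [re.compile(p) for p in JAVA_BRIDGE_PATTERNS]


def find_java_references(source: str) -> list[tuple[int, str]]:
    """Return (line_number, matched_text) for every Java-bridge reference.

    Comments and string literals are scanned too: a hit there is a false
    positive we accept, because the check should fail closed.
    """
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for pattern in _COMPILED:
            for match in pattern.finditer(line):
                hits.append((line_no, match.group(0)))
    return hits


def is_safe_language_file(source: str) -> bool:
    """True only when no Java-bridge reference is present."""
    return not find_java_references(source)


def validate_upload(filename: str, source: str) -> dict:
    """Decision record a request filter or audit log could emit."""
    hits = find_java_references(source)
    return {
        "file": filename,
        "accepted": not hits,
        "reasons": [f"line {n}: {text}" for n, text in hits],
    }


# Constructed sample: a harmless brush-style language definition.
BENIGN_LANGUAGE_FILE = """\
// keyword highlighting for a toy query language
var keywords = 'select from where';
this.regexList = [
  { regex: new RegExp(keywords, 'gmi'), css: 'keyword' }
];
"""

# Constructed sample: the same file with the payload line from the advisory.
SUSPECT_LANGUAGE_FILE = """\
var keywords = 'select from where';
java.lang.Runtime.getRuntime().exec("touch /tmp/poc");
"""

if __name__ == "__main__":
    for name, body in [("benign.js", BENIGN_LANGUAGE_FILE),
                       ("suspect.js", SUSPECT_LANGUAGE_FILE)]:
        print(validate_upload(name, body))
```

Because the scan runs on raw text it cannot reason about strings assembled at runtime, so it is a supplementary control and a source of audit events, not a replacement for upgrading to the fixed releases listed above.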

MITRE Techniques

  • [T1190] Exploitation of Public-Facing Application – The vulnerability in Confluence Data Center and Server is exploited to achieve remote code execution on the server. ‘The exploitation of this vulnerability yields the remote threat actor the ability to execute arbitrary code on the server.’
  • [T1059.007] Java – The attacker supplies a forged JavaScript language file containing malicious Java code that is uploaded and executed on the server via RhinoLanguageParser. ‘The forged JavaScript language file containing malicious Java code needs to be uploaded to the Configure Code Macro > Add a new language’ and `java.lang.Runtime.getRuntime().exec("touch /tmp/poc")` are used to run code on the server.

Indicators of Compromise

  • [File] /tmp/poc – Created as a result of the payload execution on the server.
  • [URL] https://d3ik27cqx8s5ub.cloudfront.net/blog/media/uploads/1.add_language-1030×502.png – Asset URL referenced during the exploit flow (Figure 1).
  • [URL] https://d3ik27cqx8s5ub.cloudfront.net/blog/media/uploads/2.payload_eval-1-1030×719.png – Asset URL related to payload evaluation (Figure 2).
  • [URL] https://confluence.atlassian.com/security/security-bulletin-may-21-2024-1387867145.html – Advisory URL linked in the article.

Read more: https://blog.sonicwall.com/en-us/2024/05/confluence-data-center-and-server-remote-code-execution-vulnerability/