Atlassian Warns of Critical RCE Vulnerability in Outdated Confluence Instances

January 17, 2024 at 10:30AM

Atlassian warns of a critical vulnerability in out-of-date Confluence Data Center and Server versions that allows remote code execution (RCE) without authentication, tracked as CVE-2023-22527 (CVSS score of 10). This template injection flaw impacts Confluence 8 versions released before Dec. 5, 2023. Atlassian advises immediate patching and recommends updating to the latest Confluence versions.

Key takeaways from the advisory:

1. Atlassian has warned of a critical vulnerability in out-of-date Confluence Data Center and Server versions that could be exploited for remote code execution (RCE) without authentication, tracked as CVE-2023-22527 with a CVSS score of 10.

2. The vulnerability is a template injection flaw that has been mitigated in supported versions of Confluence during regular updates.

3. Customers using an affected version, particularly Confluence 8 versions released before Dec. 5, 2023, and Confluence version 8.4.5, are advised to take immediate action and patch each affected installation to the latest available version.

4. There are no workarounds available for this bug, and even Confluence instances not directly accessible from the internet might be at risk.

5. It is urged that customers update to the latest Confluence versions (8.5.5 LTS and 8.7.2), as the patches will also be backported to all LTS versions that have not reached end-of-life.

6. The latest Confluence versions also contain fixes for other high-severity vulnerabilities, including RCE bugs and a denial-of-service (DoS) flaw in a third-party component. Atlassian recommends patching instances to the latest version to fix all vulnerabilities in the January 2024 security bulletin.

7. Atlassian makes no mention of these vulnerabilities being exploited in the wild but notes that Confluence flaws are often targeted by threat actors.

These takeaways highlight the urgent need for action on the part of customers to address the critical vulnerabilities and apply necessary patches to their Confluence instances.