Critical CVEs in Outdated Versions of Atlassian Confluence and VMware vCenter Server

This week, Rapid7 draws attention to two significant vulnerabilities in outdated versions of widely used software. Atlassian has disclosed CVE-2023-22527, a template injection vulnerability in Confluence Server and Data Center that carries a CVSS score of 10, the highest possible. Meanwhile, VMware has updated its October 2023 vCenter Server advisory for CVE-2023-34048 to note that the vulnerability has been exploited in the wild. As of January 21, CVE-2023-22527 is also being exploited in the wild.

Many companies use VMware and Atlassian technologies, which have previously been targeted by various adversaries, including large-scale ransomware attacks. Rapid7 is urging customers to ensure that they are using supported, fixed versions of vCenter Server and Confluence Server in their environments. They should also follow a high-urgency patching schedule for these products whenever possible.

VMware vCenter Server CVE-2023-34048

A critical out-of-bounds write vulnerability, CVE-2023-34048, has been identified in VMware vCenter Server and VMware Cloud Foundation. The flaw lies in vCenter's implementation of DCERPC, and successful exploitation could result in remote code execution. The vulnerability was first disclosed in October 2023, when VMware released fixed versions of supported products and, unusually, patches for several end-of-life versions. VMware has since updated its advisory to report that CVE-2023-34048 has been exploited in the wild.

Per VMware's advisory, all versions of vCenter Server are vulnerable to CVE-2023-34048 except the following fixed versions (or later): 8.0U2, 8.0U1d, and 7.0U3o. Customers who have not already done so should update immediately. Patches are also available for the following end-of-life versions: vCenter Server 6.7U3, 6.5U3, and VCF 3.x. VMware has published guidance on applying individual product updates to Cloud Foundation environments.

For more information on CVE-2023-34048, refer to VMware's original advisory and FAQ. VMware also publishes a list of vCenter Server versions and build numbers, which is the authoritative way to confirm that a given appliance is running a fixed build.

Atlassian Confluence Server and Data Center CVE-2023-22527

CVE-2023-22527 is a critical template injection vulnerability in Atlassian Confluence Server and Data Center that can lead to unauthenticated remote code execution in vulnerable environments. As of January 22, multiple sources have reported successfully exploiting the vulnerability, and Rapid7 Labs has observed attempted exploitation in both honeypot and production environments.

The affected versions of Atlassian Confluence, as per Atlassian's advisory, are as follows: 

8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, and 8.5.0-8.5.3. 

As of January 16, 2024, the most recent supported versions of Confluence are not affected. The fixed versions for Confluence Server are 8.5.4 and 8.5.5, both long-term support releases. For Confluence Data Center only, 8.6.0, 8.7.1, and 8.7.2 are also fixed.

We strongly advise all Atlassian Confluence customers to update to the latest version in their product's version stream. Please refer to the vendor advisory for the most recent information on affected products and fixed versions. 
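As an added example (not Rapid7's, VMware's, or Atlassian's own code), the following Python script maps an inventory of version strings onto the affected and fixed ranges quoted above for both products, so that the "or later" comparison is done by tuple ordering rather than by eye. The inventory is constructed for this example; the status labels, the vCenter version regex, the helper names, and the treatment of pre-8.0 Confluence streams and 6.x vCenter lines as "confirm with the vendor" cases are this example's assumptions. A result of "not listed as affected" is not a clean bill of health: reconcile it with the vendor advisory, and for vCenter check the build number, since an end-of-life patch does not change the "U3" part of the version string.

```python
"""Triage vCenter Server and Confluence version strings against the ranges quoted above.

Added example; the inventory below is constructed, not observed data.
"""
import re

# ---- Confluence Server / Data Center, CVE-2023-22527 ----------------------
# Affected (per the advisory text above): 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, 8.5.0-8.5.3.
# Fixed: 8.5.4 / 8.5.5 (LTS); 8.6.0, 8.7.1, 8.7.2 (Data Center only).

def parse_confluence(version: str) -> tuple:
    """'8.5.3' -> (8, 5, 3); a missing patch component counts as 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Confluence version {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def confluence_status(version: str) -> str:
    major, minor, patch = parse_confluence(version)
    if major == 8 and minor <= 4:
        return "affected"
    if (major, minor) == (8, 5) and patch <= 3:
        return "affected"
    if major < 8:
        # Assumption: pre-8.0 streams are simply absent from the affected list;
        # confirm their support status with Atlassian instead of treating them as safe.
        return "pre-8.0: not listed, confirm support status"
    return "not listed as affected"


# ---- vCenter Server, CVE-2023-34048 ---------------------------------------
# Fixed (or later): 8.0U2, 8.0U1d, 7.0U3o. EOL lines 6.7U3 and 6.5U3 received patches.
# A version is modelled as (major, minor, update, letter); 'U1d' > 'U1' > no update.
VCENTER_RE = re.compile(r"(\d+)\.(\d+)(?:\s*U(\d+)([a-z])?)?", re.IGNORECASE)
VCENTER_FIXED = {(7, 0): (7, 0, 3, "o"), (8, 0): (8, 0, 1, "d")}  # 8.0U2 also satisfies >= 8.0U1d
VCENTER_EOL_PATCHED = {(6, 5), (6, 7)}


def parse_vcenter(version: str) -> tuple:
    """'7.0U3o' -> (7, 0, 3, 'o'); '8.0U2' -> (8, 0, 2, ''); '7.0' -> (7, 0, 0, '')."""
    m = VCENTER_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised vCenter version {version!r}")
    major, minor, update, letter = m.groups()
    return int(major), int(minor), int(update or 0), (letter or "").lower()


def vcenter_status(version: str) -> str:
    v = parse_vcenter(version)
    line = v[:2]
    if line in VCENTER_FIXED:
        return "fixed" if v >= VCENTER_FIXED[line] else "affected"
    if line in VCENTER_EOL_PATCHED:
        # The patched 6.xU3 build carries the same 'U3' string as the unpatched one,
        # so the version alone cannot prove the patch is applied.
        if v[2] >= 3:
            return "end-of-life: U3 patch available, verify build number"
        return "end-of-life: affected, move to the patched U3 build"
    return "end-of-life: no patch listed, affected"


# ---- Inventory triage -----------------------------------------------------
STATUS_FUNCS = {"vcenter": vcenter_status, "confluence": confluence_status}


def triage(inventory):
    """inventory: iterable of (host, product, version). Returns {host: status}."""
    return {host: STATUS_FUNCS[product](version) for host, product, version in inventory}


# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = [
    ("vcsa-01", "vcenter", "8.0U1c"),
    ("vcsa-02", "vcenter", "8.0U2"),
    ("vcsa-03", "vcenter", "7.0U3n"),
    ("vcsa-legacy", "vcenter", "6.7U3"),
    ("wiki-01", "confluence", "8.5.3"),
    ("wiki-02", "confluence", "8.5.4"),
    ("wiki-dc", "confluence", "8.7.1"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

The vCenter comparison works because the update letter sorts after the empty string, so 8.0U1 falls below 8.0U1d while 8.0U2 sorts above it; feed the script version strings pulled from your CMDB or from the appliance itself rather than from memory.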

Vulnerability checks for CVE-2023-34048 have been available to InsightVM and Nexpose customers since October 27, 2023. Vulnerability checks for CVE-2023-22527 have been available to InsightVM and Nexpose customers since January 17, 2024.

A Velociraptor artifact to hunt for evidence of Confluence CVE-2023-22527 exploitation is available here.

January 22, 2024: As of January 22, multiple sources report exploitation of Atlassian Confluence Server and Data Center CVE-2023-22527.

January 23, 2024: Rapid7 Labs has observed attempted exploitation of Atlassian Confluence CVE-2023-22527 in both honeypot and production environments.

January 26, 2024: Added Velociraptor artifact for detecting evidence of Confluence Server exploitation.
