Product Changelog

Wallarm has added rules for detecting exploitation of a critical Server-Side Template Injection (SSTI) vulnerability in Confluence Data Center and Server (CVE-2023-22527). The vulnerability allows an unauthenticated attacker to inject OGNL expressions into the Confluence instance and, thus, execute arbitrary code in the system. Since the nuclei template for vulnerability detection was published, we have observed multiple scanning attempts in client infrastructure. 

We highly recommend upgrading the Confluence Data Center and Server as soon as possible. If your confluence installation is exposed to the Internet, we highly recommend detaching the system from the Internet as soon as possible and checking the server for malicious Indicators-of-Compromise. 

Wallarm clients can also utilize and configure the platform's Virtual Patch functionality to block the exploitation attempts if nodes are configured in monitoring (not-blocking) mode. 

References:

NVD NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-22527 

Vendor’s Advisory: https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html

Vendor’s FAQ: https://confluence.atlassian.com/kb/faq-for-cve-2023-22527-1332810917.html

Nuclei Template: https://github.com/projectdiscovery/nuclei-templates/pull/8982?ref=blog.projectdiscovery.io