CONFSERVER-88221

RCE (Remote Code Execution) in Confluence Data Center & Server

    • CVSS score: 8.5
    • Severity: High
    • CVE ID: CVE-2023-22508
    • Source: Bug Bounty
    • Reporter: a private user
    • CVSS vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
    • Vulnerability type: RCE (Remote Code Execution)
    • Affected products: Confluence Data Center, Confluence Server

      This High severity RCE (Remote Code Execution) vulnerability, tracked as CVE-2023-22508, was introduced in version 6.1.0 of Confluence Data Center & Server.

      The vulnerability has a CVSS score of 8.5 and allows an authenticated attacker to execute arbitrary code. Per the CVSS vector, it is reachable over the network with high attack complexity and low privileges required, needs no user interaction, changes scope, and has high impact on confidentiality, integrity and availability.

      Atlassian recommends that you upgrade your instance to avoid this bug using the following options:

      • Upgrade to a Confluence feature release greater than or equal to 8.2.0 (ie: 8.2, 8.3, 8.4, etc...)
      • Upgrade to a Confluence 7.19LTS bugfix release greater than or equal to 7.19.8 (ie: 7.19.8, 7.19.9, 7.19.10, 7.19.11, etc...)
      • Upgrade to a Confluence 7.13LTS bugfix release greater than or equal to 7.13.20

      See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Data Center & Server from the download center (https://www.atlassian.com/software/confluence/download-archives).

      If you are unable to upgrade your instance, use the following guide to work around the issue: https://confluence.atlassian.com/confkb/how-to-disable-the-jmx-network-port-for-cve-2023-22508-1267761550.html

      This vulnerability was discovered by a private user and reported via our Bug Bounty program.
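The three upgrade rules above, together with the 6.1.0 lower bound, are easy to misapply; much of the comment thread below is people asking whether 7.13.7, 7.17.4, 7.18.3 or 7.19.6 is affected. The POSIX shell script that follows is an added example, not Atlassian's code or tooling. It encodes the fix data exactly as this issue states it (earliest affected 6.1.0; 7.13 LTS fixed in 7.13.20; 7.19 LTS fixed in 7.19.8; everything else fixed from 8.2.0) as a version classifier. The function names `split_version`, `is_affected` and `fixed_release_for` and the list of sample versions are the example's own.

```shell
#!/bin/sh
# Added example, not Atlassian's code: classify a Confluence Data Center/Server
# version against the fix data recorded in CONFSERVER-88221 (CVE-2023-22508):
#   - earliest affected release: 6.1.0 (per the issue description)
#   - 7.13 LTS: fixed in 7.13.20
#   - 7.19 LTS: fixed in 7.19.8
#   - every other line: fixed from the 8.2.0 feature release
# so 7.14-7.18, 7.20, 8.0 and 8.1 are affected in full.

# Print "major minor patch" for a version string such as 7.19.5 or 8.2
# (missing components become 0). Returns 1 if the string is not dotted digits.
split_version() {
  case "$1" in ''|*[!0-9.]*) return 1 ;; esac
  (
    IFS=.                      # split on dots inside a subshell so IFS is untouched
    set -- $1
    printf '%s %s %s\n' "${1:-0}" "${2:-0}" "${3:-0}"
  )
}

# Exit status 0 = affected, 1 = not affected (unparseable input counts as 1).
is_affected() {
  parts=$(split_version "$1") || return 1
  set -- $parts
  maj=$1; min=$2; pat=$3
  if [ "$maj" -lt 6 ] || { [ "$maj" -eq 6 ] && [ "$min" -lt 1 ]; }; then
    return 1                                   # before 6.1.0: code not present
  elif [ "$maj" -eq 7 ] && [ "$min" -eq 13 ]; then
    if [ "$pat" -lt 20 ]; then return 0; else return 1; fi   # 7.13 LTS backport
  elif [ "$maj" -eq 7 ] && [ "$min" -eq 19 ]; then
    if [ "$pat" -lt 8 ]; then return 0; else return 1; fi    # 7.19 LTS backport
  elif [ "$maj" -lt 8 ] || { [ "$maj" -eq 8 ] && [ "$min" -lt 2 ]; }; then
    return 0                                   # 6.1.0 <= v < 8.2.0, no backport
  else
    return 1                                   # 8.2.0 and later feature releases
  fi
}

# Smallest fixed release on the same branch where a backport exists,
# otherwise the 8.2.0 feature release.
fixed_release_for() {
  parts=$(split_version "$1") || return 1
  set -- $parts
  if [ "$1" -eq 7 ] && [ "$2" -eq 13 ]; then echo 7.13.20
  elif [ "$1" -eq 7 ] && [ "$2" -eq 19 ]; then echo 7.19.8
  else echo 8.2.0
  fi
}

# Demo over versions people asked about in the comments (constructed input).
for v in 6.0.7 7.13.1 7.13.7 7.13.20 7.17.4 7.18.3 7.19.1 7.19.6 7.19.8 7.19.11 7.20.0 8.1.0 8.2 8.4.0; do
  if is_affected "$v"; then
    printf '%-8s affected, upgrade to %s or later\n' "$v" "$(fixed_release_for "$v")"
  else
    printf '%-8s not affected\n' "$v"
  fi
done
```

Note that `fixed_release_for` names the minimum fixed release on the branch, not the one to deploy: as the thread points out, later bugfix releases on the same LTS line (7.19.11, 7.19.12) carry the fix too and close other issues besides.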


            Yannick Bergeron added a comment -

            VamsiKBC: to get the latest 7.19.x, which is currently 7.19.12

            https://confluence.atlassian.com/doc/confluence-7-19-release-notes-1141976784.html

            VamsiKBC added a comment -

            Hi @Yannick

            So you're suggesting we migrate from 7.19.5 to 7.19.11?

            Yannick Bergeron added a comment -

            VamsiKBC: just read the Description, you need to update:

            • Upgrade to a Confluence 7.19LTS bugfix release greater than or equal to 7.19.8 (ie: 7.19.8, 7.19.9, 7.19.10, 7.19.11, etc...)

            VamsiKBC added a comment -

            Hi

            We are currently using version 7.19.5.
            Could you please let me know which version we need to migrate to in order to mitigate CVE-2023-22508?

            Please suggest an LTS or any other version to overcome the vulnerability issues.

            Michael Andreacchio added a comment -

            A fix for this issue is available in Confluence Server and Data Center 7.13.20.
            Upgrade now or check out the Release Notes to see what other issues are resolved.

            Yannick Bergeron added a comment -

            Joe Red: it has been fixed in the 7.19.x line at 7.19.8, so yes, 7.19.11 is fixed and is an LTS (which 8.4 is not)

            Joe Red added a comment - edited

            @yannick, is 7.19.11 vulnerable to the JMX CVE?

            Joe Red added a comment -

            Thank you both!

            @yannick, we plan on updating to 8.4 next week.


            Frank Lambrette (Extern) added a comment -

            Hi Joe,

            regarding https://confluence.atlassian.com/confkb/how-to-disable-the-jmx-network-port-for-cve-2023-22508-1267761550.html, your assumption is correct:

            "If you're running an affected version of Confluence, you're only vulnerable if you currently have a TCP port enabled for JMX, as outlined in Live Monitoring Using the JMX Interface. TCP ports for JMX are not configured by default in Confluence."

            Yannick Bergeron added a comment -

            Joe Red: 7.17.4 is old and unsupported, so prone to other vulnerabilities. I would recommend that you migrate to an LTS such as 7.19.11

            Joe Red added a comment -

            Checking my environment variables on each of my Confluence nodes for version 7.17.4, I don't have any jmxremote values. 

            I'm assuming this means that I am not vulnerable to this finding. Would that be a proper assumption?

            Please advise.


            Yannick Bergeron added a comment -

            Paridhi Jha

            7.13.1 is clearly not fixed. There isn't currently a fix for 7.13.x, but Atlassian support mentioned it should be included in a 7.13.x release soon (August?)

            If you're really running 7.13.1, this is quite an old release with several other security issues. I would update to 7.13.19 and, once a new release fixing this particular issue is available, update to it (either 7.13.20 or 7.13.21, whichever one includes it; it should be one of the last 7.13.x releases as it's going EOL in mid-August)

            Paridhi Jha added a comment -

            Hello,

            Can anyone clearly confirm whether the 7.13.1 Data Center LTS version is fixed, and does the 7.13.1 Data Center LTS version require any patch?

            Roberto Martignano added a comment -

            Hello!

            • If we are using a VPN, are we still vulnerable?
            • What impact could it have to turn JMX off?

            Thank you!

            Roy van den Berg added a comment - edited

            JMX is enabled by default, with no option to fully disable it in the UI. To disable it you would need to add -Dconfluence.jmx.disabled=true to your setenv file and restart Confluence to disable the exporter. The UI does not disable it altogether; there are still exportable metrics left, as it also reports JVM stats over the JMX port.

            See https://confluence.atlassian.com/doc/recognized-system-properties-190430.html for info about the property.

            Aggelos Paraskevopoulos [Relational] added a comment -

            Hi Frank,

            In older versions (pre-8.1 I believe), there is no option to disable JMX from the UI. I think that if you don't have any JVM start-up options to enable remote JMX monitoring (ports, authentication etc.), you shouldn't do anything explicitly to disable it. But it is better to have some guidance from Michael on this.

            Frank Hess added a comment -

            Shouldn't it be sufficient just to disable JMX in the UI? General Configuration > Monitoring > JMX monitoring? This would prevent the need to restart Confluence in the rare cases where the server isn't protected by a reverse proxy/firewall.

            https://confluence.atlassian.com/doc/live-monitoring-using-the-jmx-interface-150274182.html


            Frank Lambrette (Extern) added a comment -

            Hi,

            can anyone confirm that this CVE only affects instances where remote JMX monitoring is enabled? And if so, how can we verify that remote monitoring is disabled? We could not find any clear documentation about the default behaviour of remote JMX monitoring.

            Thanks and best regards.

            Michael Andreacchio added a comment - edited

            Dear Customers,

            Thank you for your patience on this issue. I’m looking to answer some of your questions that have cropped up over the past few days.

            Firstly, we have urgently worked on a fix for the 7.13LTS release series and are targeting 7.13.20 which should be available shortly in early August. 

            Our apologies for having this issue closed, I understand how this isn't very clear. It’s been closed because the vulnerability report was published to the public which is a closed state for this issue type. Please take my assurance that we have merged the fix targeting 7.13.20. We are working internally to improve the process for how “Public Security Vulnerability” issues such as this should work in the future to better avoid a situation such as this.

            For those currently unable to upgrade to a version with a fix available, there is a workaround for this issue. For a workaround please perform either of the following:

            • Turn off JMX via JVM startup options
            • Lock down JMX port connections so that they are only accessible locally within your private network, and not publicly available

            There are many questions regarding if you are on a fixed version of the product, there’s a detailed explanation regarding what is currently fixed below in this comment. Code analysis has shown us that the earliest version of Confluence affected by this vulnerability was 6.1.0, the issue has been updated to reflect this. For questions about upgrading to a fixed version please contact our support team.

            Kind regards,

            Michael Andreacchio
            Confluence DC Product Management

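Both workarounds in the comment above (turn off JMX via the JVM startup options, or lock the JMX port down to the private network), the KB condition quoted further down by Frank Lambrette (vulnerable only if a TCP port is enabled for JMX), Joe Red's question about checking his nodes for jmxremote values, and the -Dconfluence.jmx.disabled=true property from Roy van den Berg's comment all come down to what is in a node's JVM options. The POSIX shell script below is an added example, not Atlassian's or any commenter's code. It reads a CATALINA_OPTS-style option string, reports whether a JMX TCP port is configured and whether the JDK's authentication and SSL for it are switched off, and applies the first workaround by stripping the jmxremote flags. The `com.sun.management.jmxremote.*` names are the standard JDK system properties; the sample option strings are constructed for the example and the function names (`jvm_prop`, `jmx_audit`, `strip_jmx_remote`) are the example's own.

```shell
#!/bin/sh
# Added example, not Atlassian's or any commenter's code: audit the JVM options
# of a Confluence node for the condition the Atlassian KB quoted in this thread
# ties to CVE-2023-22508 (a TCP port enabled for JMX) and for the two workarounds
# Atlassian lists (remove JMX from the startup options, or keep the port private).
# com.sun.management.jmxremote.* are the standard JDK system properties;
# confluence.jmx.disabled is the Confluence property named in the comments.

# Print the value of -D<name>=<value> found in an option string; exit 1 if unset.
jvm_prop() {
  name=$2
  for word in $1; do
    case "$word" in
      "-D$name="*) printf '%s\n' "${word#*=}"; return 0 ;;
    esac
  done
  return 1
}

# One line of verdict for an option string:
#   NOT_EXPOSED ...  no JMX TCP port configured (Confluence's default per the KB)
#   EXPOSED ...      a port is configured; authenticate/ssl show the JDK settings
#                    (the JDK defaults both to true) so a reviewer sees how weak it is.
# confluence.jmx.disabled is reported but not treated as closing the port,
# because nothing on this page says that it does.
jmx_audit() {
  opts=$1
  disabled=$(jvm_prop "$opts" confluence.jmx.disabled) || disabled=false
  if port=$(jvm_prop "$opts" com.sun.management.jmxremote.port); then
    auth=$(jvm_prop "$opts" com.sun.management.jmxremote.authenticate) || auth=true
    ssl=$(jvm_prop "$opts" com.sun.management.jmxremote.ssl) || ssl=true
    echo "EXPOSED port=$port authenticate=$auth ssl=$ssl confluence.jmx.disabled=$disabled"
  else
    echo "NOT_EXPOSED confluence.jmx.disabled=$disabled"
  fi
}

# Workaround 1 ("turn off JMX via JVM startup options"): drop every
# -Dcom.sun.management.jmxremote* flag and print what remains, ready to be
# written back as CATALINA_OPTS in setenv.sh before a restart.
strip_jmx_remote() {
  out=""
  for word in $1; do
    case "$word" in
      -Dcom.sun.management.jmxremote*) ;;
      *) out="${out:+$out }$word" ;;
    esac
  done
  printf '%s\n' "$out"
}

# Constructed CATALINA_OPTS samples for the demo; on a real node feed in the
# running JVM's arguments instead (Linux: ps -o args= -C java) or the
# CATALINA_OPTS value from <confluence-install>/bin/setenv.sh.
DEFAULT_OPTS='-Xms1024m -Xmx1024m -Djava.awt.headless=true'
WEAK_OPTS='-Xms1024m -Xmx1024m -Dcom.sun.management.jmxremote.port=9999 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false'
AUTHED_OPTS='-Xms1024m -Xmx1024m -Dcom.sun.management.jmxremote.port=9999'
HARDENED_OPTS='-Xms1024m -Xmx1024m -Dconfluence.jmx.disabled=true'

printf 'default:   %s\n' "$(jmx_audit "$DEFAULT_OPTS")"
printf 'weak:      %s\n' "$(jmx_audit "$WEAK_OPTS")"
printf 'authed:    %s\n' "$(jmx_audit "$AUTHED_OPTS")"
printf 'hardened:  %s\n' "$(jmx_audit "$HARDENED_OPTS")"
printf 'weak, workaround 1 applied: %s\n' "$(jmx_audit "$(strip_jmx_remote "$WEAK_OPTS")")"
```

An EXPOSED verdict with authenticate=true still counts as exposed here, because the KB text quoted in the thread makes the enabled TCP port, not the JDK's JMX authentication, the condition. Workaround 2 (restricting who can reach the port) lives in firewall or security-group rules that an offline check of the option string cannot see, so a NOT_EXPOSED result is the only one this script can fully vouch for.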

            Alex Gay added a comment - edited

            This will install Confluence 7.19.11 on your computer.
            OK [o, Enter], Cancel [c]

            Dina Goncharenko added a comment -

            RE: "If you are running on a Confluence 7.13LTS you are still affected by this bug and we are currently working on delivering a fix on 7.13"

            Dear Michael and the Atlassian Team,

            I hope this message finds you well. I wanted to follow up on the recent announcement regarding the bug affecting Confluence 7.13LTS and its fix. While I understand that addressing such issues can be complex and time-consuming, there are growing concerns among users due to the lack of updates on the situation.

            The initial post raised awareness of the bug's existence, which is important for transparency and ensuring users can take necessary precautions. However, it's equally critical to keep users informed about the progress and expected timeline for delivering the fix. Five days have passed without any updates or responses to users' comments, which may lead to frustration and uncertainty.

            As users of Confluence, we greatly value the security and reliability of the platform. Given the public nature of the announcement, there is a heightened risk of potential exploitation by malicious actors who are now aware of the vulnerability. We sincerely hope that Atlassian can expedite the resolution process and provide users with an estimated time frame for the fix's delivery.

            I understand that you are diligently working to resolve the issue, and I appreciate your efforts in keeping our data and systems safe. Regular updates, even if it's just to acknowledge the ongoing work, will go a long way in reassuring the community that the matter is being addressed.

            Thank you for your attention to this matter, and I look forward to receiving updates soon.

            Best regards,
            Dina Goncharenko

            Atlassian TMG added a comment -

            Is there a workaround available in case it's not possible to update your environment?

            Gary Kundel added a comment -

            Will there be a fix for 7.20?

            Roy van den Berg added a comment -

            Everything below 7.19.8 is also affected by this CVE. 7.19.8 up to and including 7.19.11 is safe. 7.20.x is again vulnerable up until 8.2.0.

            For 7.13.x I see a release on the 18th of July in the form of 7.13.19 that probably has the fix, as it is the same date as the CVE was known to Atlassian, but this is speculation on my part and not confirmed by Atlassian.

            Václav Šmejkal added a comment -

            Will you be working on a patch for version 7.13.x?

            Your support wrote that you will work on a fix for version 7.13.x and you close the ticket!!

            manfredackermann added a comment -

            Atlassian, please REOPEN the ticket, fulfil your duty and provide a patch/update for 7.13.

            sshilo1 added a comment -

            Is 7.19.6 affected?

            It's not clear to me.


            George Kourvoulis added a comment -

            Are there any Indicators of Compromise that we can search for in the logs?

            Mirko Schäfer (Seibert Solutions) added a comment -

            Could you please explain in more detail what "authenticated attacker" means? Does it mean a user account and known password is necessary?

            Xaviar Steavenson added a comment -

            I'm with the others on 7.13.x – still an active LTS for a bit longer... watching here for a workaround or a patch.

            Khalid Yousif added a comment -

            Is 7.13.x going to be patched?

            Sure, it will reach EOL in mid-August, but it is still an LTS version and we are not fully ready yet to make the jump to 7.19.x

            Please confirm if 7.13 will receive a patch for this CVE.

            Dina Goncharenko added a comment -

            what about 7.13.8?

            Surender added a comment -

            Hi, 

            As the fix for this Vulnerability is in LTS v7.19.8, please let us know whether we have to upgrade to v7.19.8 or the latest LTS v7.19.11 ?

            Thanks!


            Britta Hupka added a comment -

            Is 7.13.7 affected?

            If so, which version will resolve it?

            Thanks.

            Ryan Howard added a comment -

            Is 7.19.1 affected?

            If so, will updating to 7.19.11 resolve it?

            Thanks.

            Edgar Koenig - SVA added a comment -

            Hi @mandreacchio,

            It's still not clear to me whether our customers are affected or not.

            The description says the error was introduced with 7.19.0. At the beginning only versions above 7.19.8 were affected. Then in the meantime 7.19.0 to 7.19.8 were affected. In your comment you say that 7.13.x is completely affected. The ticket says affects version 7.4.0.

            Could you please clarify the version range that is affected?

            For example, is version 7.18.3 affected or not?

            Best Regards
            Edgar König

            Enrico Skottnik added a comment - edited

            FYI:

            In my understanding of https://jira.atlassian.com/browse/CONFSERVER-88265, is it better to update to at least Confluence 8.3.2 for non-LTS installations?

            Please correct me if I'm wrong.

            Michael Andreacchio added a comment -

            Dear Customers,

            Our team has gone back and tested whether this is exploitable in previous versions of Confluence and can now confirm this has been in the product at least since 7.4.0. I've updated the ticket to reflect the affected version. To clear up any confusion, please see the following regarding whether you are affected by this bug:

            • If you are running on a Confluence feature release greater than or equal to 8.2.0 you are not affected by this bug (ie: 8.2, 8.3, 8.4, etc...)
            • If you are running on a Confluence 7.19LTS bugfix greater than or equal to 7.19.8 you are not affected by this bug (ie: 7.19.8, 7.19.9, 7.19.10, 7.19.11, etc...)
            • If you are running on a Confluence 7.13LTS you are still affected by this bug and we are currently working on delivering a fix on 7.13

            We currently do not have workarounds for this bug. We recommend that if you need to mitigate this issue please upgrade to 7.19.8LTS or above (the latest 7.19LTS bugfix release is currently 7.19.11) or to the 8.2.0 feature release or above.

            Our apologies for not having the data structured well on this issue before the announcement went out; we will ensure we do better next time.

            Kind regards,

            Michael Andreacchio

            Confluence DC Product Management

            Christoph Monig added a comment -

            Hello @Michael Andreacchio!

            I'm confused: I'm running version 7.19.11, am I affected or not?

            If I'm affected, how do I fix my issue? Do I have to downgrade to 7.19.8?
            Probably not.

            7.19.x is still a supported LTS release; will you release a version 7.19.12 that includes a fix?

            Thank you very much in advance.

            Service added a comment -

            Is there a kind of workaround available without upgrading?


            Szymon Rostek added a comment -

            Version 7.19.8 is not affected, please refer to the Release Notes: https://confluence.atlassian.com/doc/issues-resolved-in-7-19-8-1229036579.html

            André Krajewski | XALT added a comment -

            Is it now official that this vulnerability is fixed from version 7.19.8?

            IT23 added a comment - edited

            I'd like to draw attention to the fact that yesterday's news was: introduced in 7.19.8 and no known fix for the LTS release.

            Whereas the current status is: introduced in 7.19.0 and fixed in 7.19.8.

            So this might be some good news for those commenters desperately asking for an LTS fix.

            --

            Edit: Thanks to Michael Andreacchio, who posted at the same time as my comment, for the clarification.

            Michael Andreacchio added a comment -

            Dear Customers,

            Please accept our apology for not updating and aligning this ticket's data. We've taken a look through our trackers and pull requests to confirm that this issue was fixed in 7.19.8, but the Fix Version simply was not applied in this case. I've gone and fixed the affects-version and fix-version of this issue to align it with what's been shipped in our code base.

            Kind regards,

            Michael Andreacchio

            Confluence DC Product Management

            Edgar Koenig - SVA added a comment -

            Hi,
            I have several questions about this. Is only version 7.19.8 affected? Or all versions from 7.19.8 onwards?

            When is the backport of the fix coming for LTS? If the vulnerability has been known since 26.06.2023, a solution should have been implemented in the 7.19.11 release at the latest.

            Please fix LTS asap!

            Bart van den Bosch added a comment -

            Please update the LTS version

            Alexander added a comment -

            Hi, is there a fix for LTS?!?!?!?
