[CONFSERVER-93169] DoS (Denial of Service) net.sourceforge.nekohtml:nekohtml in Confluence Data Center and Server

Type: Public Security Vulnerability
Resolution: Fixed
Priority: High
Fix Version/s: 8.6.0, 8.5.4, 7.19.17
Affects Version/s: 7.13.0, (53)
7.13.1, 7.13.2, 7.13.3, 7.13.4, 7.13.5, 7.13.6, 7.13.7, 7.13.8, 7.13.9, 7.13.10, 7.13.11, 7.13.12, 7.19.0, 7.19.1, 7.19.2, 7.19.3, 7.19.4, 7.19.5, 8.1.0, 8.2.0, 8.3.0, 8.5.0, 7.13.13, 7.19.6, 7.13.14, 8.1.1, 7.13.15, 7.13.16, 7.13.17, 7.13.18, 7.13.19, 7.19.7, 7.19.8, 7.19.9, 7.19.10, 7.19.11, 8.1.3, 8.2.1, 8.1.4, 8.2.2, 8.2.3, 8.3.1, 8.3.2, 7.13.20, 7.19.12, 8.5.1, 7.19.14, 8.5.2, 7.19.15, 7.19.16, 8.3.3, 8.5.3, 8.3.4
Component/s: None
Labels:

CVSS Score:
7.5
CVSS Severity:
High
CVE ID:
CVE-2022-28366
Vulnerability Source:
Atlassian (Internal)
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vulnerability Classes:

DoS (Denial of Service)
Affected Product(s):

Confluence Data Center, Confluence Server

This High severity Third-Party Dependency vulnerability was introduced in versions 7.13.0, 7.19, 8.1.0, 8.2.0, 8.3.0 and 8.5 of Confluence Data Center and Server.

This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an unauthenticated attacker to expose assets in your environment susceptible to exploitation which has no impact to confidentiality, no impact to integrity, high impact to availability, and requires no user interaction.

Atlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:

Confluence Data Center and Server 8.6: Upgrade to a release greater than or equal to 8.6.0

See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives).

The National Vulnerability Database provides the following description for this vulnerability: Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this may be related to CVE-2022-24839.

mentioned in: Page Loading...; Page Loading...; Page Loading...; Page Loading...

Cathy S made changes - 30/Apr/2024 4:09 PM

Remote Link

New: This issue links to "Page (Confluence)" [ 899986 ]

Cathy S made changes - 19/Apr/2024 5:22 PM

Remote Link

Original: This issue links to "Page (Confluence)" [ 880439 ]

Cathy S made changes - 14/Mar/2024 6:29 PM

Remote Link

New: This issue links to "Page (Confluence)" [ 880552 ]

Cathy S made changes - 14/Mar/2024 5:22 PM

Remote Link

New: This issue links to "Page (Confluence)" [ 880439 ]

Cathy S made changes - 13/Mar/2024 5:55 PM

Remote Link

New: This issue links to "Page (Confluence)" [ 880202 ]

psytester added a comment - 30/Jan/2024 10:15 PM

Here a Jira Server 9.4.15 LTS from 03.01.2024 is installed

I see two outdated JAR files

find /opt/atlassian -name "*neko*.jar"

/opt/atlassian/jira/atlassian-jira/WEB-INF/lib/nekohtml-1.9.19.jar
/opt/atlassian/jira/atlassian-jira/WEB-INF/atlassian-bundled-plugins/nekohtml-1.9.12-1.jar

and some plugin JARs embedding the nekohtml directly

find /var/atlassian/ -name "*.jar" | xargs grep neko 2>/dev/null

/var/atlassian/application-data/jira/plugins/.osgi-plugins/transformed-plugins/streams-aggregator-plugin-9.1.6_1704274718000.jar
/var/atlassian/application-data/jira/plugins/.osgi-plugins/transformed-plugins/streams-core-plugin-9.1.6_1704274718000.jar
/var/atlassian/application-data/jira/plugins/.osgi-plugins/transformed-plugins/jira-portfolio-9.4.15_1704274718000.jar
/var/atlassian/application-data/jira/plugins/.osgi-plugins/transformed-plugins/jira-languages-9.4.15-en_UK_1704274718000.jar
/var/atlassian/application-data/jira/plugins/.osgi-plugins/felix/felix-cache/bundle98/version0.0/batchers-3.0.4.jar-embedded/META-INF/lib/joda-time-2.10.5.jar
/var/atlassian/application-data/jira/plugins/.osgi-plugins/felix/felix-cache/bundle100/version0.0/event-plugin-3.0.4.jar-embedded/META-INF/lib/joda-time-2.10.5.jar
/var/atlassian/application-data/jira/plugins/.osgi-plugins/felix/felix-cache/bundle99/version0.0/batching-plugin-3.0.4.jar-embedded/META-INF/lib/joda-time-2.10.5.jar
/var/atlassian/application-data/jira/plugins/.osgi-plugins/felix/felix-cache/bundle42/version0.0/atlassian-gadgets-opensocial-plugin-8.0.21.jar-embedded/META-INF/lib/shindig-gadgets-3.0.3.jar
/var/atlassian/application-data/jira/plugins/.osgi-plugins/felix/felix-cache/bundle117/version0.0/bundle.jar-embedded/META-INF/lib/joda-time-2.10.5.jar
/var/atlassian/application-data/jira/plugins/.osgi-plugins/felix/felix-cache/bundle81/version0.0/jira-projects-plugin-7.1.13.jar-embedded/META-INF/lib/joda-time-2.10.5.jar

Just one example:
streams-core-plugin-9.1.6_1704274718000.jar contains an older version without the latest fix in scanPI() method.

The payload is almoast clear for me, I "just" need the trigger for it

Create a Processing Instruction, which is not an xml target, but any other: https://github.com/sparklemotion/nekohtml/blob/1.9.22/src/org/cyberneko/html/HTMLScanner.java#L2553

The fix contains a check against last entry, while it is missing in other version: https://github.com/sparklemotion/nekohtml/blob/1.9.22/src/org/cyberneko/html/HTMLScanner.java#L2591

The whole payload line fits the DEFAULT_BUFFER_SIZE = 2048 https://github.com/sparklemotion/nekohtml/blob/1.9.22/src/org/cyberneko/html/HTMLScanner.java#L330
but does not close with the bracket

something like:

 
<?xml-stlyeshhet some_content_to_reach_pos_2048_default_buffer_size_tag="012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123

psytester added a comment - 30/Jan/2024 10:15 PM Here a Jira Server 9.4.15 LTS from 03.01.20 24 is installed I see two outdated JAR files find /opt/atlassian -name "*neko*.jar" /opt/atlassian/jira/atlassian-jira/WEB-INF/lib/nekohtml-1.9.19.jar /opt/atlassian/jira/atlassian-jira/WEB-INF/atlassian-bundled-plugins/nekohtml-1.9.12-1.jar and some plugin JARs embedding the nekohtml directly find /var/atlassian/ -name "*.jar" | xargs grep neko 2>/dev/null /var/atlassian/application-data/jira/plugins/.osgi-plugins/transformed-plugins/streams-aggregator-plugin-9.1.6_1704274718000.jar /var/atlassian/application-data/jira/plugins/.osgi-plugins/transformed-plugins/streams-core-plugin-9.1.6_1704274718000.jar /var/atlassian/application-data/jira/plugins/.osgi-plugins/transformed-plugins/jira-portfolio-9.4.15_1704274718000.jar /var/atlassian/application-data/jira/plugins/.osgi-plugins/transformed-plugins/jira-languages-9.4.15-en_UK_1704274718000.jar /var/atlassian/application-data/jira/plugins/.osgi-plugins/felix/felix-cache/bundle98/version0.0/batchers-3.0.4.jar-embedded/META-INF/lib/joda-time-2.10.5.jar /var/atlassian/application-data/jira/plugins/.osgi-plugins/felix/felix-cache/bundle100/version0.0/event-plugin-3.0.4.jar-embedded/META-INF/lib/joda-time-2.10.5.jar /var/atlassian/application-data/jira/plugins/.osgi-plugins/felix/felix-cache/bundle99/version0.0/batching-plugin-3.0.4.jar-embedded/META-INF/lib/joda-time-2.10.5.jar /var/atlassian/application-data/jira/plugins/.osgi-plugins/felix/felix-cache/bundle42/version0.0/atlassian-gadgets-opensocial-plugin-8.0.21.jar-embedded/META-INF/lib/shindig-gadgets-3.0.3.jar /var/atlassian/application-data/jira/plugins/.osgi-plugins/felix/felix-cache/bundle117/version0.0/bundle.jar-embedded/META-INF/lib/joda-time-2.10.5.jar /var/atlassian/application-data/jira/plugins/.osgi-plugins/felix/felix-cache/bundle81/version0.0/jira-projects-plugin-7.1.13.jar-embedded/META-INF/lib/joda-time-2.10.5.jar Just one example: streams-core-plugin-9.1.6_1704274718000.jar contains an older version without the latest fix in scanPI() method. The payload is almoast clear for me, I "just" need the trigger for it Create a Processing Instruction, which is not an xml target, but any other: https://github.com/sparklemotion/nekohtml/blob/1.9.22/src/org/cyberneko/html/HTMLScanner.java#L2553 The fix contains a check against last entry, while it is missing in other version: https://github.com/sparklemotion/nekohtml/blob/1.9.22/src/org/cyberneko/html/HTMLScanner.java#L2591 The whole payload line fits the DEFAULT_BUFFER_SIZE = 2048 https://github.com/sparklemotion/nekohtml/blob/1.9.22/src/org/cyberneko/html/HTMLScanner.java#L330 but does not close with the bracket something like: <?xml-stlyeshhet some_content_to_reach_pos_2048_default_buffer_size_tag="012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123

Christopher Vasquez added a comment - 06/Dec/2023 8:35 PM

This ticket refers to CVE-2022-24839 as possibly related. Doing a search in a local Confluence v7.19.16 LTS deployment, I found two neko based files in my <confluence-install>/confluence/WEB-INF/lib/ directory:

1) nekohtml-1.9.22-atlassian-2.jar
2) neko-htmlunit-2.67.0.jar

If related to CVE-2022-24839, I surmise Atlassian is maintaining their own Nokogiri (nekohtml-1.9.22) fork. That is a lot of work given that development for the original stopped in 2014. This CVE dates back to April 2022. This vulnerability was missed for some time...

The 2nd jar - neko-htmlunit-2.67.0 - seems to be related to CVE-2023-2798, which is vulnerable to crash by stack overflow. This is fixed in neko-htmlunit-2.70.

Based on the existence of neko-htmlunit-2.67.0.jar in the lib directory, Confluence v7.19.16 may have the vulnerable version.

I am working on attack payloads for testing.

Christopher Vasquez added a comment - 06/Dec/2023 8:35 PM This ticket refers to CVE-2022-24839 as possibly related. Doing a search in a local Confluence v7.19.16 LTS deployment, I found two neko based files in my <confluence-install>/confluence/WEB-INF/lib/ directory: 1) nekohtml-1.9.22-atlassian-2.jar 2) neko-htmlunit-2.67.0.jar If related to CVE-2022-24839, I surmise Atlassian is maintaining their own Nokogiri (nekohtml-1.9.22) fork. That is a lot of work given that development for the original stopped in 2014. This CVE dates back to April 2022. This vulnerability was missed for some time... The 2nd jar - neko-htmlunit-2.67.0 - seems to be related to CVE-2023-2798, which is vulnerable to crash by stack overflow. This is fixed in neko-htmlunit-2.70. Based on the existence of neko-htmlunit-2.67.0.jar in the lib directory, Confluence v7.19.16 may have the vulnerable version. I am working on attack payloads for testing.

Lee Berg made changes - 06/Dec/2023 7:41 PM

Remote Link

New: This issue links to "Page (Confluence)" [ 845287 ]

Aleš Kedroutek added a comment - 04/Dec/2023 9:45 AM

Hello Atlassian,

any ETA when fixed versions would be available?

Kind regards

Aleš Kedroutek added a comment - 04/Dec/2023 9:45 AM Hello Atlassian, any ETA when fixed versions would be available? Kind regards

Sandeep Mellacheruvu added a comment - 30/Nov/2023 10:32 AM

Hi Everyone, Apologies for the confusion. There was an issue internally which led to the confusion. This issue is being fixed and will be released as part of 7.19.17 and 8.5.4. Also its already fixed as part of the 8.6.0.

Thanks & Regards

Sandeep

Sandeep Mellacheruvu added a comment - 30/Nov/2023 10:32 AM Hi Everyone, Apologies for the confusion. There was an issue internally which led to the confusion. This issue is being fixed and will be released as part of 7.19.17 and 8.5.4. Also its already fixed as part of the 8.6.0. Thanks & Regards Sandeep

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Votes:: 0 Vote for this issue

Watchers:: 70 Start watching this issue

Created:: 03/Nov/2023 12:45 AM

Updated:: 05/Sep/2024 12:01 AM

Resolved:: 21/Nov/2023 6:03 PM

Details

Description

Attachments

Issue Links

Forms

Activity

Collapse comment: psytester added a comment - 30/Jan/2024 10:15 PM

Expand comment: psytester added a comment - 30/Jan/2024 10:15 PM

Collapse comment: Christopher Vasquez added a comment - 06/Dec/2023 8:35 PM

Expand comment: Christopher Vasquez added a comment - 06/Dec/2023 8:35 PM

Collapse comment: Aleš Kedroutek added a comment - 04/Dec/2023 9:45 AM

Expand comment: Aleš Kedroutek added a comment - 04/Dec/2023 9:45 AM

Collapse comment: Sandeep Mellacheruvu added a comment - 30/Nov/2023 10:32 AM

Expand comment: Sandeep Mellacheruvu added a comment - 30/Nov/2023 10:32 AM

People

Dates