BI.ZONE WAF counters new vulnerability in Confluence

In late May, Atlassian disclosed a new severe vulnerability affecting multiple versions of Confluence Data Center and Confluence Server. BI.ZONE WAF specialists quickly responded with a rule that detects illegitimate activity and prevents exploitation of the vulnerability.
May 27, 2024

Known as CVE-2024-21683, the vulnerability enables adversaries to execute arbitrary code and gain access to the Confluence server. This has severe implications for the confidentiality, integrity, and availability of user data stored in the Confluence wiki system. Early information about CVE-2024-21683 appeared on May 21, and at least three proof-of-concept (PoC) exploits became publicly available two days later.

BI.ZONE WAF specialists have developed a rule that detects programming-language semantics in user-supplied data, such as the Java call chain Runtime.getRuntime().exec(). Requests matching the rule are blocked to prevent attackers from executing arbitrary code on the Confluence server.
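To illustrate what such a rule has to handle, here is an added example that is not BI.ZONE WAF's actual rule: it normalises a request body (repeated URL decoding for double-encoded input, case folding, whitespace removal) before matching the Java execution semantics the text names, and extends the page's single pattern with ProcessBuilder and the java.lang.Runtime class reference as an assumed broader list. The sample request bodies are constructed, not captured traffic.

```python
"""Illustrative WAF-style check for Java code-execution semantics in request bodies.

Added example, not BI.ZONE WAF's rule: shows why naive substring matching on the
raw body misses encoded or whitespace-padded variants.
"""
import re
from urllib.parse import unquote_plus

# Java call chains that should not appear in user-supplied wiki content.
# Matching runs on lower-cased text with all whitespace removed, so
# "Runtime . getRuntime ( )" is caught as well as the compact form.
# ProcessBuilder and java.lang.Runtime are an assumed extension of the
# page's Runtime.getRuntime().exec() example.
JAVA_EXEC_PATTERNS = [
    re.compile(r"runtime\.getruntime\(\)\.exec\("),
    re.compile(r"newprocessbuilder\("),
    re.compile(r"java\.lang\.runtime"),
]


def normalize(body: str, max_passes: int = 3) -> str:
    """URL-decode until stable (handles double encoding), lower-case, drop whitespace."""
    decoded = body
    for _ in range(max_passes):
        nxt = unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return re.sub(r"\s+", "", decoded).lower()


def find_java_exec(body: str) -> list[str]:
    """Return the patterns matched in the normalized body (empty list means allow)."""
    text = normalize(body)
    return [p.pattern for p in JAVA_EXEC_PATTERNS if p.search(text)]


def should_block(body: str) -> bool:
    """Block decision for one request body."""
    return bool(find_java_exec(body))


# Constructed sample request bodies (not real captured traffic).
SAMPLES = {
    "plain": 'code=Runtime.getRuntime().exec("id")',
    "url_encoded": "code=Runtime.getRuntime%28%29.exec%28%22id%22%29",
    "double_encoded": "code=Runtime.getRuntime%2528%2529.exec%2528%2522id%2522%2529",
    "spaced": 'code=Runtime . getRuntime ( ) . exec ( "id" )',
    "benign": "text=The+runtime+of+this+job+is+two+hours",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:15s} block={should_block(body)} matches={find_java_exec(body)}")
```

The benign sample shows the rule keying on the call chain rather than on the word "runtime" alone, which keeps ordinary wiki text from being blocked.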

The new vulnerability has a CVSS score of 8.3 out of 10 (high severity). To run an RCE attack on a vulnerable server, a threat actor must be authenticated. However, there are already at least five attack vectors in which CVE-2024-21683 is combined with authentication bypass techniques.

Confluence is one of the most popular applications targeted by adversaries. It accounts for 21% of the web attacks we tracked in the first four months of 2024. Therefore, protection against the new vulnerability is important to maintain the security of the wiki system. If a company does not have the ability to upgrade Confluence Data Center and Server to the latest version, BI.ZONE WAF will help to protect the wiki system from such attacks.
Dmitry Tsarev
Head of Cloud Security Solutions, BI.ZONE

The vulnerability has been fixed in LTS versions 8.5.9 and 7.19.22 and in Confluence Data Center 8.9.1. The following earlier versions are affected: 8.9.0; 8.8.0 and 8.8.1; 8.7.1 and 8.7.2; 8.6.0 through 8.6.2; 8.5.0 through 8.5.8 (LTS); 8.4.0 through 8.4.5; 8.3.0 through 8.3.4; 8.2.0 through 8.2.3; 8.1.0 through 8.1.4; 8.0.0 through 8.0.4; 7.20.0 through 7.20.3; and 7.19.0 through 7.19.21 (LTS).

Our other teams have also developed special rules to counter the new vulnerability. BI.ZONE TDR now has correlation rules to detect post‑exploitation of CVE-2024-21683, while BI.ZONE CPT has been enriched with rules to detect the vulnerability during active scans.