BI.ZONE WAF counters new vulnerability in Confluence
Known as CVE-2024-21683, the vulnerability enables adversaries to execute arbitrary code and gain access to the Confluence server. This has severe implications for the confidentiality, integrity, and availability of the user data stored in the Confluence wiki system. While early information about CVE-2024-21683 appeared on May 21, at least three proof-of-concept (PoC) exploits became available two days later.
BI.ZONE WAF specialists have developed a rule that detects programming language semantics in user‑supplied data, such as Runtime.getRuntime().exec() in Java. Anomalous requests are blocked to prevent attackers from executing arbitrary code on the Confluence server.
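As an added illustration of the kind of rule described above (example code written for this page, not BI.ZONE's WAF rule), the snippet below inspects a form-encoded request body for Java execution semantics. Only Runtime.getRuntime().exec() is named in the article; the ProcessBuilder and Class.forName signatures, the helper names, and the sample request bodies are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Signatures for Java execution semantics in user-supplied data. Only
# Runtime.getRuntime().exec() is named in the article; the other two
# entries are assumed additions for illustration.
JAVA_EXEC_SIGNATURES = {
    "runtime_exec": re.compile(r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec\s*\("),
    "process_builder": re.compile(r"\bnew\s+ProcessBuilder\s*\("),
    "reflection_load": re.compile(r"\bClass\s*\.\s*forName\s*\("),
}

def normalize(value, rounds=3):
    """Undo up to `rounds` extra layers of URL encoding and collapse
    whitespace, so an encoded payload is compared in the same form as a
    plain one (parse_qs already removed the first layer)."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return re.sub(r"\s+", " ", value)

def inspect_form_body(body):
    """Return a list of (parameter, signature_name) hits for a
    form-encoded request body. An empty list means no Java execution
    semantics were found in any parameter."""
    hits = []
    for param, values in parse_qs(body, keep_blank_values=True).items():
        for raw in values:
            text = normalize(raw)
            for name, pattern in JAVA_EXEC_SIGNATURES.items():
                if pattern.search(text):
                    hits.append((param, name))
    return hits

def should_block(body):
    """WAF decision: block the request when any signature matches."""
    return bool(inspect_form_body(body))

# Constructed sample bodies (not real traffic): a harmless wiki page edit,
# a parameter carrying Java code, and the same code double URL-encoded.
BENIGN_BODY = "title=Release+notes&wysiwygContent=Runtime+of+the+job+was+2h"
PLAIN_PAYLOAD_BODY = "title=x&code=Runtime.getRuntime%28%29.exec%28cmd%29"
DOUBLE_ENCODED_BODY = "title=x&code=Runtime.getRuntime%2528%2529.exec%2528cmd%2529"
```

The double-encoded case shows why the rule should decode before matching: after one decoding layer the parentheses are still `%28`/`%29`, and a signature applied to that form would miss it.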
The new vulnerability is rated 8.3 out of 10 (high severity) on the CVSS scale. To run an RCE attack on a vulnerable server, a threat actor must be authenticated. However, there are already at least five attack vectors in which CVE-2024-21683 is coupled with authentication bypass techniques.
The vulnerability has been fixed in LTS versions 8.5.9 and 7.19.22, and in Confluence Data Center 8.9.1. The following earlier versions are affected: 8.9.0; 8.8.0 and 8.8.1; 8.7.1 and 8.7.2; 8.6.0 through 8.6.2; 8.5.0 through 8.5.8 (LTS); 8.4.0 through 8.4.5; 8.3.0 through 8.3.4; 8.2.0 through 8.2.3; 8.1.0 through 8.1.4; 8.0.0 through 8.0.4; 7.20.0 through 7.20.3; and 7.19.0 through 7.19.21 (LTS).
Our other teams have also developed dedicated rules to counter the new vulnerability. BI.ZONE TDR now has correlation rules to detect post‑exploitation activity following CVE-2024-21683, while BI.ZONE CPT has been enriched with rules to detect the vulnerability during active scans.