FAQ for CVE-2023-22527
General Information
A critical severity Remote Code Execution (RCE) vulnerability (CVE-2023-22527) was discovered in Confluence Server and Data Center.
This page contains answers to frequently asked questions about this vulnerability. The Atlassian Security Team will update this page whenever new information becomes available.
Is my Confluence instance affected?
This RCE (Remote Code Execution) vulnerability affects out-of-date Confluence Data Center and Server versions released before Dec. 5, 2023 as well as 8.4.5 which no longer receives backported fixes in accordance with our Security Bug Fix Policy. Atlassian recommends patching immediately to the latest version.
Product | Affected Versions |
|---|---|
Confluence Data Center and Server |
|
What You Need To Do
Immediately patch to the latest version
If you are on an out-of-date version, you must immediately patch. Atlassian recommends that you patch each of your affected installations to the latest version available. Please note, the Fixed Versions listed below are no longer the most up-to-date versions and do not protect your instance from other non-critical vulnerabilities as outlined in Atlassian’s January Security Bulletin.
Product | Fixed Versions for CVE-2023-22527 | Latest Versions recommended |
|---|---|---|
Confluence Data Center and Confluence Server |
|
|
Confluence Data Center |
|
|
Note: Starting from Confluence 8.6, new Confluence releases support only Data Center licenses. If you are upgrading to version 8.6 or later, please make sure you have a valid Data Center license.
Is Confluence LTS version 7.19.x affected by CVE-2023-22527?
Based on the assessment performed by our security team, Confluence version 7.19.x is not affected by the critical CVE-2023-22527. However, in light of the Atlassian January Security Bulletin, we highly recommend that you upgrade your Confluence instance to the latest version 7.19.18 release. This will help protect your instance from other non-critical vulnerabilities mentioned in the Atlassian January Security Bulletin.
Are Cloud instances affected?
Atlassian Cloud Instances are not affected by CVE-2023-22527. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not exposed to this vulnerability.
Are other Atlassian products affected by this vulnerability?
Based on current information, other Atlassian products are not affected by CVE-2023-22527. No action is required for other products to address this vulnerability. Please check the Atlassian Security Advisories page for other recent security advisories that might affect other Atlassian products you use.
My instance is NOT connected to the internet, what should I do?
If the Confluence instance cannot be accessed from the internet the risk of exploitation is reduced, but not completely mitigated.
We still strongly recommend patching to the latest version available, as listed on the Confluence Security Advisory page for CVE-2023-22527.
I do not allow anonymous access on my public instance.
This is an unauthenticated remote code execution vulnerability, and therefore still exploitable without anonymous access enabled. Atlassian recommends patching to the latest version available, as listed on the Confluence Security Advisory page for CVE-2023-22527.
My instance isn't exposed to the Internet. Is an upgrade still recommended?
Yes! Instances that are not exposed to the public internet will have a reduced attack surface against CVE-2023-22527, but we strongly recommend patching to the latest version available.
I am running an affected version of Confluence. What should I do until I am able to patch it?
For customers who are unable to immediately patch their Confluence Data Center and Server instances, we recommend the following steps to reduce the risk:
1. Take your system off the internet immediately.
2. Back up the data of the instance to a secure location outside of the Confluence instance.
3. Engage your local security team to review for any potential malicious activity.
For guidance on backing up Confluence, please refer to Production Backup Strategy | Confluence Data Center and Server 8.6 | Atlassian Documentation
Will the fix be included in non-EOL, non-LTS Confluence versions (e.g. 8.0.x)?
For critical-severity vulnerabilities (such as CVE-2023-22527), Atlassian issues Confluence bug-fix releases in line with our Security Bug Fix Policy.
As per our policy, Atlassian will backport fixes for any version that is designated as a Long Term Support (LTS) release that hasn't reached end of life (e.g. Confluence 7.19.x, Confluence 8.5.x).
Additionally, Atlassian will backport critical security fixes to all feature versions released within 6 months of the date the security fix is released. For example, Confluence 8.0.0 was released in Nov 2022. As it has been more than 6 months since that version was released, the fix will not be backported to Confluence 8.0.x.
More information is available on Atlassian's Security Bug Fix Policy document.
Are there any IOCs (Indicators of Compromise) for the exploit regarding CVE-2023-22527?
The possibility of multiple entry points, along with chained attacks, makes it difficult to list all possible indicators of compromise.
Customers must take immediate action to protect their Confluence instances.
As outlined on CVE-2023-22527, it is strongly recommended that vulnerable instances be patched to the latest Long Term Support (LTS) release (or the latest version that contains the fix) immediately.
Does CVE-2023-22527 impact configured application tunnels or application links?
There is no impact on the application tunnel or application links.
What if I don’t have a local security team?
We recommend engaging a specialist security firm for further investigation.