Is Confluence vulnerable to the Apache Struts 2 CVE-2023-50164?

Justin Roysdon December 19, 2023

3 answers

1 vote
Justin Roysdon December 22, 2023

https://www.paloaltonetworks.com/blog/prisma-cloud/cve-2023-50164-custom-rules/

More details.

Would be nice to see a public indication from Atlassian that they have confirmed Confluence is not vulnerable to this.

Kensuke Karukomi (軽込 健介)
Contributor
December 26, 2023

Agreed. 

I'm annoyed with Confluence and CVE-2023-50164.

I asked Atlassian support to confirm whether CVE-2023-50164 affects Confluence 8.7.1.
The answer is: CVE-2023-50164 doesn't affect Confluence 8.7.1.

However, there is no detailed information or official statement about CVE-2023-50164 from Atlassian so far. Hence, it's difficult for me to explain this to the Information Security dept.

1 vote
Justin Roysdon December 19, 2023

The affected version appears to be installed in the latest Confluence 8.4.14.

# find / -name \*struts*.jar
/opt/atlassian/confluence/confluence/WEB-INF/lib/com.atlassian.struts2_struts-compat-6.2.0.jar
/opt/atlassian/confluence/confluence/WEB-INF/lib/com.atlassian.struts2_struts-support-3.0.1.jar
/opt/atlassian/confluence/confluence/WEB-INF/lib/org.apache.struts_struts2-core-6.3.0-atlassian-8.jar
/opt/atlassian/confluence/confluence/WEB-INF/lib/org.apache.struts_struts2-velocity-plugin-6.3.0-atlassian-8.jar

Alex Medved _ConfiForms_
Community Leader
December 20, 2023

Not trying to say that org.apache.struts_struts2-core-6.3.0-atlassian-8 includes a fix for CVE-2023-50164.

But org.apache.struts_struts2-core-6.3.0-atlassian-8 is different from pure org.apache.struts_struts2-core-6.3.0.

So, I guess only the Atlassian team could confirm that.

Alex

Justin Roysdon December 22, 2023

They may have added some custom things to it. But that was released before this vulnerability was announced. So, I'm not super confident this has been patched.

There may be some other reason why it does not impact Confluence though.

Atlassian could confirm it. Or some other organization that has tried the Proof of Concept (PoC) against it.

Justin Roysdon December 22, 2023

I wouldn't be surprised to see it in their next patch cycle Jan 4-6 ish.
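The exchange above boils down to one defensive task: inventory which Struts jars a Confluence install actually ships and notice when a version string carries a vendor suffix (like -atlassian-8) that the upstream advisory cannot speak for. The script below is an added example, not code from the thread or from Atlassian. It assumes the jar naming pattern seen in the listing above (group_artifact-VERSION[-suffix].jar) and builds a throwaway directory with empty files of those names so it runs offline; point it at a real WEB-INF/lib directory instead to inventory a live instance.

```shell
#!/bin/sh
# Added example: inventory Struts jars under a Confluence WEB-INF/lib directory.
# The version is read from the file name only. A vendor suffix such as
# "-atlassian-8" marks a vendor rebuild, so the version string by itself cannot
# prove whether a given upstream fix is present; that must come from the vendor.

# struts_jar_versions DIR
#   Prints one line per Struts jar found under DIR: "artifact version suffix".
#   suffix is "none" when the file name ends at the plain version number.
struts_jar_versions() {
    dir="$1"
    find "$dir" -name '*struts*.jar' 2>/dev/null | LC_ALL=C sort | while read -r jar; do
        base=$(basename "$jar" .jar)
        # artifact = everything before the first "-<digit>"
        artifact=$(printf '%s' "$base" | sed 's/-[0-9].*$//')
        # verpart = "6.3.0-atlassian-8" or "6.2.0"
        verpart=${base#"$artifact"-}
        version=${verpart%%-*}
        suffix=${verpart#"$version"}
        suffix=${suffix#-}
        printf '%s %s %s\n' "$artifact" "$version" "${suffix:-none}"
    done
}

# struts_core_version DIR
#   Prints just the version of the struts2-core jar, the artifact the CVE names.
struts_core_version() {
    struts_jar_versions "$1" | awk '$1 ~ /struts2-core$/ { print $2 }'
}

# make_sample_lib
#   Constructs a temporary directory mimicking the listing from the thread
#   (empty placeholder files, constructed for this example) and prints its path.
make_sample_lib() {
    d=$(mktemp -d)
    mkdir -p "$d/WEB-INF/lib"
    for j in com.atlassian.struts2_struts-compat-6.2.0 \
             com.atlassian.struts2_struts-support-3.0.1 \
             org.apache.struts_struts2-core-6.3.0-atlassian-8 \
             org.apache.struts_struts2-velocity-plugin-6.3.0-atlassian-8 \
             unrelated-library-1.0.0; do
        : > "$d/WEB-INF/lib/$j.jar"
    done
    printf '%s\n' "$d"
}

# Usage: sh struts_inventory.sh /opt/atlassian/confluence/confluence/WEB-INF/lib
# With no argument nothing is scanned; the functions above can be sourced instead.
if [ -n "${1:-}" ]; then
    struts_jar_versions "$1"
    printf 'struts2-core version: %s\n' "$(struts_core_version "$1")"
fi
```

Lines whose third column is anything other than "none" are the ones to raise with the vendor: the upstream advisory's "fixed in" numbers describe pure Apache builds, and a rebuilt jar can be ahead of or behind them regardless of what its version field says.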

1 vote
Justin Roysdon December 19, 2023
