In this week’s digest, we will discuss the following:
- Atlassian Confluence Data Center & Server Remote Code Execution
- Adobe ColdFusion Remote Code Execution
- OpenSSH Forwarded ssh-agent Remote Code Execution
- AMD “Zenbleed”
CVE-2023-22505 & CVE-2023-22508: Atlassian Confluence Data Center & Server Remote Code Execution
Confluence, developed by the Australian software company Atlassian, is a web-based corporate wiki designed for collaboration and knowledge sharing within enterprises. Initially released in 2004 and built using Java, Confluence has evolved into a versatile platform that facilitates seamless teamwork and documentation processes. With its built-in Tomcat web server and HSQL database, Confluence Standalone offers a self-contained solution while also accommodating various other databases. Atlassian offers Confluence as enterprise software, allowing organizations to choose between on-premises deployment or a Software-as-a-Service.
Two high-severity Remote Code Execution (RCE) vulnerabilities have been identified in Confluence Data Center & Server.
The first vulnerability, known as CVE-2023-22505, was introduced in version 8.0.0. It holds a CVSS Score of 8, according to Confluence’s assessment, enabling an authenticated attacker to execute arbitrary code. This vulnerability poses a high risk to confidentiality, integrity, and availability, making it a critical concern. Additionally, the attacker can exploit this flaw without requiring any user interaction.
The second vulnerability, labeled CVE-2023-22508, was introduced in version 6.1.0. With a CVSS Score of 8.5 according to Confluence’s assessment, it shares similar characteristics with the previous one. An authenticated attacker can execute arbitrary code without user interaction with a high impact on confidentiality, integrity, and availability.
- Upgrade your instance to the latest version of Confluence Data Center & Server.
- If you cannot upgrade to the latest version, upgrade to one of the fixed versions, specifically 8.3.2 or 8.4.0.
- Upgrade your instance to a Confluence feature release equal to or greater than 8.2.0 (e.g., 8.2, 8.4, etc.).
- Alternatively, upgrade to a Confluence 7.19 LTS bugfix release equal to or greater than 7.19.8 (e.g., 7.19.8, 7.19.9, 7.19.10, 7.19.11, etc.) or a Confluence 7.13 LTS bugfix release equal to or greater than 7.13.20 (Release available early August).
CVE-2023-38205: Adobe ColdFusion Access Control Bypass
Adobe ColdFusion is a versatile Java-based web application development platform. It enables developers to create dynamic and data-driven web applications by seamlessly integrating server-side logic and database interactions into web pages using ColdFusion Markup Language (CFML) mixed with HTML.
This vulnerability, tracked as CVE-2023-38205, is a patch bypass for a previously patched vulnerability, CVE-2023-29298, addressed in Adobe’s Security Bulletin. The initial patch released on July 11, 2023, for CVE-2023-29298 did not fully fix the issue and could be bypassed by an attacker. According to Rapid7, the fix correctly handled valid URLs but could be bypassed by supplying an invalid URL, which still allowed access to the protected endpoint without a valid URL path.
The following versions of ColdFusion are vulnerable:
- Adobe ColdFusion 2023 Update 2 and earlier versions
- Adobe ColdFusion 2021 Update 8 and earlier versions
- Adobe ColdFusion 2018 Update 18 and earlier versions
Adobe has released a patch for mitigating this vulnerability on Jul 19, 2023, in this advisory. The patches are as follows:
- Update 3 for ColdFusion 2023
- Update 9 for ColdFusion 2021
- Update 19 for ColdFusion 2018
CVE-2023-38408: Remote Code Execution in OpenSSH’s forwarded ssh-agent
OpenSSH’s forwarded ssh-agent is a functionality that enables users to securely forward their ssh-agent from one machine to another during SSH connections. The ssh-agent manages private keys for SSH public key authentication. Through agent forwarding, the user’s local ssh-agent can be utilized to authenticate connections to remote machines, eliminating the need to store private keys on those systems.
According to the advisory published by researchers at Qualys, a user who logs into an attacker-controlled host with ssh-agent forwarding enabled can potentially expose the machine they logged in from (the base host) to remote code execution by the attacker.
The vulnerability stems from the OpenSSH agent’s handling of shared-library loading on behalf of the remote host. When the base host’s ssh-agent is compiled with the ENABLE_PKCS11 flag, which is the default, the remote host can cause that agent to load (dlopen()) and immediately unload (dlclose()) any shared library in /usr/lib/* on the base host. Many shared libraries do not tolerate this load/unload cycle and exhibit unintended side effects. By chaining such side effects together, the researchers achieved remote code execution on the base host. Their scope, however, was limited to Ubuntu Desktop 22.04 and 21.10.
- Upgrade to the patched OpenSSH release, 9.3p2.
- Exploitation can be prevented by not using ssh-agent forwarding when connecting to hosts the user does not trust.
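As an added, defender-side example (not code from this digest or from the OpenSSH project), the Python below checks the two mitigations above on a constructed sample: it parses an `ssh -V` banner against the 9.3p2 fix level and flags Host blocks in an ssh_config that enable ForwardAgent. The config text, host names and the `audit` helper are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# OpenSSH release that carries the CVE-2023-38408 fix (from the advisory above).
FIXED_VERSION = (9, 3, 2)

# Constructed sample ~/.ssh/config; not taken from any real host.
SAMPLE_CONFIG = """\
ForwardAgent no

Host build-box
    HostName build.example.internal
    ForwardAgent yes

Host bastion*
    User ops
    forwardagent=yes   # lower-case keyword and '=' form are both legal

Host *
    ServerAliveInterval 60
"""

def parse_openssh_version(banner: str) -> Tuple[int, int, int]:
    """Turn an `ssh -V` banner such as 'OpenSSH_9.3p2, OpenSSL ...' into
    (major, minor, portable-patch); a missing 'pN' suffix counts as 0."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?", banner)
    if not m:
        raise ValueError(f"not an OpenSSH banner: {banner!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

def is_patched(banner: str) -> bool:
    # Caveat: distributions often backport the fix without bumping the upstream
    # version, so a False here means "check the package changelog", not "vulnerable".
    return parse_openssh_version(banner) >= FIXED_VERSION

def forwarding_hosts(config_text: str) -> Dict[str, str]:
    """Map each Host/Match block (or '(global)') to the ForwardAgent value when it is 'yes'.
    Keywords are case-insensitive and may be written 'key value' or 'key=value'."""
    enabled: Dict[str, str] = {}
    block = "(global)"
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key in ("host", "match"):
            block = f"{key} {value}"
        elif key == "forwardagent" and value.lower() == "yes":
            enabled[block] = value
    return enabled

def audit(banner: str, config_text: str) -> List[str]:
    """Return human-readable findings for the two mitigations listed in the digest."""
    findings = []
    if not is_patched(banner):
        ver = ".".join(map(str, parse_openssh_version(banner)))
        findings.append(f"OpenSSH {ver} is below 9.3p2: verify a backport or upgrade")
    for block in forwarding_hosts(config_text):
        findings.append(f"ForwardAgent enabled for '{block}': forward only to trusted hosts")
    return findings

if __name__ == "__main__":
    for f in audit("OpenSSH_8.9p1 Ubuntu-3ubuntu0.1, OpenSSL 3.0.2", SAMPLE_CONFIG):
        print(f)
```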
CVE-2023-20593: Cross-Process Information Leak aka “Zenbleed”
On July 24, 2023, AMD disclosed a security vulnerability (CVE-2023-20593) that affected a subset of Akamai cloud computing hosts running EPYC “Rome” CPUs. Please find more information in our recent blog post about Zenbleed.