Atlassian Confluence Data Center and Server Vulnerable to Critical Remote Code Execution Flaw

ICARO Media Group
17/01/2024 21h01

In a recent security update, Atlassian has revealed that its Confluence Data Center and Confluence Server are susceptible to a critical remote code execution (RCE) vulnerability. The flaw, known as CVE-2023-22527, has been rated as critical with a CVSS v3 score of 10.0.

The vulnerability affects versions released prior to December 5, 2023, including out-of-support releases. Attackers can exploit this template injection vulnerability to perform remote code execution on affected Confluence endpoints. However, Atlassian assures users that the most recent supported versions are not affected, as the vulnerability was mitigated during regular updates.

To ensure the security of their instances, Atlassian recommends that customers install the latest version of Confluence. This precautionary measure will protect their systems from non-critical vulnerabilities outlined in Atlassian's January Security Bulletin.

The RCE bug specifically impacts Confluence Data Center and Server versions 8.0.x through 8.5.3. Atlassian has already addressed this flaw in versions 8.5.4 (LTS), 8.6.0 (Data Center only), and 8.7.1 (Data Center only), which were released in December. However, it remains unclear whether the bug was quietly fixed or inadvertently addressed during the regular software development process.

It should be noted that administrators who have updated to these more recent releases are not exposed to CVE-2023-22527. However, Atlassian states that versions 8.4.5 and earlier, which are no longer supported, will not receive a security update under Atlassian's bug fix policy. Users of these versions are strongly advised to upgrade to an actively supported release as soon as possible.
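To turn the version ranges above into an inventory check, here is an added Python example (not Atlassian's code or tooling): it encodes the affected, fixed, out-of-support and not-impacted ranges exactly as the article states them and groups hosts by status. The host names and versions in the sample inventory are constructed.

```python
"""Classify Confluence Data Center/Server versions against CVE-2023-22527.

Ranges come from the bulletin as summarised above: 8.0.x through 8.5.3 are
affected; 8.5.4, 8.6.0 and 8.7.1 are fixed; 8.4.5 and earlier are out of
support and get no patch; 7.19.x LTS is not impacted.
"""
from __future__ import annotations
import re

AFFECTED_LOW = (8, 0, 0)
AFFECTED_HIGH = (8, 5, 3)
LAST_UNSUPPORTED = (8, 4, 5)
FIXED_VERSIONS = {(8, 5, 4), (8, 6, 0), (8, 7, 1)}

def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '8.5.3' (optionally with a suffix such as '-rc1') into a tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or "0"))

def classify(version: str) -> str:
    """Return 'affected', 'affected-unsupported', 'fixed', 'not-impacted'
    (7.19.x) or 'not-listed' (outside the ranges the bulletin names)."""
    v = parse_version(version)
    if v[:2] == (7, 19):
        return "not-impacted"
    if v in FIXED_VERSIONS:
        return "fixed"
    if AFFECTED_LOW <= v <= AFFECTED_HIGH:
        # 8.0.0 - 8.4.5 are affected but will receive no patch; upgrade only.
        return "affected-unsupported" if v <= LAST_UNSUPPORTED else "affected"
    return "not-listed"

# Constructed sample inventory (hostname -> reported version), not real hosts.
SAMPLE_INVENTORY = {
    "wiki-prod-01": "8.5.3",
    "wiki-prod-02": "8.5.4",
    "wiki-legacy": "8.2.1",
    "wiki-lts": "7.19.17",
    "wiki-dc": "8.7.1",
}

def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts by classification so patch work can be prioritised."""
    groups: dict[str, list[str]] = {}
    for host, ver in inventory.items():
        groups.setdefault(classify(ver), []).append(host)
    return groups

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:22s} {', '.join(hosts)}")
```

Hosts in the "not-listed" group are outside every range the bulletin names, so they still warrant a check against Atlassian's own advisory rather than being assumed safe.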

Atlassian has not provided any specific mitigation or workarounds for this particular security issue. Therefore, the recommended approach is to apply the available updates promptly.

To address concerns and provide further information, Atlassian has created a FAQ page regarding the vulnerability. Notably, Confluence LTS v7.19.x, Cloud Instances hosted by Atlassian, and other Atlassian products are not impacted by CVE-2023-22527.

For those unable to immediately install the available updates, it is advised to take the affected systems offline, back up the data to an external location, and monitor for any suspicious activity. The complexity of this flaw, with multiple entry points and the potential for chained attacks, makes it difficult to pinpoint definitive signs of exploitation.

In conclusion, Atlassian's Confluence Data Center and Server versions prior to December 5, 2023, are susceptible to a critical RCE vulnerability. Users are urged to install the latest version to safeguard their instances from any potential exploits.
