Learn CVE-2023-22515 - Broken Access Control Vulnerability

Whats CVE-2023-22515?

CVE-2023-22515 is Vulnerability in confluence Server and confluence data center, which allow for unauthorized Access. The Vulnerability is categorized as a broken control issue. An attacker can exploit the vulnerability to create an additional account with full administrative privileges. The vulnerability works by reenabling setup process for confluence server, so attacker can make new user with full administrative privileges. To understabd why this vulnerability can occurs, first we need to understand about setter and getter method in java.

What is getter and setter in java

In Java, getter and setter are methods used to get and set or update variable or attribute from instance. a getter method returns its value while a setter method sets or updates is value. getter and setters are also known as accessors and mutators.

public class Vehicle {
    private String color;

    // getter method
    public String getColor(){
        return color;
    }

    // setter method
    public void setColor(String c) {
        this.color = c;
    }
}

The getter method returns the value of the attribute, The setter method takes a parameter and assigns it to the attribute. The getter and setter have been defined, and then we can use it in our example:

public static void main(String[] args) {
    Vehicle v1 = new Vehicle();
    // setter method
    v1.setColor("Red);
    // getter method
    System.out.println(v1.getColor());
}

// Output is "Red"

How the vulnerability works?

When running confluence for the first time, you'll go through initial setup which allow you to create an administrative account. If you try to access the initial setup page again at http://ip_address:8090/setup/ you won't be able to go through the setup again but will be greeted with a message stating that the setup process is already complete.

Using the vulnerability you can go through the step of creating a new administrator all over again. This can be happen becacuse confluence is built using apache struct framework, which depends onthe XWork package, XWork allow you to define Action in the form of Java class. Each Action can be invoked through URL, and the corresponding Java class will handle the request, do whatever the Action required and emit a response.

When we access the url of the confluence server (http://ip_address:8090/) , we will be redirected to the URL which call the Action bound to a java class to handle login(http://ip_address:8090/login.action), because action corresponding to their java class we can also calling getter and setter method using url with HTTP parameter. This url will get to the attribute we want to get/set.

The exploit takes advantage of the ServerinfoAction. Which can be used to build a chain of getter/setters from it to set the configuration parameter that turns the initial setup to enabled or disabled. The ServerinfoAction class is extended from ConfluenceActionSupport class which mean it will inherit all of its methods. one of the method is a getter that return a BootstarpStatusProvider object:

public class ConfluenceActionSupport extends ActionSupport implements LocaleProvider, WebInterface, MessageHolderAware {
  public BootstrapStatusProvider getBootstrapStatusProvider() {
    if (this.bootstrapStatusProvider == null)
      this.bootstrapStatusProvider = BootstrapStatusProviderImpl.getInstance(); 
    return this.bootstrapStatusProvider;
  }
}

And then we can use BootstrapStatusProvider class because it has another getter method we can use to retrieve an ApplicationConfiguration object.

public class BootstrapStatusProviderImpl implements BootstrapStatusProvider, BootstrapManagerInternal {
  public ApplicationConfiguration getApplicationConfig() {
    return this.delegate.getApplicationConfig();
  }
}

And then we can used the ApplicationConfig class, which contain attribute that tells confluence server if the initial setp has been finish or not. This attribute can be modified by using a setter method in the ApplicationConfig class.

public class ApplicationConfig implements ApplicationConfiguration {
  public synchronized void setSetupComplete(boolean setupComplete) {
    this.setupComplete = setupComplete;
  }  
}

So, if we call

getBootstrapStatusProvider().getApplicationConfig().setSetupComplete(false)

This will effectively reenable initial setup. Putting it all together, we can call that chain of getters/setters by accesing this url:

http://ip_address:8090/server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false

then we can create administrator account by accesing this url:

http://ip_address:8090/setup/setupadministrator-start.action

Conclusion

CVE-2023-22515 is a critical vulnerability in Confluence Server and Data Center, categorized as a broken access control issue. This vulnerability allows an attacker to gain unauthorized administrative access by exploiting improper input validation in the XWork framework, which Confluence relies on. By manipulating HTTP parameters to invoke a sequence of getter and setter methods, an attacker can re-enable the initial setup process of Confluence, thereby creating a new administrative account.

Understanding the Java getter and setter methods is crucial to grasp how this exploit works. Getters and setters allow access to private attributes in Java classes. The vulnerability leverages these methods in Confluence's implementation, specifically targeting the ServerinfoAction class and its inherited methods to manipulate the application's configuration state.

By chaining getter and setter calls through specially crafted URLs, the attacker can alter the setupComplete attribute, re-triggering the setup process. This enables the creation of a new administrator account, bypassing existing security measures.