Atlassian has recently addressed a critical zero-day vulnerability, known as CVE-2023-22515, that affects Confluence Data Center and Server instances.

This vulnerability is remotely exploitable and allows external attackers to create unauthorized Confluence administrator accounts and gain access to Confluence servers.

It’s important to note that this vulnerability only impacts Confluence versions 8.0.0 and later. Confluence sites accessed through an atlassian.net domain are not vulnerable to this issue.

Atlassian became aware of the vulnerability through reports from a few customers. The following versions of Confluence Data Center and Server have been updated to address the issue:

· 8.3.3 or later.
· 8.4.3 or later.
· 8.5.2 (Long Term Support release) or later.

However, Atlassian has not disclosed specific details about the nature and scale of the exploitation or the root cause of the vulnerability.

For customers who are unable to apply the updates, Atlassian advises restricting external network access to the affected instances. Additionally, known attack vectors for this vulnerability can be mitigated by blocking access to the /setup/* endpoints on Confluence instances. This can be done at the network layer or by modifying Confluence configuration files.

Atlassian has also provided indicators of compromise (IoCs) to help determine whether an on-premises instance has potentially been breached. These indicators include unexpected members of the confluence-administrator group, unexpected newly created user accounts, requests to /setup/*.action in network access logs, and the presence of /setup/setupadministrator.action in an exception message in the atlassian-confluence-security.log file in the Confluence home directory.
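As an added example (not code from Atlassian or from the original post), the following Python script applies the two log-based indicators above to log data: it flags requests to /setup/*.action in an access log and lines of the security log that mention /setup/setupadministrator.action. The sample log lines are constructed, the access-log layout is assumed to be Tomcat's common log format, and only the substring the advisory names is relied on in the security log.

```python
import re

# Constructed sample access-log lines (Tomcat common log format is assumed;
# the real layout depends on the instance's logging configuration).
ACCESS_LOG = """\
203.0.113.7 - - [04/Oct/2023:10:12:01 +0000] "GET /login.action HTTP/1.1" 200 5120
203.0.113.7 - - [04/Oct/2023:10:12:05 +0000] "GET /server-info.action HTTP/1.1" 200 2210
203.0.113.7 - - [04/Oct/2023:10:12:09 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0
198.51.100.22 - - [04/Oct/2023:10:13:00 +0000] "GET /display/DOCS/Home HTTP/1.1" 200 9811
"""

# Constructed sample lines standing in for atlassian-confluence-security.log;
# only the substring named in the advisory is relied on, not the surrounding format.
SECURITY_LOG = """\
2023-10-04 10:12:09,113 WARN [http-nio-8090-exec-3] (constructed) Exception while handling /setup/setupadministrator.action
2023-10-04 10:15:42,001 INFO [http-nio-8090-exec-5] (constructed) login succeeded for user jdoe
"""

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# /setup/<name>.action, tolerating a context path before /setup/ and a query string after it.
SETUP_ACTION_RE = re.compile(r"/setup/[^\s?/]+\.action(?=$|\?)")


def find_setup_requests(access_log: str) -> list[dict]:
    """Return one record per request whose path is a /setup/*.action endpoint."""
    hits = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue  # skip lines in an unexpected format rather than mis-parse them
        ip, ts, method, path, status = m.groups()
        if SETUP_ACTION_RE.search(path):
            hits.append({"ip": ip, "time": ts, "method": method, "path": path, "status": int(status)})
    return hits


def find_security_log_hits(security_log: str) -> list[str]:
    """Return security-log lines that mention the setup-administrator action."""
    return [ln for ln in security_log.splitlines() if "/setup/setupadministrator.action" in ln]


if __name__ == "__main__":
    for hit in find_setup_requests(ACCESS_LOG):
        print(f"[access log] {hit['ip']} {hit['method']} {hit['path']} -> {hit['status']} at {hit['time']}")
    for ln in find_security_log_hits(SECURITY_LOG):
        print(f"[security log] {ln}")
```

A hit from either function is a trigger to review the confluence-administrator group membership and recently created accounts, which this script cannot check from logs alone.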

If it is determined that a Confluence Server/DC instance has been compromised, Atlassian advises immediately shutting down and disconnecting the server from the network/Internet. Additionally, any other systems that potentially share a user base or have common username/password combinations with the compromised system should also be shut down.

Privilege escalation vulnerabilities do not usually carry a critical severity rating on their own. Rapid7’s Caitlin Condon suggests that when they do, they are usually associated with an authentication bypass or a remote code execution chain. Given the history of threat actors exploiting flaws in Atlassian Confluence instances, customers are strongly advised to update to a fixed version or implement the mitigations above as soon as possible.
