CyberSecurity SEE

Atlassian Confluence Vulnerable to Active Exploit of Critical Zero-Day Bug

A recently disclosed vulnerability in Atlassian Confluence Server and Confluence Data Center has raised concerns due to evidence of exploitation in the wild. The flaw, known as CVE-2023-22515, affects on-premises instances of the platforms, specifically versions 8.0.0 and later.

Atlassian, the company behind Confluence, released an advisory on October 4 regarding the vulnerability. They stated that a few customers had reported the issue, claiming that external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence instances. This allowed unauthorized individuals to create Confluence administrator accounts and gain access to sensitive information.

The severity of the vulnerability has not been officially scored using the Common Vulnerability Scoring System (CVSSv3). However, Atlassian’s internal severity level ratings suggest that the score would fall in the range of 9 to 10, indicating a critical security risk.

The impact of this vulnerability is significant as many organizations rely on Confluence for project management and team collaboration. This means that sensitive data related to internal projects, customers, and partners could be compromised.

What sets this vulnerability apart is that it carries a critical rating despite being a privilege escalation issue, a class that is typically not rated critical. Caitlin Condon, a researcher at Rapid7, notes that assigning such a rating to this type of flaw is unusual. The Atlassian advisory, however, clarifies that instances on the public Internet are particularly at risk and that the vulnerability can be exploited anonymously, which means the flaw is remotely exploitable, a rare circumstance. Condon observes that this profile is usually associated with authentication bypass or remote code execution rather than privilege escalation alone. She also notes that the flaw could potentially allow a regular user account to elevate to administrator status, although Confluence by default disables new user sign-ups without approval.

To address this vulnerability, Atlassian has released fixed versions, and administrators should upgrade to one of them as a priority: 8.3.3 or later, 8.4.3 or later, or 8.5.2 (Long Term Support release) or later. Atlassian recommends restricting external network access to vulnerable systems until the upgrade can be applied, and advises administrators to check all affected Confluence instances for the indicators of compromise listed in the advisory.
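Because "8.3.3 or later" does not mean 8.4.0 is safe, an inventory check has to compare within each minor branch. The following is an added example (not from the article or from Atlassian) that triages Confluence version strings against the affected and fixed releases named above; the host list is constructed, and treating branches newer than 8.5 as post-fix releases is an assumption.

```python
"""Branch-aware triage of Confluence Server/Data Center versions against
CVE-2023-22515 as described in the advisory: 8.0.0 and later are affected,
fixed in 8.3.3+, 8.4.3+ and 8.5.2+ (LTS). Added example; the inventory below
is constructed, and treating 8.6+ branches as post-fix releases is an assumption."""
from __future__ import annotations
import re

# Earliest fixed release per affected minor branch, as named in the advisory.
FIXED_IN = {(8, 3): (8, 3, 3), (8, 4): (8, 4, 3), (8, 5): (8, 5, 2)}
FIRST_AFFECTED = (8, 0, 0)

def parse_version(text: str) -> tuple[int, int, int]:
    """Extract major.minor.patch from strings such as '8.5.1' or 'Confluence 8.4.0-rc1'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or "0")

def assess(version: str) -> str:
    """Classify one instance as 'not_affected', 'vulnerable' or 'fixed'."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return "not_affected"   # releases before 8.0.0 are outside the affected range
    branch = v[:2]
    if branch in FIXED_IN:
        return "fixed" if v >= FIXED_IN[branch] else "vulnerable"
    if branch > max(FIXED_IN):
        return "fixed"          # assumption: branches after 8.5 shipped after the fix
    return "vulnerable"         # 8.0-8.2 have no fixed release; an upgrade is required

def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts by status so vulnerable ones can be isolated and patched first."""
    report: dict[str, list[str]] = {"vulnerable": [], "fixed": [], "not_affected": []}
    for host, version in sorted(inventory.items()):
        report[assess(version)].append(host)
    return report

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "wiki-prod": "8.5.1",
    "wiki-staging": "8.5.2",
    "wiki-eng": "8.4.0",
    "wiki-legacy": "7.19.14",
    "wiki-dev": "8.2.3",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:12s} {', '.join(hosts) or '-'}")
```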

Given Atlassian’s history as a target for cyber attackers, it is essential to prioritize patching. Back in June 2022, Atlassian disclosed another critical zero-day vulnerability affecting Confluence Server and Data Center (CVE-2022-26134), which involved a more typical remote code execution flaw. As a result, there were numerous exploitation attempts daily, with proof-of-concept scripts and mass exploitation spreading rapidly.

In conclusion, organizations using Atlassian Confluence Server and Confluence Data Center should take immediate action to protect their systems from the CVE-2023-22515 vulnerability. Installing the provided patch and following Atlassian’s recommendations to restrict network access and check for indicators of compromise will help mitigate the risk of unauthorized access and potential data breaches.