A zero-day vulnerability has been discovered in the widely adopted Atlassian Confluence software, which could potentially allow hackers to create admin accounts on Confluence servers and carry out malicious activities. The vulnerability, known as CVE-2023-22515, has a severity rating of 10.0 (Critical) according to Atlassian.
Reports indicate that this vulnerability is actively being exploited by attackers in the wild. Atlassian customers have reported the issue, and the company has acknowledged the seriousness of the problem. At this time, Atlassian has not disclosed the specific details of the vulnerability, but it is believed to affect publicly accessible Confluence Data Center and Confluence Server instances. Attackers have been able to create unauthorized administrator accounts and gain access to Confluence instances.
Atlassian has issued a security advisory stating that instances exposed to the public internet are particularly at risk, as the vulnerability can be exploited without authentication. The company has also provided information regarding the affected products and the versions in which the vulnerability exists. Confluence Data Center and Confluence Server versions from 8.0.0 through 8.5.1 have been identified as vulnerable. Fixed versions are 8.3.3, 8.4.3 and 8.5.2 (Long Term Support release) and later.
To mitigate the risk associated with this vulnerability, Atlassian recommends blocking access to the /setup/* endpoints on Confluence instances. This is done by editing the confluence/WEB-INF/web.xml file and adding the block of XML given in the advisory. Confluence must be restarted after the change for it to take effect.
To detect potential compromise, Atlassian advises users to check their Confluence instances for indicators of compromise. These include unexpected members in the confluence-administrators group, newly created user accounts, requests to /setup/*.action in network access logs, and the presence of /setup/setupadministrator.action in exception messages in the logs under the Confluence home directory. Any of these indicators may suggest that the vulnerability has been exploited.
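The two log-based indicators above can be checked mechanically. The following is an added example (not code from the article or from Atlassian) that scans constructed sample lines: a Tomcat-style access log for requests whose decoded path matches /setup/*.action, allowing for a context path such as /confluence, and an application log for exception lines mentioning /setup/setupadministrator.action. The log formats and sample entries are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit

# Constructed sample lines in Tomcat "combined" access-log format (not real traffic).
ACCESS_LOG = """\
203.0.113.7 - - [04/Oct/2023:10:12:01 +0000] "GET /login.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Oct/2023:10:12:15 +0000] "POST /setup/setupadministrator.action?x=1 HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.4 - - [04/Oct/2023:10:13:40 +0000] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Oct/2023:10:12:20 +0000] "GET /confluence/setup/%73etupadministrator.action HTTP/1.1" 200 1200 "-" "python-requests/2.31"
"""
# Constructed sample application-log lines (format is an assumption, not a real log).
APP_LOG = """\
2023-10-04 10:12:15,301 ERROR [http-nio-8090-exec-3] [setup.actions.SetupAdministratorAction] Exception at /setup/setupadministrator.action
2023-10-04 10:13:40,004 INFO  [http-nio-8090-exec-5] [confluence.pages.actions.ViewPageAction] page 123 rendered
"""

# Client, timestamp, request line and status from a combined-format record.
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# /setup/<anything>.action, optionally under a one-segment context path such as /confluence.
SETUP_ACTION_RE = re.compile(r'^(?:/[^/]+)?/setup/[^/]+\.action$')

@dataclass(frozen=True)
class Finding:
    source: str   # "access-log" or "app-log"
    client: str   # requesting IP, or "-" where the line carries none
    detail: str   # the matched request or exception line

def flag_setup_requests(access_log: str) -> list[Finding]:
    """One Finding per access-log request whose decoded path matches /setup/*.action."""
    findings = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue  # not a request record
        path = unquote(urlsplit(m["target"]).path)  # strip query string, undo %-encoding
        if SETUP_ACTION_RE.match(path):
            findings.append(Finding("access-log", m["client"], f'{m["method"]} {path} -> {m["status"]}'))
    return findings

def flag_setup_exceptions(app_log: str) -> list[Finding]:
    """One Finding per application-log line that mentions /setup/setupadministrator.action."""
    return [Finding("app-log", "-", line) for line in app_log.splitlines()
            if "/setup/setupadministrator.action" in line]
```

Run both functions over the real access and application logs and review every finding by client address; a hit on /setup/*.action after initial setup was completed is not expected in normal operation.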
Further information and guidance on this vulnerability can be found in the Atlassian security advisory.
It is essential for organizations using Atlassian Confluence to take immediate action to protect their systems and data. Regularly updating software and applying patches is crucial for mitigating the risk of zero-day vulnerabilities. Implementing effective security measures, such as email security solutions with AI-powered capabilities, can also help defend against email-based threats, which are often used as an entry point for attacks.
In conclusion, the discovery of this zero-day vulnerability in Atlassian Confluence highlights the ongoing challenge of protecting software systems from sophisticated attacks. It is crucial for organizations and users to stay vigilant and take proactive steps to secure their systems and data.
