This Cybersecurity Threat Advisory highlights a newly disclosed security flaw in Atlassian’s Confluence Data Center and Confluence Server that could result in significant data loss if exploited. Tracked as CVE-2023-22518, the vulnerability is rated 9.1 out of a maximum of 10 on the CVSS scoring system and is described by Atlassian as an “improper authorization vulnerability.”
What is the threat?
As of now, Atlassian has not published further technical details about the flaw, presumably to avoid giving threat actors a window of opportunity before customers have patched. So far there have been no reports of active exploitation in the wild.
Why is it noteworthy?
Vulnerable Confluence instances are a very common target for attackers. Earlier in October, for example, a broken access control flaw, CVE-2023-22515, was exploited by threat actors, and many other zero-day and n-day vulnerabilities in Confluence have been exploited regularly by a wide variety of attackers. For context, a zero-day vulnerability is a flaw that is exploited before the vendor knows about it or has released a patch, while an n-day vulnerability is one for which a patch already exists but has not yet been applied.
What is the exposure or risk?
All versions of Confluence Data Center and Confluence Server are affected by this vulnerability. Confluence Cloud sites, which are accessed via an atlassian.net domain, are hosted by Atlassian and are not affected. According to Atlassian’s advisory there is no impact to confidentiality, because an attacker cannot exfiltrate instance data; the risk is to integrity and availability, including significant data loss. Versions outside the support window, including those that have reached End of Life (releases the vendor no longer supports or patches), are also affected; because such releases will not receive a fix, they must be upgraded to a supported, fixed version.
What are the recommendations?
Barracuda MSP recommends taking the following actions to limit the impact of Atlassian’s Confluence vulnerability:
- Users should patch each affected installation to one of the five fixed versions (7.19.16, 8.3.4, 8.4.4, 8.5.3, or 8.6.1) or later. Installations on a release line with no fixed version (for example 8.0 through 8.2, or anything before 7.19) must be upgraded to one of the fixed lines.
- All publicly accessible on-premises instances should be upgraded immediately.
- Instances accessible to the public internet, including those with user authentication, should be restricted from external network access until they are patched.
- Admins that are currently unable to patch should back up their instances and temporarily remove them from the internet.
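To make the first recommendation actionable across an estate, the following script triages a host inventory against the fixed versions Atlassian lists for CVE-2023-22518. It is an example added to this advisory, not Atlassian tooling, and the hostnames and versions in the sample inventory are constructed. Two rules in the code are assumptions drawn from the advisory wording: "8.6.1 or later" is read as every release line newer than 8.6 containing the fix, and for a release line with no fixed version the suggested target is the nearest fixed line above it.

```python
"""Version triage for CVE-2023-22518 (Confluence Data Center / Server).

Added example for this advisory, not Atlassian tooling. The fixed versions
come from Atlassian's advisory: 7.19.16, 8.3.4, 8.4.4, 8.5.3, 8.6.1 or later.
"""
import re
from typing import Dict, Optional, Tuple

# Release line (major, minor) -> first patch level in that line that contains the fix.
FIXED_LINES: Dict[Tuple[int, int], int] = {
    (7, 19): 16,
    (8, 3): 4,
    (8, 4): 4,
    (8, 5): 3,
    (8, 6): 1,
}
# Assumption from "8.6.1 or later": every release line newer than 8.6 ships with the fix.
LATEST_FIXED_LINE = max(FIXED_LINES)

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor[.patch]'; trailing suffixes such as '-SNAPSHOT' are ignored."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Confluence version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_fixed(version: str) -> bool:
    """True if this version is one of the fixed releases or newer on its line."""
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line in FIXED_LINES:
        return patch >= FIXED_LINES[line]
    # Lines with no fixed release (anything before 7.19, and 8.0 through 8.2)
    # are vulnerable and must move to a fixed line; lines after 8.6 are fixed.
    return line > LATEST_FIXED_LINE


def upgrade_target(version: str) -> Optional[str]:
    """Smallest fixed version on the same line, or None if already fixed.

    For a line with no fixed release the nearest fixed line above it is
    suggested (assumption made for this example, e.g. 8.1.x -> 8.3.4).
    """
    if is_fixed(version):
        return None
    major, minor, _ = parse_version(version)
    line = (major, minor)
    if line in FIXED_LINES:
        return f"{major}.{minor}.{FIXED_LINES[line]}"
    nearest = min(l for l in FIXED_LINES if l > line)
    return f"{nearest[0]}.{nearest[1]}.{FIXED_LINES[nearest]}"


def triage(inventory: Dict[str, str]) -> Dict[str, Dict[str, Optional[str]]]:
    """Map host -> {'version', 'status', 'target'} for a {host: version} inventory."""
    report: Dict[str, Dict[str, Optional[str]]] = {}
    for host, version in inventory.items():
        fixed = is_fixed(version)
        report[host] = {
            "version": version,
            "status": "fixed" if fixed else "vulnerable",
            "target": upgrade_target(version),
        }
    return report


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = {
    "wiki-prod.example.internal": "8.5.2",
    "wiki-dev.example.internal": "8.6.1",
    "wiki-legacy.example.internal": "7.13.7",
    "wiki-staging.example.internal": "8.1.4",
    "wiki-new.example.internal": "8.7.1",
}

if __name__ == "__main__":
    for host, row in triage(SAMPLE_INVENTORY).items():
        action = f"upgrade to {row['target']}" if row["target"] else "no action"
        print(f"{host:32} {row['version']:8} {row['status']:10} {action}")
```

Run it against the version strings your inventory tool already collects; any host reported as vulnerable that is reachable from the internet should be taken offline or access-restricted per the recommendations above until the target version is installed.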
References
- CVE-2023-22518 – Improper Authorization Vulnerability in Confluence Data Center and Confluence Server – Atlassian Support
- Atlassian patches critical Confluence bug, urges for immediate action (CVE-2023-22518) – Help Net Security
- Atlassian Warns of New Critical Confluence Vulnerability Threatening Data Loss – The Hacker News
If you have any questions about this Cybersecurity Threat Advisory, please contact our Security Operations Center.