Atlassian has recently announced a patch for a new zero-day vulnerability that allows privilege escalation on affected versions of Confluence Data Center and Confluence Server. This Cybersecurity Threat Advisory explains the exploitation of this vulnerability, which could allow attackers to create unauthorized administrator accounts with access to Confluence instances. Atlassian has advised users of Confluence Data Center and Confluence Server to update to version 8.3.3 or later, 8.4.3 or later, or 8.5.2 or later to resolve the vulnerability.
What is the threat?
CVE-2023-22515 is a critical, low-complexity privilege escalation vulnerability that can be exploited without user interaction. The full details regarding the exploitation of this vulnerability have not been released; however, Atlassian advises customers who cannot update immediately to block access to the /setup/* endpoints on their Confluence instances. They have also provided the following indicators of compromise (IOCs):
- unexpected members of the confluence-administrators group
- unexpected newly created user accounts
- requests to /setup/*.action in network access logs
- presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory
Why is it noteworthy?
This vulnerability is actively being exploited in attacks on Atlassian customers. The prevalence of Confluence as well as the wealth of internal information usually stored within these services makes the vulnerability an attractive target for attackers.
What is the exposure or risk?
Any data present on the Confluence Server/Data Center instance is at risk from this vulnerability. This often includes sensitive information internal to the company. Access to this information gives an attacker more to work with when staging a subsequent attack, and an unauthorized administrator account can be used to persist in the environment. Successful exploitation can also lead to further compromise where the same username and password combinations are reused on other systems.
What are the recommendations?
Barracuda MSP recommends the following actions to limit the impact of CVE-2023-22515:
- Update Confluence Data Center and Confluence Server to version:
  - 8.3.3 or later
  - 8.4.3 or later
  - 8.5.2 or later
- If updating is not possible:
  - restrict external access to the affected instances
  - block access to the /setup/* endpoints on the affected instances (for example at the reverse proxy or network edge); treat this as a temporary mitigation, not a fix, and apply the update as soon as possible
- If you observe any of the following IOCs in your environment, contact your security administrator immediately:
  - unexpected members of the confluence-administrators group
  - unexpected newly created user accounts
  - requests to /setup/*.action in network access logs
  - presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory
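The IOC list above (and the same list under "What is the threat?") can be checked mechanically. The following is an added triage example written for this advisory; it is not tooling from Atlassian or Barracuda MSP. It assumes the reverse-proxy or Tomcat access log is in Combined Log Format, scans atlassian-confluence-security.log as free text for the /setup/setupadministrator.action string, and compares the current confluence-administrators membership against a baseline list you maintain. All log lines and usernames in the block are constructed for the demo.

```python
"""
Triage helper for the CVE-2023-22515 indicators of compromise listed in this
advisory. Added example, not tooling from Atlassian or Barracuda MSP. Assumptions:
  - access-log lines (reverse proxy or Tomcat) are in Combined Log Format
  - atlassian-confluence-security.log is scanned as free text for the string
    /setup/setupadministrator.action (the IOC is that string in an exception message)
  - confluence-administrators membership is supplied as a list of usernames and
    compared against a known-good baseline you maintain
All sample log lines and usernames below are constructed for the demo.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Combined Log Format: host ident user [ts] "METHOD path PROTO" status ...
ACCESS_LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# /setup/<anything>.action; a context path (e.g. /wiki) may precede it and a
# query string may follow it, so search rather than anchor at the start
SETUP_ACTION_RE = re.compile(r'/setup/[^?\s]*\.action(?:\?|$)')
SETUP_ADMIN_MARKER = "/setup/setupadministrator.action"


@dataclass(frozen=True)
class SetupHit:
    host: str
    ts: str
    method: str
    path: str
    status: int


def find_setup_requests(access_log_lines):
    """Return every parsed request whose path is a /setup/*.action endpoint."""
    hits = []
    for line in access_log_lines:
        m = ACCESS_LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skipped here, a production tool should count these
        if SETUP_ACTION_RE.search(m.group("path")):
            hits.append(SetupHit(m.group("host"), m.group("ts"), m.group("method"),
                                 m.group("path"), int(m.group("status"))))
    return hits


def find_security_log_hits(security_log_lines):
    """Return security-log lines that mention the setup-administrator action."""
    return [line for line in security_log_lines if SETUP_ADMIN_MARKER in line]


def unexpected_admins(current_members, baseline_members):
    """Members of confluence-administrators that are not in the known-good baseline."""
    return sorted(set(current_members) - set(baseline_members))


def triage(access_log_lines, security_log_lines, current_admins, baseline_admins):
    """Combine the three checks into one report; any non-empty field warrants escalation."""
    hits = find_setup_requests(access_log_lines)
    return {
        "setup_requests": hits,
        "setup_request_sources": Counter(h.host for h in hits),
        "security_log_hits": find_security_log_hits(security_log_lines),
        "unexpected_admins": unexpected_admins(current_admins, baseline_admins),
    }


# Constructed sample data (not captured from a real Confluence host)
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [04/Oct/2023:09:12:01 +0000] "GET /login.action HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [04/Oct/2023:09:12:05 +0000] "GET /setup/setupadministrator.action HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [04/Oct/2023:09:12:09 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - alice [04/Oct/2023:09:13:40 +0000] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '198.51.100.77 - - [04/Oct/2023:09:15:02 +0000] "GET /wiki/setup/setupadministrator.action HTTP/1.1" 200 2210 "-" "curl/8.0"',
    'garbage line that does not parse',
]
SAMPLE_SECURITY_LOG = [
    "2023-10-04 09:12:09,511 ERROR [http-nio-8090-exec-4] exception while processing /setup/setupadministrator.action",
    "2023-10-04 09:13:40,002 INFO [http-nio-8090-exec-1] user alice logged in",
]
CURRENT_ADMINS = ["admin", "alice", "svc-backup"]
BASELINE_ADMINS = ["admin", "alice"]

if __name__ == "__main__":
    report = triage(SAMPLE_ACCESS_LOG, SAMPLE_SECURITY_LOG, CURRENT_ADMINS, BASELINE_ADMINS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the real access log, security log and an export of the confluence-administrators group; any request to a /setup/*.action endpoint on an instance whose setup completed long ago, any security-log hit, or any administrator not in your baseline is grounds to escalate per the recommendations above. Note that a request being blocked (non-2xx status) is still worth recording, since it shows the endpoint was being probed.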
References
For more in-depth information about the recommendations, please visit the following links:
- https://www.jira.atlassian.com/browse/CONFSERVER-92475
- https://www.confluence.atlassian.com/kb/faq-for-cve-2023-22515-1295682188.html
- https://www.thehackernews.com/2023/10/atlassian-confluence-hit-by-newly.html
- https://www.bleepingcomputer.com/news/security/atlassian-patches-critical-confluence-zero-day-exploited-in-attacks/
If you have any questions about this Cybersecurity Threat Advisory, please contact our Security Operations Center.