THE THREAT
Atlassian has unveiled details concerning an actively exploited privilege escalation vulnerability; the company was made aware of the issue after multiple incident reports from Atlassian customers.
The vulnerability, CVE-2023-22515 (CVSS: 10), is found in the Confluence Data Center and Server. Threat actors can exploit this vulnerability to create unauthorized Confluence administrator accounts and gain access to Confluence instances.
This is an on-prem/self-managed vulnerability, and the Atlassian advisory states, “If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.” Threat actors exploited the vulnerability before security patches were released. Furthermore, limited technical details on the vulnerability and impacted products are now public. Given these circumstances, organizations must ensure that impacted devices receive the necessary security patches immediately.
What we’re doing about it
- eSentire Managed Vulnerability Service (MVS) will add the relevant plugins to identify CVE-2023-22515 as they become available
- The eSentire Threat Intelligence team is actively tracking this vulnerability for additional details and detection opportunities
What you should do about it
- Ensure that your Confluence Data Center and Server are updated with the latest security patches
- Specifically, Confluence Data Center and Server versions should be 8.3.3 or later, 8.4.3 or later, and 8.5.2 (Long Term Support release) or later
- Engage with Atlassian or your software vendors to confirm if your Confluence site is vulnerable and if security patches have been rolled out
- If patching is not immediately possible, Atlassian recommends restricting external access to vulnerable instances OR block access to /setup/* endpoints on Confluence instances
- Review vulnerable instances for signs of compromise such as:
- Recent and unexpected additions to the confluence administrator group
- Newly created user accounts
- Unexpected requests to /setup/*.action in network access logs
- The presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory
Additional information
On October 4th, 2023, Atlassian released an advisory for their Confluence product. Atlassian has proactively addressed the issue, but the vulnerability's exploitation, before the release of security patches, is concerning.
The Confluence platform, developed by Atlassian, is used in many organizations for documentation and collaboration. Given its widespread use, the eSentire Threat Intelligence team assesses attacks related to CVE-2023-22515 will continue to be exploited in the future. Additionally, Atlassian-hosted instances have been patched and are not impacted, as of October 4th. Atlassian recommends that on-premises Confluence Server and Data Center customers update to a fixed version immediately or else implement mitigations. The advisory notes, "Instances on the public internet are particularly at risk, as this vulnerability is exploitable ‘anonymously’.”
Atlassian has acknowledged the exploitation but hasn't disclosed the specifics of the attacks. There's public speculation regarding the potential culprits, but no concrete evidence has been presented. The vulnerability's public details, combined with the attention it has garnered, suggest that other threat groups might exploit it in the near future.
References:
[1] https://jira.atlassian.com/browse/CONFSERVER-92475
[2] https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html
