CVE-2023-22515: Zero-Day Vulnerability in Atlassian Confluence Data Center and Server Exploited in the Wild


A critical zero-day vulnerability in Atlassian Confluence Data Center and Server has been exploited in the wild in a limited number of cases. Organizations should patch or apply the mitigation steps as soon as possible.

Background

On October 4, Atlassian released a security advisory for CVE-2023-22515, a critical severity zero-day privilege escalation vulnerability in Confluence Data Center and Server that Atlassian says is “a previously unknown vulnerability” that has been exploited against a limited set of customers.

Analysis

CVE-2023-22515 is a critical privilege escalation vulnerability affecting on-premises Atlassian Confluence Data Center and Server products. Successful exploitation could allow an attacker to create administrator accounts and use them to access the Confluence instance. At the time this blog was published, no CVSSv3 score was included in the advisory, but according to Atlassian’s severity level ratings, this score would be in the range of 9.0 to 10.0.

While limited information is available in the security advisory and dedicated FAQ page from Atlassian, the mitigation steps do reveal the endpoint that is impacted. According to the mitigation steps, blocking network access to the /setup/* endpoints will mitigate the threat of exploitation of this vulnerability. Additionally, the advisory notes that the customers who reported being attacked by this vulnerability had their Confluence servers publicly accessible.

Atlassian confirmed that cloud instances (Confluence sites accessed with an atlassian.net domain) are not affected by this vulnerability.

Confluence remains a target for threat actors

Atlassian Confluence is a popular target for a variety of cybercriminals. In June of 2022, Atlassian published an advisory for CVE-2022-26134, another critical zero-day vulnerability affecting Confluence Server and Data Center. The remote code execution vulnerability was exploited by multiple threat actors who appear to have been operating out of China. When that advisory was published on June 2, 2022, no patches were available, only mitigation steps. However, a day later, patches were available along with a number of proof-of-concept scripts.

Proof of concept

As of October 4, no public proof-of-concept code was found for CVE-2023-22515.

Solution

Atlassian has released patches for CVE-2023-22515 and provides a list of affected versions in its advisory:

Affected Versions          Fixed Versions
Versions prior to 8.0.0    Not affected
8.0.0 – 8.0.3              Upgrade to a fixed version below
8.1.0, 8.1.3, 8.1.4        Upgrade to a fixed version below
8.2.0 – 8.2.3              Upgrade to a fixed version below
8.3.0 – 8.3.2              8.3.3 or later
8.4.0 – 8.4.2              8.4.3 or later
8.5.0, 8.5.1               8.5.2 (Long Term Support release) or later

In addition, Atlassian provides mitigation steps that can be applied if your organization cannot immediately patch this issue. We strongly recommend that you apply the patches as soon as possible to reduce your exposure to this vulnerability.

As part of its FAQ document, Atlassian outlines some indicators of potential compromise that can help organizations determine whether they may have been impacted by this vulnerability. These indicators of compromise are:

  • unexpected members of the confluence-administrator group
  • unexpected newly created user accounts
  • requests to /setup/*.action in network access logs
  • presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory
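An added example, not code from the Tenable post or from Atlassian: a small Python script that applies the two log-based indicators above (requests to /setup/*.action in access logs, and /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log) to constructed sample lines. It assumes the access log is in the common combined format fronting Confluence (adjust the regex to your reverse proxy); all log lines are constructed for illustration.

```python
import re
from collections import Counter

# Assumption: combined-format access log (reverse proxy in front of Confluence).
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Indicator from the Atlassian FAQ: any request to /setup/*.action.
SETUP_ACTION = re.compile(r'^/setup/[^?]*\.action')
# Indicator from the Atlassian FAQ: this path appearing in an exception message
# in atlassian-confluence-security.log.
SECURITY_LOG_MARKER = "/setup/setupadministrator.action"

# Constructed sample lines (not real traffic); IPs are documentation ranges.
ACCESS_LOG = """\
203.0.113.5 - - [04/Oct/2023:10:15:01 +0000] "GET /login.action HTTP/1.1" 200 4521
198.51.100.7 - - [04/Oct/2023:10:15:09 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0
203.0.113.5 - - [04/Oct/2023:10:16:22 +0000] "GET /display/DOCS/Home HTTP/1.1" 200 18342
198.51.100.7 - - [04/Oct/2023:10:16:40 +0000] "GET /setup/setupadministrator.action?x=1 HTTP/1.1" 200 1204
this line is not in access-log format and is skipped
"""
SECURITY_LOG = """\
2023-10-04 10:15:09,311 WARN [http-nio-8090-exec-4] [confluence.security] Exception: unauthorized access to /setup/setupadministrator.action
2023-10-04 10:20:00,000 INFO [http-nio-8090-exec-2] [confluence.security] user admin logged in
"""


def scan_access_log(lines):
    """Return (ip, timestamp, method, path, status) for every request to /setup/*.action."""
    hits = []
    for line in lines:
        m = ACCESS_LINE.match(line)
        if m and SETUP_ACTION.match(m.group("path")):
            hits.append((m.group("ip"), m.group("ts"), m.group("method"),
                         m.group("path"), int(m.group("status"))))
    return hits


def scan_security_log(lines):
    """Return security-log lines whose message names /setup/setupadministrator.action."""
    return [line for line in lines if SECURITY_LOG_MARKER in line]


def sources_by_hits(hits):
    """Count matching requests per source IP to prioritise triage."""
    return Counter(h[0] for h in hits)


if __name__ == "__main__":
    access_hits = scan_access_log(ACCESS_LOG.splitlines())
    for hit in access_hits:
        print("access log indicator:", hit)
    print("requests per source:", dict(sources_by_hits(access_hits)))
    for line in scan_security_log(SECURITY_LOG.splitlines()):
        print("security log indicator:", line)
```

Any hit on a patched or internet-exposed instance should be followed by the account-based checks above (unexpected confluence-administrator members and newly created users), since a single matching request is not proof of a successful login.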

Identifying affected systems

A list of Tenable plugins to identify this vulnerability can be located on the individual CVE page for CVE-2023-22515 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

Get more information

Join Tenable’s Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.