This is an advisory only and is not a notification of activity being seen on your network. This advisory is for organizations that use Atlassian Confluence Data Center and Server to support organizational collaboration activities. If your organization does not use this platform, this notification may be discarded.
Summary
Atlassian has released a patch to address a vulnerability noted in publicly accessible Confluence Data Center and Server instances which could allow a remote attacker to create an unauthorized Confluence administrator account. Security researchers have noted that they have seen this being exploited in the wild. Atlassian Cloud deployments are not affected by this vulnerability.
Atlassian recommends that clients patch their instances of Data Center and Server and then perform a review for any indicators of compromise including:
- Unexpected members of the confluence-administrators group
- Unexpected newly created user accounts
- Requests to /setup/*.action in network access logs
- Presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory
Atlassian requests that any clients who believe they were compromised, raise a support request as Atlassian assistance is required to recover and protect your instance: https://support.atlassian.com/contact
CVE-2023-22515 – Broken Access Control Vulnerability in Confluence Data Center and Server
CVSSv3: 9.8
Affected Products/Versions
Versions prior to 8.0.0 are not affected by this vulnerability.
Atlassian cloud deployments are not affected by this vulnerability.
Affected versions:8.0.0
- 8.0.1
- 8.0.2
- 8.0.3
- 8.0.4
- 8.1.0
- 8.1.1
- 8.1.3
- 8.1.4
- 8.2.0
- 8.2.1
- 8.2.2
- 8.2.3
- 8.3.0
- 8.3.1
- 8.3.2
- 8.4.0
- 8.4.1
- 8.4.2
- 8.5.0
- 8.5.1
Mitigations
Customers with Confluence Data Center and Server instances accessible to the public internet including with user authentication, should restrict external network access until you can upgrade.
If you cannot restrict external network access before your upgrade, apply the following interim measures to mitigate known attack vectors by blocking access to the /setup/* endpoints on Confluence instances. This is possible at the network layer or by making the following changes to Confluence configuration files:
****************************************************************************
On each node, modify /<confluence-install-dir>/confluence/WEB-INF/web.xml and add the following block of code (just before the </web-app> tag at the end of the file):
<security-constraint>
<web-resource-collection>
<url-pattern>/setup/*</url-pattern>
<http-method-omission>*</http-method-omission>
</web-resource-collection>
<auth-constraint />
</security-constraint>
Restart Confluence.
****************************************************************************
Upgrade to a fixed version:
- 8.3.3 or later
- 8.4.3 or later
- 8.5.2 (Long Term Support release) or later
Additional Resources
https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html
https://nvd.nist.gov/vuln/detail/CVE-2023-22515
https://www.securityweek.com/microsoft-blames-nation-state-threat-actor-for-confluence-zero-day-attacks/
