Atlassian Discloses Critical Vulnerability in Confluence Data Center & Server


Customers vulnerable to “significant data loss” if attackers exploit CVE-2023-22518, company CISO warns.

Atlassian wants customers of its Confluence Data Center and Server to immediately upgrade to new versions of the software the company has just released to protect against a critical vulnerability in the collaboration platform.

All versions affected: The vulnerability, tracked as CVE-2023-22518, affects ALL versions of Confluence Data Center and Server and gives attackers a way to steal data. The vulnerability does NOT impact customers of Atlassian’s cloud-hosted services.

Easily exploitable: Atlassian has assigned the vulnerability a severity score of 9.1 out of a maximum possible 10 on the CVSS scale. Based on its internal assessment of the flaw, the company has concluded that the vulnerability is remotely exploitable, involves low attack complexity, and requires no special user privileges or user interaction to exploit.

Significant data loss threat: “We have discovered that Confluence Data Center and Server customers are vulnerable to significant data loss if exploited by an unauthenticated attacker,” Atlassian CISO Bala Sathiamurthy said in a statement that accompanied the company’s vulnerability disclosure October 30. So far, Atlassian has observed no signs of attackers actively exploiting the flaw. “However, customers must take immediate action to protect their instances,” Sathiamurthy said.

Key takeaways
· Follow the company’s advice: Patch now, or remove Atlassian instances from the Internet until you can patch.
· Atlassian is a popular target for attackers. The last big flaw the company disclosed in Confluence Data Center and Server (CVE-2023-22515) was a zero-day bug that a nation-state actor was actively exploiting even before Atlassian disclosed the flaw and issued a fix for it on October 5, 2023. The widespread exploitation of the bug prompted the US Cybersecurity and Infrastructure Security Agency, the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC) to issue a joint advisory urging organizations to patch immediately or take their servers offline.

Update now: The company wants customers to immediately update to one of the following fixed versions of the software: 7.19.16 or later; 8.3.4 or later; 8.4.4 or later; 8.5.3 or later. Atlassian wants customers that cannot immediately patch to back up their systems and remove their instances from the Internet until they can patch. The advice applies even to Internet-accessible Atlassian instances that require user authentication.
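To check an inventory of Confluence instances against the fixed versions listed above, here is a small version checker. It is an added example, not Atlassian's code; the fixed-version list is the one quoted in this article, and treating each maintenance branch (major.minor) as fixed only from the listed release onward, with any branch not in the list needing an upgrade to a listed one, is this example's assumption rather than a statement from the advisory.

```python
"""Assess Confluence Data Center/Server versions against the CVE-2023-22518
fixed releases quoted in the article (added example, not Atlassian's code)."""
import re

# Fixed versions named in the article, keyed by maintenance branch.
# Assumption: a branch absent from this table has no listed fix and must be
# upgraded to one of the listed branches.
FIXED_VERSIONS = {
    (7, 19): (7, 19, 16),
    (8, 3): (8, 3, 4),
    (8, 4): (8, 4, 4),
    (8, 5): (8, 5, 3),
}


def parse_version(text: str) -> tuple:
    """Turn '8.5.3' (or '8.5.3-build-1') into (8, 5, 3); reject anything else."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version: str) -> str:
    """Classify one version string.

    'fixed'           at or past the fixed release for its branch
    'upgrade-branch'  the branch has a fixed release; this build is older
    'upgrade'         no fixed release listed for this branch (assumption:
                      move to a listed branch such as 8.5.3 or later)
    """
    major, minor, patch = parse_version(version)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return "upgrade"
    if (major, minor, patch) >= fixed:
        return "fixed"
    return "upgrade-branch"


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are made up.
    inventory = [("wiki-a", "8.5.3"), ("wiki-b", "8.5.2"),
                 ("wiki-c", "8.2.1"), ("wiki-d", "7.19.16-rc1")]
    for host, ver in inventory:
        print(f"{host:8} {ver:14} {assess(ver)}")
```

Anything that is not 'fixed' should be treated as exposed and handled per the advice above: patch, or back up and take the instance off the Internet until you can.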

Atlassian has not disclosed how it discovered the bug. But as background, the company has fairly robust practices in place—including a bug bounty program—to identify bugs in its products. Between July 2023 and September 2023, some 196 individual security researchers participated in Atlassian’s bug bounty program. They reported a total of 375 bugs to the company for review, of which 131 turned out to be valid bugs.