Several customers have reported attackers exploiting the vulnerability to create unauthorized Confluence administrator accounts and to access Confluence instances, company says.
Atlassian wants organizations using its on-premises Confluence Data Center and Server content collaboration software to immediately update to new versions that the company released today to address a critical privilege escalation vulnerability that attackers are already actively exploiting.
Under Active Attack
The zero-day vulnerability, assigned CVE-2023-22515, affects versions of Confluence Data Center and Confluence Server from 8.00 through 8.5.1. Atlassian recommends that organizations running affected versions upgrade to Confluence Data Center and Confluence Server version 8.3.3 or later, 8.4.3 or later, or 8.5.2 or later. The latest versions are available from Atlassian’s download center.
Those that cannot upgrade immediately should, as a temporary mitigation, restrict external network access to the affected instance, Atlassian advised. The mitigation guidance section of the company’s advisory also explains how organizations can block access to the /setup/* endpoints on affected Confluence instances to reduce exposure to the threat.
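A defender who applies the /setup/* block will want to know whether those endpoints were reached before the rule went in. The following Python check is an added example, not code from Atlassian or from this article: it scans reverse-proxy access logs (assumed to be in Apache/Nginx combined log format) for requests under /setup/ that were not rejected, and tallies them per source address. The log lines and paths in it are constructed.

```python
import re
from collections import Counter

# Assumption: a reverse proxy in front of Confluence writes Apache/Nginx combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
SETUP_PREFIX = "/setup/"  # the endpoint family Atlassian advises blocking

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["path"] = entry["path"].split("?", 1)[0]  # drop query string before matching
    return entry

def is_setup_request(entry):
    """True when the request path falls under /setup/, whatever the HTTP method."""
    return entry["path"].startswith(SETUP_PREFIX)

def find_setup_hits(lines):
    """Return (hits, per_ip) for requests under /setup/ that were NOT rejected.
    A 4xx/5xx response means a block rule or an error already stopped the request,
    so only 2xx/3xx responses are treated as hits worth investigating."""
    hits = [e for e in map(parse_line, lines)
            if e and is_setup_request(e) and e["status"] < 400]
    return hits, Counter(e["ip"] for e in hits)

# Constructed sample log lines; addresses are documentation ranges, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Oct/2023:10:15:02 +0000] "GET /setup/some-setup-page.action HTTP/1.1" 200 5123 "-" "curl/8.1"',
    '198.51.100.9 - - [04/Oct/2023:10:15:10 +0000] "GET /login.action HTTP/1.1" 200 8810 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [04/Oct/2023:10:15:31 +0000] "POST /setup/some-setup-page.action?x=1 HTTP/1.1" 302 0 "-" "curl/8.1"',
    '192.0.2.5 - - [04/Oct/2023:11:02:44 +0000] "GET /setup/some-setup-page.action HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    'this line is not in combined log format',
]

if __name__ == "__main__":
    hits, per_ip = find_setup_hits(SAMPLE_LOG)
    for e in hits:
        print(f'{e["ts"]} {e["ip"]} {e["method"]} {e["path"]} -> {e["status"]}')
    print("requests under /setup/ per source IP:", dict(per_ip))
```

Any hit on an instance that is past initial setup deserves a follow-up check of the user directory for administrator accounts nobody recognises.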
“Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances,” the vendor said. Atlassian said it learned of the attacks from a handful of customers who reported attackers exploiting the flaw to create unauthorized Confluence admin accounts and gain unauthorized access to Confluence instances.
“Instances on the public internet are particularly at risk, as this vulnerability is exploitable anonymously,” Atlassian warned. Customers of Atlassian Cloud are not affected by the vulnerability.
Cause Unknown
Atlassian has not specified the cause of the vulnerability or where precisely it is present in Confluence. But the language in Atlassian’s advisory implies that attackers can exploit the flaw remotely, Rapid7’s head of threat research Caitlin Condon said in an Oct. 4 blog post. Remote code execution (RCE) issues are typically associated with authentication bypass or RCE chains, rather than with a privilege escalation bug, Condon noted. “It’s possible that the vulnerability could allow a regular user account to elevate to admin — notably, Confluence allows for new user sign-ups with no approval, but this feature is disabled by default,” she said.
Organizations using affected Atlassian Confluence instances would do well to heed the company’s advice and patch or mitigate against the threat as soon as possible. Last year, when Atlassian announced a similar zero-day bug in Confluence Server (CVE-2022-26134), attackers jumped on it quickly to distribute ransomware, cryptominers and other malware.