Patch Now: Atlassian Discloses Zero-Day Bug in Confluence Data Center and Server


Several customers have reported attackers exploiting the vulnerability to create unauthorized Confluence administrator accounts and to access Confluence instances, company says.

Atlassian wants organizations using its on-premises Confluence Data Center and Confluence Server content collaboration software to immediately update to new versions the company released today, which address a critical privilege escalation vulnerability that attackers are already actively exploiting.

Under Active Attack

The zero-day vulnerability, tracked as CVE-2023-22515, affects Confluence Data Center and Confluence Server versions 8.0.0 through 8.5.1. Atlassian recommends that organizations running affected versions upgrade to 8.3.3 or later, 8.4.3 or later, or 8.5.2 or later. The fixed versions are available from Atlassian's download center.

Those that cannot upgrade immediately should, as a temporary mitigation, restrict external network access to the affected instance, Atlassian advised. The mitigation guidance section of the company's advisory also explains how to block access to the /setup/* endpoints on affected Confluence instances.

“Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances,” the vendor said.

Quick Take
A privilege escalation vulnerability (CVE-2023-22515) is present in versions 8.0.0 through 8.5.1 of Atlassian Confluence Server and Confluence Data Center.

Attackers are already actively exploiting the flaw. Atlassian customers have reported instances where threat actors leveraged it to create unauthorized Confluence admin accounts and to access Confluence instances illegally.

Organizations using affected versions should immediately update Confluence Data Center and Confluence Server to 8.3.3 or later, 8.4.3 or later, or 8.5.2 or later. The updated software is available from Atlassian's download center.

If you can't update immediately, implement the recommendations in the mitigation guidance section of Atlassian's advisory.

“Instances on the public internet are particularly at risk, as this vulnerability is exploitable anonymously,” Atlassian warned. Customers of Atlassian Cloud are not affected by the vulnerability.

Cause Unknown

Atlassian has not specified the cause of the vulnerability or where precisely it lies in Confluence. But the language in Atlassian's advisory implies that attackers can exploit the flaw remotely, Rapid7's head of threat research Caitlin Condon said in a blog Oct. 4. Remote exploitability is more typical of an authentication bypass or a remote code execution (RCE) chain than of a privilege escalation bug, Condon noted. “It’s possible that the vulnerability could allow a regular user account to elevate to admin — notably, Confluence allows for new user sign-ups with no approval, but this feature is disabled by default,” she said.

Organizations using affected Atlassian Confluence instances would do well to heed the company’s advice and patch or mitigate against the threat as soon as possible. Last year, when Atlassian announced a similar zero-day bug in Confluence Server (CVE-2022-26134), attackers jumped on it quickly to distribute ransomware, cryptominers and other malware.