Another critical Confluence vulnerability - patch ASAP
Take action: If you are still running Confluence Server or Data Center, block it from the Internet and patch immediately. Then start planning to retire it in the medium term, since Atlassian ends support for the server version of Confluence on February 14th, 2024.
Atlassian has issued an urgent warning to enterprise administrators regarding a critical security vulnerability in its on-premise Confluence Data Center and Server products.
The flaw, tracked as CVE-2023-22518 (CVSS score 9.1, later rescored to 10), is an improper authorization vulnerability that can result in significant data loss when exploited by an unauthenticated attacker. No detailed information has been provided about the nature of the exploit.
Update - as of 7th of November, active ransomware and other cyberattacks against unpatched Atlassian Confluence Data Center and Server instances have driven the CVSS score of this vulnerability up from its original 9.1 to 10.
The score was raised "due to a change in scope of the attack," according to the Atlassian advisory, which added that active exploits against the bug, including ransomware, have now been observed.
The flaw affects all versions of Confluence Data Center and Server prior to versions 7.19.16, 8.3.4, 8.4.4, 8.5.3, and 8.6.1.
Versions that have reached their End of Life might also be vulnerable.
Atlassian has recommended upgrading to the patched versions or later. It has also clarified that Atlassian Cloud sites (those accessed via the atlassian.net domain) are not affected by this vulnerability.
As a precautionary measure, and at a time when no exploitation had yet been reported, the company advised that all publicly accessible on-prem instances be upgraded immediately. Administrators who cannot patch promptly should back up their instance and temporarily remove it from the Internet or restrict external network access.
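To turn the affected-version list above into a quick inventory check, here is an added example (not code from Atlassian or the original post) that compares a Confluence version string against the fixed releases named in the advisory; it treats branches with no fixed release (everything before 7.19, and 8.0 to 8.2) as vulnerable, which matches the note that End of Life versions may also be affected. Hostnames and versions in the sample inventory are constructed.

```python
# Fixed versions per release branch, as listed in the advisory.
from typing import Dict, Optional, Tuple

FIXED_VERSIONS = ["7.19.16", "8.3.4", "8.4.4", "8.5.3", "8.6.1"]

def parse_version(s: str) -> Tuple[int, ...]:
    """Turn '8.5.3' into (8, 5, 3) so versions compare numerically."""
    return tuple(int(p) for p in s.strip().split("."))

def fixed_version_for(version: str) -> Optional[str]:
    """Fixed release in this version's x.y branch, or None when the branch
    has no fix (7.18 and older, 8.0 to 8.2) and a branch upgrade is needed."""
    branch = parse_version(version)[:2]
    for fixed in FIXED_VERSIONS:
        if parse_version(fixed)[:2] == branch:
            return fixed
    return None

def is_vulnerable(version: str) -> bool:
    """True when the version predates the fix for its branch. Branches with
    no fix count as vulnerable; branches newer than 8.6 count as fixed."""
    v = parse_version(version)
    fixed = fixed_version_for(version)
    if fixed is not None:
        return v < parse_version(fixed)
    return v[:2] < parse_version(FIXED_VERSIONS[-1])[:2]

def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host in a {host: version} inventory to an action."""
    advice = {}
    for host, version in inventory.items():
        if not is_vulnerable(version):
            advice[host] = "fixed"
            continue
        target = fixed_version_for(version) or "a fixed release in a supported branch"
        advice[host] = f"VULNERABLE: restrict access, back up, upgrade to {target}"
    return advice

if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {"wiki-a": "7.19.15", "wiki-b": "8.2.0", "wiki-c": "8.5.3", "wiki-d": "8.7.0"}
    for host, action in triage(sample).items():
        print(f"{host}: {action}")
```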
It's worth noting that vulnerabilities in Confluence Data Center and Server have historically been targeted by attackers. Earlier in the month, Atlassian released patches for another critical flaw, CVE-2023-22515, which was exploited by a state-backed threat actor. Moreover, that earlier vulnerability was used to attack a crime group's website on the dark web.