What vulnerability has Atlassian reported?

Atlassian reported a critical vulnerability in on-premises versions of Confluence Server and Confluence Data Center, enabling the creation and misuse of admin accounts by malicious actors within the enterprise collaboration software.

What is the CVE identifier for this vulnerability?

The vulnerability is tracked as CVE-2023-22515.

Which versions are affected by this vulnerability?

Versions 8.0.0 through 8.5.1 of Confluence are affected, while versions before 8.0.0 remain unaffected.

Are public-facing instances at risk?

Yes, public-facing instances are at risk, allowing anyone with access to a vulnerable deployment of Confluence to attempt exploitation and potentially gain admin-level access anonymously.

How can the vulnerability be mitigated?

One possible mitigation step is to block access to the /setup/* endpoints on Confluence instances. This can be done at the network layer or by modifying Confluence configuration files and adding specific security constraints.

Advisory

Atlassian Confluence Server critical flaw exploited by hackers

published: Oct. 4, 2023

Take action: If you are using Confluence Server/Datacenter, implement mitigation reconfiguration or block the server from internet access immediately. Then start patching, because there may be other exploitable endpoints not listed in the mitigation.

Learn More

Atlassian reported the exploitation of a critical vulnerability in on-premises versions of Confluence Server and Confluence Data Center, allowing malicious actors to create and misuse admin accounts within the enterprise collaboration software.

Tracked as CVE-2023-22515, this privilege-escalation vulnerability affects versions 8.0.0 through 8.5.1, with versions before 8.0.0 remaining unaffected.

Public-facing instances are at risk, as anyone with access to a vulnerable deployment of Confluence can attempt exploitation to gain admin-level access anonymously. A few customers have already fallen victim to this zero-day vulnerability, prompting the availability of updates to strengthen installations.

Specific details about the vulnerability and the extent of customer compromise were not disclosed to mitigate broader exploiting Atlassian confirmed that Atlassian Cloud sites were not affected.

A possible mitigation step is to block access to the /setup/* endpoints on Confluence instances. This is possible at the network layer or by making changes to Confluence configuration files.

On each node, modify /<confluence-install-dir>/confluence/WEB-INF/web.xml  and add the following block of code (just before the </web-app> tag at the end of the file):

<security-constraint>
      <web-resource-collection>
        <url-pattern>/setup/*</url-pattern>
			<http-method-omission>*</http-method-omission>
		</web-resource-collection>
      <auth-constraint />
	</security-constraint>

Restart Confluence.

Atlassian Confluence Server critical flaw exploited by hackers

Read More
SAP releases September 2024 patches for 19 security …
Nvidia reports critical flaw in Container Toolkit allowing …
Container escape vulnerabilities discovered in runC container runtime
Delinea Secret Server PAM has a critical vulnerability …
Ivanti fixes flaw in Endpoint Management that exposes …