Atlassian Confluence Hit by New Actively Exploited Zero-Day – Patch Now

Cyber Security Threat Summary:
vulnerability in its Confluence Data Center and Server software. Tracked as CVE-2023-22515, the flaw relates to a case of privilege escalation. Although Atlassian did not specify the root cause of this flaw, the vulnerability could allow a regular user account to elevate to admin. The software vendor was made aware of an issue after receiving reports from its customers. According to Atlassian external attackers may have exploited the vulnerability in “publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances.”

Security Officer Comments:
CVE-2023-22515 impacts the following versions of Confluence Server and Data Center

  • 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.1.0, 8.1.1, 8.1.3, 8.1.4, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.3.0, 8.3.1, 8.3.2, 8.4.0, 8.4.1, 8.4.2, 8.5.0, and 8.5.1
The flaw has been addressed in versions 8.3.3 or later, 8.4.3 or later, and 8.5.2 or later

Versions prior to 8.0.0 are not affected. Furthermore, Atlassian states that its confluence sites accessed via an atlassian.net domain are also not impacted.

Suggested Correction(s):
Besides applying patches, Atlassian says administrators can mitigate known attack vectors for this vulnerability by blocking access to the /setup/* endpoints on Confluence instances. This is possible at the network layer or by making the following changes to Confluence configuration files. The company also recommends checking all affected Confluence instances for the following indicators of compromise:
  • unexpected members of the confluence-administrators group
  • unexpected newly created user accounts
  • requests to /setup/*.action in network access logs
  • presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory
Link(s):
https://thehackernews.com/2023/10/atlassian-confluence-hit-by-newly.html