Vulnerabilities

Atlassian Confluence Hit by New Actively Exploited Zero-Day – Patch Now

By root

Posted on October 5, 2023

Atlassian has released fixes to contain an actively exploited critical zero-day flaw impacting publicly accessible Confluence Data Center and Server instances.

The vulnerability, tracked as CVE-2023-22515, is remotely exploitable and allows external attackers to create unauthorized Confluence administrator accounts and access Confluence servers.

It does not impact Confluence versions prior to 8.0.0. Confluence sites accessed via an atlassian.net domain are also not vulnerable to this issue.

The enterprise software services provider said it was made aware of the issue by “a handful of customers.” It has been addressed in the following versions of Confluence Data Center and Server –

8.3.3 or later
8.4.3 or later, and
8.5.2 (Long Term Support release) or later

The company, however, did not disclose any further specifics about the nature and scale of the exploitation, or the root cause of the vulnerability.

Customers who are unable to apply the updates are advised to restrict external network access to the affected instances.

“Additionally, you can mitigate known attack vectors for this vulnerability by blocking access to the /setup/* endpoints on Confluence instances,” Atlassian said. “This is possible at the network layer or by making the following changes to Confluence configuration files.”

The company has also provided the following indicators of compromise (IoCs) to determine if an on-premise instance has been potentially breached –

unexpected members of the confluence-administrator group
unexpected newly created user accounts
requests to /setup/*.action in network access logs
presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory

“If it is determined that your Confluence Server/DC instance has been compromised, our advice is to immediately shut down and disconnect the server from the network/Internet,” Atlassian said.

“Also, you may want to immediately shut down any other systems which potentially share a user base or have common username/password combinations with the compromised system.”

“It’s unusual, though not unprecedented, for a privilege escalation vulnerability to carry a critical severity rating,” Rapid7’s Caitlin Condon said, adding the flaw is “typically more consistent with an authentication bypass or remote code execution chain than a privilege escalation issue by itself.”

With flaws in Atlassian Confluence instances widely exploited by threat actors in the past, it’s recommended that customers update to a fixed version immediately, or implement appropriate mitigations.

Related Items:Atlassian, Atlassian Confluence, Cloud security, server security, vulnerability

MrHacker

Latest News

U.S. Treasury Sanctions Iranian Firms and Individuals Tied to Cyber Attacks

Researchers Detail Multistage Attack Hijacking Systems with SSLoad, Cobalt Strike

eScan Antivirus Update Mechanism Exploited to Spread Backdoors and Miners

CoralRaider Malware Campaign Exploits CDN Cache to Spread Info-Stealers

Apache Cordova App Harness Targeted in Dependency Confusion Attack

Links

Pin It on Pinterest