Hackers exploit Atlassian Confluence zero-day flaw | spcilvly


The widely adopted Atlassian Confluence has been found to have a zero-day vulnerability, which could allow threat actors to create an administrator account on Confluence servers and conduct malicious activities.

This particular issue has been reported by many Atlassian customers and is known to be actively exploited by attackers. The vulnerability is currently identified as CVE-2023-22515 and has a severity of 10.0 (Critical), according to Atlassian.

CVE-2023-22515: Privilege Escalation Vulnerability

Atlassian has not yet revealed the details of this vulnerability. However, this vulnerability reportedly affects publicly accessible Confluence servers and data centers where threat actors were able to create unauthorized administrator accounts and access Confluence instances.

Document

Free Trial

Implementing “Trustifi” AI-powered email security solutions can protect your business from today’s most dangerous email threats such as tracking, blocking, modification, phishing, account takeover, business email compromise, malware and ransomware.

“Instances on the public Internet are particularly at risk, as this vulnerability can be exploited anonymously.” read Atlassian’s safety notice.

Affected products and fixed versions

Product Affected versions Fixed in versions
Confluence Data Center and Confluence Server 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.1.0, 8.1.1, 8.1.3, 8.1.4, 8.2.0, 8.2.1, 8.2.2, 8.2. 3, 8.3.0, 8.3.1, 8.3.2, 8.4.0, 8.4.1, 8.4.2, 8.5.0, 8.5.1 8.3.3 or later 8.4.3 or later 8.5.2 (long-term support release) or later

Source: Atlassian

Threat detection and mitigation

As part of mitigating this issue, Atlassian has recommended its users block access to /setup/* endpoints on Confluence instances, which can be done using the following steps:

  1. modify //confluence/WEB-INF/web.xml and add the following code block (just before the tag at the end of the file):

/setup/*
*

  1. Restart confluence

As part of threat detection, Atlassian has recommended its users check all affected Confluence instances for the following indicators of compromise:

  • Unexpected Confluence Admins Group Members
  • newly created unexpected user accounts
  • requests to /setup/*.action in network access logs
  • presence of /setup/setupadministrator.action in an exception message in Atlassian-confluence-security.log in the Confluence home directory

For additional information, you can follow Atlassian’s safety advisory, which can be found here.

Protect yourself from vulnerabilities using Patch Manager Plus to quickly patch over 850 third-party applications. Take advantage of the Free Trial to guarantee 100% security.


Leave a Reply

Your email address will not be published. Required fields are marked *