Flash Notice: Critical Privilege Escalation Vulnerability in Confluence Data Center and Server

overview

A critical vulnerability, tracked as CVE-2023-22515, has been discovered in on-premise installations of Confluence Server and Confluence Data Center. This vulnerability, categorized as a critical privilege escalation flaw (CVSS score – 10), is being actively exploited. Atlassian has not disclosed the specific origin of the vulnerability within Confluence setups, but it has noted that "/setup/*" endpoints are indicators of compromise.  

If successful, an attacker could establish Confluence administrator accounts and gain access to Confluence instances. Atlassian has confirmed that this vulnerability does not affect cloud instances (Confluence sites accessed via atlassian.net domains). Given the active exploitation in user environments, Atlassian strongly advises on-premise Confluence Server and Data Center users to promptly update to a patched version.  

Also, Atlassian’s advisory states that instances accessible on the public internet are especially vulnerable, as this vulnerability can be exploited without authentication. Please see the impacted Confluence Data Center and Server versions:  

While Atlassian does offer mitigations for CVE-2023-22515, it is strongly recommended that users upgrade to the fixed versions of Confluence Data Center and Confluence Server as soon as possible. Please note that versions prior to 8.0.0 are not affected by this vulnerability.  

avertium's recommendationS

According to Atlassian, here are the fixed versions of Confluence Data Center and Confluence Server:  

• 8.3.3 or later 
• 8.4.3 or later 
• 8.5.2 (Long Term Support release) or later 

For affected versions, Atlassian strongly recommends: 

• Upgrading to the fixed versions of Confluence Server or Data Center. 
• If unable to upgrade promptly, implement mitigations (refer to the Mitigations  section in the full advisory). 
• Engaging your security team and check for indicators of compromise (refer to the Threat Detection section in the full advisory). 

INDICATORS OF COMPROMISE (IoCs)

Atlassian has listed the following IoCs that can help organizations determine if they have been impacted by CVE-2023-22515: 

• unexpected members of the confluence-administrator group 
• unexpected newly created user accounts 
• requests to /setup/*.action in network access logs 
• presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory 

How Avertium is Protecting Our CUSTOMERS

• Fusion MXDR for Microsoft combines Avertium's Fusion MXDR approach with Microsoft Security Solutions, creating the first MDR offering that integrates all aspects of security operations into an active and threat-informed XDR solution. Leveraging Microsoft's comprehensive and cost-effective technology, Fusion MXDR for Microsoft delivers a release of cyber energy, encompassing implementation, optimization, ongoing management, and tuning. 
  
  
• Avertium offers Vulnerability Management (VM) to provide a deeper understanding and control over organizational information security risks.  If your enterprise is facing challenges with the scope, resources, or skills required to implement a vulnerability management program with your team, outsourced solutions can help you bridge the gap.  

• Avertium recommends utilizing our service for DFIR (Digital Forensics and Incident Response) to help you rapidly assess, contain, eradicate, and recover from a security incident like a malware attack. 
  
  
• Note: We highly value your feedback. Kindly spare a moment to complete our feedback form, allowing us to enhance our services for our valued customers. 

SUPPORTING DOCUMENTATION