Atlassian's Confluence Data Center and Confluence Server are currently facing zero-day vulnerability attacks due to CVE-2023-22515. While Atlassian quickly released security updates for the impacted versions, Confluence administrators should ensure that the affected versions are updated to a fixed version as Atlassian has been made aware of customers experiencing issues due to this vulnerability. Fixed versions include 8.3.3, 8.4.3, and 8.5.2.
What is CVE-2023-22515?
CVE-2023-22515 reflects two types of vulnerabilities in on-premises instances of Confluence Data Center and Server: privilege escalation and broken access control. Atlassian has released separate security advisories for each aspect of the vulnerability, though their recommended mitigation strategies remain the same in both the privilege escalation advisory and the broken access control advisory.
A privilege escalation vulnerability means that a user has more privileges or access to resources than they are authorized to have, whereas access control would typically set limitations around those privileges. Broken access control means that there is a flaw or vulnerability in the restriction and authentication setup for company data. With this vulnerability in Confluence Data Center and Confluence Server, hackers can create unauthorized Confluence administrator accounts and access Confluence instances.
While this vulnerability has been entered into the National Vulnerability Database as CVE-2023-2215, it is still awaiting analysis to determine its criticality among the Common Vulnerability Scoring System (CVSS) standards. Though this vulnerability is not ranked at the time of this publication, it will likely receive a very high CVSS score due to zero-day exploitation by unknown threat actors. Atlassian has classified this vulnerability as critical, which is the highest in their internal scale.
During the analysis, there was insufficient information to identify which Common Weakness Enumeration (CWE) weaknesses are involved in this vulnerability. Due to the type of vulnerabilities that Atlassian has identified, the CWEs for CWE-284: Improper Access Control or CWE-269: Improper Privilege Management may provide additional information about access control and privilege escalation.
CVE-2023-22515 follows an earlier Remote Code Execution (RCE) vulnerability, known as CVE-2023-22505, in the same product. The RCE vulnerability enables an authenticated attacker to achieve remote code execution, whereas this new privilege escalation vulnerability allows an attacker to create unauthorized administrator accounts. If you are running version 8.0.0 of Confluence Data Center and Server, your version remains vulnerable to RCE attacks as well as this new privilege escalation vulnerability.
To ensure that your on-prem instance remains protected against this vulnerability's attack vectors and critical privilege escalation, ensure that you upgrade to a fixed version.
Who is Impacted by CVE-2023-22515?
These vulnerabilities have been exploited by attackers to gain unauthorized access to Confluence instances for the following versions of Data Center and Server:
- 8.0.0
- 8.0.1
- 8.0.2
- 8.0.3
- 8.0.4
- 8.1.0
- 8.1.1
- 8.1.3
- 8.1.4
- 8.2.0
- 8.2.1
- 8.2.2
- 8.2.3
- 8.3.0
- 8.3.1
- 8.3.2
- 8.4.0
- 8.4.1
- 8.4.2
- 8.5.0
- 8.5.1
If you use an affected version, you can also follow Atlassian's JIRA ticket CONFSERVER-92475 and FAQ for CVE-2023-22515 for updates on the issue.
Atlassian has stated that versions before 8.0.0 and instances hosted on Atlassian Cloud (such as Atlassian Confluence sites hosted on an [.rt-script]atlassian.net[.rt-script] domain) are not currently affected. Cloudflare has also stated that they provide protection against this risk for all Cloudflare customers. Though Atlassian Cloud sites are not impacted, instances on the public internet could be at risk.
How UpGuard Can Help
UpGuard maintains a vulnerability library that includes thousands of known cybersecurity vulnerabilities. CVE-2023-22515 has been added to our vulnerability library as an informational vulnerability, which means that UpGuard can detect you are using the affected products: Confluence Data Center and Confluence Server. Search for CVE-2023-22515 in your BreachSight Vulnerabilities module and in the Vendor Risk Portfolio Risk Profile to identify what assets may be impacted.
Cross-check your version with the impacted versions to ensure that your system is protected against possible exploitation. UpGuard will continue monitoring the situation for more information on which products and versions are affected.
If you or a vendor use Confluence Data Center or Confluence Server on the public internet, you should determine whether it has been updated to a secure version. You can send a remediation request within UpGuard, which will enable the technology owner to assert the current version of the product.
How to Secure Your Confluence Instance Against CVE-2023-22515
In the security advisories, Atlassian released guidance for patching and investigating your Confluence Data Center and Server instances. Atlassian urges users running impacted versions to take the following actions immediately.
Upgrade to a Fixed Version
The following Confluence Data Center and Confluence Server versions:
- 8.3.3 or later
- 8.4.3 or later
- 8.5.2 (Long Term Support release) or later
Restrict Access to Unfixed Versions
Atlassian recommends restricting external network access if you are unable to upgrade your version to one of the fixed versions. Follow the guidance in the Mitigation section of their security advisory and block access to the [.rt-script]/setup/*[.rt-script] endpoints on your Confluence instances.
Evaluate Potential Compromise
In addition to upgrading the version, Atlassian urges users to investigate the following indicators of compromise:
- Unexpected members of the [.rt-script]confluence-administrators[.rt-script] group
- Unexpected newly created user accounts
- Requests to [.rt-script]/setup/*.action[.rt-script] in network access logs
- Presence of [.rt-script]/setup/setupadministrator.action[.rt-script] in an exception message in [.rt-script]atlassian-confluence-security.log[.rt-script] in the Confluence home directory
If you identify potential compromise, follow your internal security policy for incident response. Immediate shutdown and network disconnection may provide time to quarantine and disinfect the impacted system.
