A critical privilege-escalation vulnerability in Atlassian Confluence Server and Confluence Data Center has been disclosed, with evidence of exploitation in the wild as a zero-day bug.
The flaw (CVE-2023-22515) affects on-premises instances of the platforms, in versions 8.0.0 and after.
“Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances,” according to Atlassian’s advisory on CVE-2023-22515, released late on Oct. 4.
Atlassian didn’t provide a CVSSv3 score, but according to its internal severity level ratings, the score would be in the range of 9 to 10.
The stakes are high. Many organizations use Confluence for project management and collaboration among teams scattered across on-premises and remote locations. Confluence environments often house sensitive data on internal projects as well as on an organization's customers and partners.
An Unusual Critical Rating: Remotely Exploitable Privilege Escalation?
The critical designation is a fairly rare one for privilege escalation issues, Rapid7 researcher Caitlin Condon pointed out in an alert on the Confluence bug.
However, the Atlassian advisory goes on to note that “instances on the public Internet are particularly at risk, as this vulnerability is exploitable anonymously,” indicating that it’s remotely exploitable, she explained — a rare situation. She noted that the critical rating is “typically more consistent with an authentication bypass or remote code-execution chain than a privilege-escalation issue by itself.”
However, Condon added, “It’s possible that the vulnerability could allow a regular user account to elevate to admin — notably, Confluence allows for new user sign-ups with no approval, but this feature is disabled by default.”
Patch Now: Confluence a Top Target for Cyberattackers
Atlassian has issued a patch; fixed versions are: 8.3.3 or later; 8.4.3 or later; and 8.5.2 (Long Term Support release) or later.
As for other protection options, Atlassian doesn’t specify where the bug resides or any other technical details, though it does note that known attack vectors can be mitigated by blocking access to the /setup/* endpoints on Confluence instances, which is a good indicator of where the problem lies.
Admins should restrict external network access to vulnerable systems until they can be upgraded, and Atlassian recommends checking all affected Confluence instances for the indicators of compromise (IoCs) listed in the advisory.
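As a defender's follow-up to the mitigation above, here is an added example (not from the article, Atlassian or Rapid7) that scans web-server access logs in Combined Log Format for any request to the /setup/* endpoints the advisory says to block, so an admin can see whether the instance was probed before the block went in. The sample log lines are constructed; the client addresses and the paths under /setup/ are placeholders, not indicators from the advisory.

```python
import re
from collections import Counter

# Apache/nginx Combined Log Format: client, identity, user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Requests under /setup/ are what the advisory recommends blocking; on a production
# instance whose setup finished long ago, any such request deserves a closer look.
WATCH_PREFIX = "/setup/"

def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop any query string so '/setup/x.action?y=1' still matches the prefix.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec

def find_setup_requests(lines):
    """Return parsed records for every request whose path starts with /setup/."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].startswith(WATCH_PREFIX):
            hits.append(rec)
    return hits

def summarize_by_source(hits):
    """Count flagged requests per client IP, most active first."""
    return Counter(h["ip"] for h in hits).most_common()

# Constructed sample lines: placeholder IPs and paths, not indicators from the advisory.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Oct/2023:02:13:44 +0000] "GET /setup/placeholder-step.action HTTP/1.1" 200 512 "-" "curl/8.1"
198.51.100.4 - - [05/Oct/2023:02:14:01 +0000] "GET /display/HOME HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Oct/2023:02:14:09 +0000] "POST /setup/placeholder-step.action?x=1 HTTP/1.1" 302 0 "-" "curl/8.1"
192.0.2.9 - - [05/Oct/2023:02:15:30 +0000] "GET /setup/another-placeholder.action HTTP/1.1" 403 0 "-" "python-requests/2.31"
garbage line that does not parse
"""

if __name__ == "__main__":
    found = find_setup_requests(SAMPLE_LOG.splitlines())
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print("by source:", summarize_by_source(found))
```

A 403 on a /setup/ path (the last sample line) shows the block working but still records that someone tried, which is the point of keeping the scan in place after mitigation.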
Patching should be top-of-mind; Atlassian is a known target for cyberattackers, as evidenced by the current zero-day exploitation, but there’s also further precedent. In June 2022, Atlassian disclosed another critical zero-day vulnerability affecting Confluence Server and Data Center (CVE-2022-26134), this one a more typical remote code execution vulnerability. Proof-of-concept scripts and mass exploitation quickly followed the disclosure, peaking at 100,000 exploitation attempts daily.