On 4 October 2023, Atlassian issued a security advisory revealing potential active exploitation of a previously unknown vulnerability (CVE-2023-22515, CVSS: 10) affecting Confluence Data Center and Server instances that are on-premises. This vulnerability can enable an unauthenticated, anonymous remote threat actor to escalate privileges by creating unauthorised Confluence administrator accounts and accessing Confluence instances across multiple versions of Confluence Data Center and Server.
| Product | Affected Version |
|---|---|
| Confluence Data Center | |
| Confluence Server | |
Note: Versions prior to 8.0.0 and Atlassian Cloud sites (sites accessed via an atlassian.net domain) are not affected by CVE-2023-22515.
Atlassian first became aware of this issue when multiple customers reported the malicious activity conducted by external threat actors. At this time, Arctic Wolf has not identified a public Proof of Concept (PoC). However, it is highly likely that threat actors will develop exploits for this vulnerability in the future, given the ease of external access to these Confluence instances and the potential level of access they can achieve. Additionally, several previous Confluence vulnerabilities have been exploited by threat actors and added to CISA’s Known Exploited Vulnerability catalog.
Recommendation for CVE-2023-22515
Upgrade Confluence Data Center and Server to Fixed Versions
Arctic Wolf strongly recommends upgrading the affected Confluence products to their fixed versions (or any later versions).
| Product | Fixed Version |
|---|---|
| Confluence Data Center | |
| Confluence Server | |
Note: If an instance has already been compromised, upgrading does not remove the compromise.
Please follow your organisation’s patching and testing guidelines to avoid operational impact.
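Because upgrading does not remove an administrator account an attacker has already created, a post-patch audit of who holds Confluence administrator rights, and when each account was created, is a useful follow-up. The script below is an added example (not Arctic Wolf's or Atlassian's code); it assumes the embedded Crowd user-directory tables Confluence Server/Data Center keeps in its database (cwd_user, cwd_group, cwd_membership) and runs the query against constructed sample rows in SQLite so it can be tried offline.

```python
"""Audit which Confluence administrator accounts were created recently.

Assumes the embedded Crowd schema Confluence Server/Data Center stores in
its database (cwd_user, cwd_group, cwd_membership); check the column
names against your instance. Sample rows are constructed and loaded into
an in-memory SQLite database so the script runs offline.
"""
import sqlite3

# The same query can be run against the real database: members of
# confluence-administrators whose account was created on or after the cutoff.
ADMIN_AUDIT_SQL = """
SELECT u.user_name, u.email_address, u.created_date
FROM cwd_user u
JOIN cwd_membership m ON m.child_user_id = u.id
JOIN cwd_group g ON g.id = m.parent_id
WHERE g.group_name = 'confluence-administrators'
  AND u.active = 1
  AND u.created_date >= ?
ORDER BY u.created_date
"""

def build_sample_db():
    """Constructed sample: two long-standing users and one recently created admin."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    CREATE TABLE cwd_user (id INTEGER, user_name TEXT, email_address TEXT,
                           active INTEGER, created_date TEXT);
    CREATE TABLE cwd_group (id INTEGER, group_name TEXT);
    CREATE TABLE cwd_membership (parent_id INTEGER, child_user_id INTEGER);
    INSERT INTO cwd_group VALUES (1, 'confluence-administrators'),
                                 (2, 'confluence-users');
    INSERT INTO cwd_user VALUES
      (10, 'admin',  'admin@example.test',  1, '2022-03-01 09:00:00'),
      (11, 'jdoe',   'jdoe@example.test',   1, '2023-10-02 14:12:00'),
      (12, 'sysadm', 'sysadm@example.test', 1, '2023-10-03 02:41:17');
    INSERT INTO cwd_membership VALUES (1, 10), (2, 11), (1, 12);
    """)
    return conn

def recent_admins(conn, since):
    """Return (user_name, email, created_date) rows for admins created since `since`."""
    # ISO-formatted timestamps compare correctly as strings in SQLite.
    return conn.execute(ADMIN_AUDIT_SQL, (since,)).fetchall()

if __name__ == "__main__":
    for row in recent_admins(build_sample_db(), "2023-09-01 00:00:00"):
        print("review this administrator account:", row)
```

Any account the query returns that your change records cannot account for should be treated as evidence of compromise rather than simply deleted.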
Workarounds
For users who are unable to upgrade Confluence, Atlassian recommends restricting external network access to the affected Confluence Data Center and Server instance.
Additionally, Atlassian has published changes to Confluence configuration files that mitigate the attack vectors for CVE-2023-22515 by blocking access to specific endpoints on Confluence instances.
Further details on how to make the Confluence configuration file changes can be found in the Mitigation section of Atlassian's security advisory.