On October 31, 2023, Atlassian issued a security advisory about a critical vulnerability that affected all versions of Confluence Data Center and Server. The improper authorization vulnerability is tracked as CVE-2023-22518 and was assigned a CVSS severity score of 9.1 out of 10. Successful exploitation of the vulnerability allows an unauthenticated attacker to reset Confluence and create a Confluence instance administrator account. The account can be used to perform all administrative actions available leading to a full loss of confidentiality, integrity, and availability.
On Thursday last week, Atlassian issued an update confirming that an exploit for the vulnerability had been found in the public domain, although at the time there had been no reports to indicate the exploit had been used. On November 6, 2023, Atlassian issued a further update confirming there are several active exploits and there have been reports of them being used by ransomware gangs. Atlassian has now escalated the vulnerability from CVSS 9.1 to the maximum score of 10 due to the change in the scope of the attack and has issued an urgent advisory to all customers to take immediate action to address the vulnerability before it is exploited.
Atlassian says publicly accessible Confluence Data Center and Server versions are at critical risk and require immediate attention. Users are required to immediately patch all affected installations to a fixed version.
Fixed Atlassian Confluence Data Center and Server Versions
- 7.19.16
- 8.3.4
- 8.4.4
- 8.5.3
- 8.6.1
Atlassian has suggested temporary mitigations if the patch cannot be immediately applied:
- Back up your instance
- Remove the instance from the Internet until the patch can be applied, if possible
- If it is not possible to restrict external network access or patch, the following interim measures can be used to mitigate known attack vectors by blocking access on the following endpoints on Confluence instances:
- /json/setup-restore.action
- /json/setup-restore-local.action
- /json/setup-restore-progress.action
After applying the patch/mitigations, security teams should check all affected Confluence instances for evidence of compromise since the flaw may have already been exploited. Atlassian suggests the following:
- loss of login access to the instance
- requests to /json/setup-restore* in network access logs
- installed unknown plugins
- we’ve observed reports of a malicious plugin named web.shell.Plugin
- encrypted files or corrupted data
- unexpected members of the confluence-administrators group
- unexpected newly created user accounts