Lucene search

K
malwarebytesMalwarebytes blogMALWAREBYTES:D798A208C9ABA1078616DD81B6E75F25
HistoryOct 12, 2023 - 4:00 a.m.

Update now! Atlassian Confluence vulnerability is being actively exploited

2023-10-1204:00:00
Malwarebytes blog
www.malwarebytes.com
45
atlassian
confluence
vulnerability
exploitation
patch
nation-state actor
security
update
software
threat
cve-2023-22515
zero-day
patch gap

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.974 High

EPSS

Percentile

100.0%

Microsoft Threat Intelligence has revealed that it has been tracking the active exploitation of a vulnerability in Atlassian Confluence software since September 14, 2023. At the time the attacks were first observed the vulnerability was a zero-day, meaning that no update was available, so defenders had “zero days” to patch the flaw.

The vulnerability has since been issued an ID, CVE-2023-22515, and rated with the highest possible severity, a CVSS score of ten. Atlassian’s October 4 advisory warns that “Publicly accessible Confluence Data Center and Server versions … are at critical risk and require immediate attention.”

If you are running Confluence Data Center or Confluence Server inside your organisation and it’s exposed to the public internet you should take steps to prevent exploitation, upgrade your software and look for evidence of compromise (take a look at the Atlassian advisory for detailed information about threat hunting).

Versions of Atlassian Confluence before 8.0.0 are not vulnerable. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue. The fixed versions of Confluence are 8.3.3 or later, 8.4.3 or later, and 8.5.2 or later.

CVE-2023-22515 is a broken access control vulnerability that allows an attacker with network access to the server to create unauthorized Confluence administrator accounts and access Confluence instances. If your Confluence software is on the public internet than the attacker has network access over the internet.

On October 10, 2023, Atlassian updated its advisory to say that it has “evidence to suggest that a known nation-state actor is actively exploiting CVE-2023-22515”.

On the same day, Microsoft Threat Intelligence took to X (formerly Twitter), to say that a nation-state actor, codenamed Storm-0062, which it believes to be a nation-state actor working on behalf of China, had been exploiting CVE-2023-22515 since mid-September.

> Microsoft has observed nation-state threat actor Storm-0062 exploiting CVE-2023-22515 in the wild since September 14, 2023. CVE-2023-22515 was disclosed on October 4, 2023. Storm-0062 is tracked by others as DarkShadow or Oro0lxy.
>
> – Microsoft Threat Intelligence (@MsftSecIntel) October 10, 2023

Although the vulnerability started as a zero-day in the hands of nation state hackers, it will likely take on a second life in the hands of less sophisticated criminals.

We are now in the “patch gap,” the period of time between a patch being available and it being applied. This creates a window of opportunity for mass exploitation, which could last months or even years. The arrival of a patch allows organisations to fix their systems, it also informs a wider group of criminals about the existence of the vulnerability. Criminals and researchers can then reverse engineer the patch to identify the problem, and then create their own code to exploit it, or wait for others to do it for them.

Proof-of-concept exploits for CVE-2023-22515 have already appeared on GitHub so there is not time to lose. How long the patch gap lasts is entirely down to how quickly organisations update their Confluence software. History suggests organisations may struggle to find the speed required. For example, one of 2022’s most routinely exploited vulnerabilities was CVE-2021-26084, a remote code execution flaw in Confluence that was discovered in the middle of the previous year.


We don't just report on vulnerabilities–we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.974 High

EPSS

Percentile

100.0%