CVE-2023-22515: Zero-Day Privilege Escalation in Confluence Server and Data Center

On October 4, 2023, Atlassian published a security advisory on CVE-2023-22515, a critical vulnerability affecting on-premises instances of Confluence Server and Confluence Data Center. CVE-2023-22515 was originally announced as a privilege escalation vulnerability, but was later changed to a broken access control flaw. Atlassian does not further specify the root cause of the vulnerability or where exactly the flaw resides in Confluence implementations, though the indicators of compromise include mention of the /setup/* endpoints.

The advisory indicates that “Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances.”

When we initially published this blog, we remarked that it was unusual, though not unprecedented, for a privilege escalation vulnerability to carry a critical severity rating. Atlassian’s advisory implies that the vulnerability is remotely exploitable, which is typically more consistent with an authentication bypass or remote code execution chain than a privilege escalation issue by itself. It’s possible that the vulnerability could allow a regular user account to elevate to admin — Confluence allows for new user sign-ups with no approval, but this feature is disabled by default.

Update: Rapid7’s research team has identified and triggered the vulnerability, which is fully unauthenticated and trivially exploitable. For whatever reason, we did not observe the same exception message that Atlassian mentioned in their FAQ. Based on our analysis, it’s likely that there are other avenues of attack in addition to the creation of a new admin user. Notably, our team leveraged the /server-info.action endpoint, which Atlassian did not mention in their IOCs.

Since CVE-2023-22515 has been exploited in user environments, Atlassian recommends that on-premises Confluence Server and Data Center customers update to a fixed version immediately, or else implement mitigations. The advisory notes that “Instances on the public internet are particularly at risk, as this vulnerability is exploitable anonymously.” Indicators of compromise are included in the advisory and are reproduced in the Mitigation guidancesection below.

Affected Products

The following versions of Confluence Server and Data Center are affected:

• 8.0.0
• 8.0.1
• 8.0.2
• 8.0.3
• 8.0.4
• 8.1.0
• 8.1.1
• 8.1.3
• 8.1.4
• 8.2.0
• 8.2.1
• 8.2.2
• 8.2.3
• 8.3.0
• 8.3.1
• 8.3.2
• 8.4.0
• 8.4.1
• 8.4.2
• 8.5.0
• 8.5.1

Versions prior to 8.0.0 are not affected by this vulnerability. Atlassian Cloud sites are not affected by this vulnerability. Confluence sites accessed via an atlassian.net domain are hosted by Atlassian and are not vulnerable to this issue.

Fixed versions:

• 8.3.3 or later
• 8.4.3 or later
• 8.5.2 (Long Term Support release) or later

For more information, refer to the Atlassian advisory and release notes.

Mitigation guidance

On-prem Confluence Server and Confluence Data Center customers should upgrade to a fixed version immediately, restricting external network access to vulnerable systems until they are able to do so. The Atlassian advisory says that known attack vectors can be mitigated by blocking access to the /setup/* endpoints on Confluence instances. Directions on doing this are in the advisory.

Atlassian recommends checking all affected Confluence instances for the following indicators of compromise:

• Unexpected members of the confluence-administrator group
• Unexpected newly created user accounts
• Requests to /setup/*.action in network access logs
• Presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory

As mentioned earlier, the Rapid7 team was able to identify and trigger the vulnerability. In doing so, we leveraged the /server-info.action endpoint, which Atlassian did not mention in their IOCs.

Rapid7 customers

InsightVM and Nexpose customers will be able to assess their exposure to CVE-2023-22515 with a remote version-based vulnerability check expected to be available in today’s (October 4) content release.

Updates

October 5, 2023: Updated to note that the Rapid7 team has identified and triggered the vulnerability, which is trivially exploitable. Our team leveraged the /server-info.action endpoint, which has been added to the IOCs above.

October 6, 2023: Updated to note that Atlassian has changed their description of the vulnerability from "privilege escalation" to "broken access control."

Download Rapid7’s 2023 Mid-Year Threat Report ▶︎