Atlassian has released fixes to contain an actively exploited critical zero-day flaw impacting publicly accessible Confluence Data Center and Server instances.
The vulnerability, tracked as CVE-2023-22515, is remotely exploitable and allows external attackers to create unauthorized Confluence administrator accounts and access Confluence servers.
It does not impact Confluence versions prior to 8.0.0. Confluence sites accessed via an atlassian.net domain are also not vulnerable to this issue.
The enterprise software services provider said it was made aware of the issue by “a handful of customers.” It has been addressed in the following versions of Confluence Data Center and Server -
The company, however, did not disclose any further specifics about the nature and scale of the exploitation, or the root cause of the vulnerability.
Customers who are unable to apply the updates are advised to restrict external network access to the affected instances.
“Additionally, you can mitigate known attack vectors for this vulnerability by blocking access to the /setup/* endpoints on Confluence instances,” Atlassian said. “This is possible at the network layer or by making the following changes to Confluence configuration files.”
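As an added example (not from Atlassian's advisory or this article), the following Python script scans constructed access-log lines and flags requests that reach the /setup/* endpoints the mitigation above blocks, normalizing percent-encoded or slash-padded paths before matching and reporting whether the server answered 403. The IP addresses and the `/setup/placeholder.action` path are placeholders, not real indicators.

```python
import re
from typing import Dict, List
from urllib.parse import unquote, urlsplit

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [04/Oct/2023:10:15:32 +0000] "GET /login.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Oct/2023:10:15:40 +0000] "GET /setup/placeholder.action HTTP/1.1" 200 1184 "-" "curl/8.1.2"
203.0.113.5 - - [04/Oct/2023:10:15:41 +0000] "POST /setup//placeholder.action?x=1 HTTP/1.1" 302 0 "-" "curl/8.1.2"
203.0.113.9 - - [04/Oct/2023:10:16:02 +0000] "POST /%73etup/placeholder.action HTTP/1.1" 403 0 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def normalize_path(target: str) -> str:
    """Drop the query string, percent-decode, and collapse repeated slashes,
    so encoded or padded variants of a /setup/ path compare equal."""
    path = urlsplit(target).path
    path = unquote(path)
    return re.sub(r"/+", "/", path)


def flag_setup_requests(log_text: str) -> List[Dict[str, object]]:
    """Return one record per request whose normalized path is under /setup/;
    'blocked' is True when the server answered 403 (i.e. the block held)."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = normalize_path(m["target"])
        if path.startswith("/setup/"):
            hits.append({
                "ip": m["ip"], "method": m["method"], "path": path,
                "status": m["status"], "blocked": m["status"] == "403",
            })
    return hits


if __name__ == "__main__":
    for hit in flag_setup_requests(SAMPLE_LOG):
        print(hit)
```

Requests that reach /setup/* with a non-403 status after the block is in place indicate the network or configuration change is not covering every path form.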
The company has also provided the following indicators of compromise (IoCs) to determine if an on-premise instance has been potentially breached -
“If it is determined that your Confluence Server/DC instance has been compromised, our advice is to immediately shut down and disconnect the server from the network/Internet,” Atlassian said.
“Also, you may want to immediately shut down any other systems which potentially share a user base or have common username/password combinations with the compromised system.”
“It’s unusual, though not unprecedented, for a privilege escalation vulnerability to carry a critical severity rating,” Rapid7’s Caitlin Condon said, adding the flaw is “typically more consistent with an authentication bypass or remote code execution chain than a privilege escalation issue by itself.”
With flaws in Atlassian Confluence instances widely exploited by threat actors in the past, it’s recommended that customers update to a fixed version immediately, or implement appropriate mitigations.