Atlassian Confluence Hit by New Actively Exploited Zero-Day – Patch Now

The Hacker News (thehackernews.com), Oct 05, 2023, 03:28

EPSS: 0.974 (99.9th percentile)


Atlassian has released fixes to contain an actively exploited critical zero-day flaw impacting publicly accessible Confluence Data Center and Server instances.

The vulnerability, tracked as CVE-2023-22515, is remotely exploitable and allows external attackers to create unauthorized Confluence administrator accounts and access Confluence servers.

It does not impact Confluence versions prior to 8.0.0. Confluence sites accessed via an atlassian.net domain are also not vulnerable to this issue.


The enterprise software services provider said it was made aware of the issue by “a handful of customers.” It has been addressed in the following versions of Confluence Data Center and Server -

  • 8.3.3 or later
  • 8.4.3 or later, and
  • 8.5.2 (Long Term Support release) or later

The company, however, did not disclose any further specifics about the nature and scale of the exploitation, or the root cause of the vulnerability.

Customers who are unable to apply the updates are advised to restrict external network access to the affected instances.

“Additionally, you can mitigate known attack vectors for this vulnerability by blocking access to the /setup/* endpoints on Confluence instances,” Atlassian said. “This is possible at the network layer or by making the following changes to Confluence configuration files.”
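The deny rule Atlassian describes is only as good as the path comparison behind it. The following is an added example, not Atlassian's code or configuration: it shows the order of operations a reverse proxy or servlet filter in front of Confluence needs (strip the query string, percent-decode, resolve dot segments, then compare against the /setup prefix) so that encoded or traversal-style spellings of the path are denied as well. The `context_path` argument and the WSGI wrapper are assumptions made for illustration; in a real deployment the same rule belongs in the proxy or the servlet container, not in a Python layer.

```python
"""Deny rule for the /setup/* mitigation described above.

Added example, not Atlassian's code or configuration. Demonstrates
normalising a request path before comparing it against /setup, so
that encoded or dot-segment variants are caught too. The optional
context_path argument is an assumption for deployments that mount
Confluence under a prefix such as /confluence.
"""
import posixpath
from urllib.parse import unquote


def normalize_path(raw_path: str) -> str:
    """Canonical request path: query/fragment removed, percent-decoding
    applied twice (so a double-encoded %252F is caught), dot segments
    resolved and repeated slashes collapsed. Double-decoding can only
    make a deny rule stricter, which is the safe direction here."""
    path = raw_path.split("?", 1)[0].split("#", 1)[0]
    decoded = unquote(unquote(path))
    # lstrip keeps normpath from preserving a POSIX-style leading "//".
    return posixpath.normpath("/" + decoded.lstrip("/"))


def is_setup_request(raw_path: str, context_path: str = "") -> bool:
    """True when the normalized path is /setup or anything below it
    (under context_path if one is given). Matching is case-sensitive,
    as servlet URL mappings are."""
    path = normalize_path(raw_path)
    ctx = context_path.strip("/")
    prefix = f"/{ctx}/setup" if ctx else "/setup"
    return path == prefix or path.startswith(prefix + "/")


def deny_setup_middleware(app, context_path: str = ""):
    """WSGI wrapper (illustration only) that answers 403 for /setup/*
    before the wrapped application sees the request."""
    def wrapped(environ, start_response):
        # SCRIPT_NAME carries any mount prefix; PATH_INFO is the rest.
        full = environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "")
        if is_setup_request(full, context_path):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Forbidden\n"]
        return app(environ, start_response)
    return wrapped


if __name__ == "__main__":
    # Constructed request paths for the example, not captured traffic.
    samples = [
        "/setup/setupadministrator.action",
        "/%73etup/setupadministrator.action",
        "/pages/../setup/setupadministrator.action",
        "/setup/setupadministrator.action?x=1",
        "/setup-guide.action",
        "/pages/viewpage.action",
    ]
    for s in samples:
        print("BLOCK" if is_setup_request(s) else "ALLOW", s)
```

Note that `/setup-guide.action` is allowed: the comparison is on the path segment `/setup`, not on the string prefix `/setup`, so a sibling path that merely starts with the same letters is not caught by the rule.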

The company has also published the following indicators of compromise (IoCs) for determining whether an on-premises instance may have been breached -

  • unexpected members of the confluence-administrator group
  • unexpected newly created user accounts
  • requests to /setup/*.action in network access logs
  • presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory
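A practitioner working through those four indicators will want to run them over exported logs and account lists rather than eyeball them. The following is an added example, not Atlassian's tooling: it checks the access log for `/setup/*.action` requests, the security log for the `setupadministrator.action` path, and diffs the current `confluence-administrator` membership and user list against a known-good baseline. All log lines and account names are constructed for the example; the access-log regex assumes a generic combined-log layout and must be adapted to the AccessLogValve pattern your Tomcat actually uses, and the security-log entry is only assumed to contain the path Atlassian names.

```python
"""Offline triage of the compromise indicators listed above.

Added example, not Atlassian's tooling. The log lines and account
names below are constructed for the example. The access-log regex
assumes a generic combined-log layout (client IP, timestamp, quoted
request line); adapt it to your Tomcat access-log pattern. The
account checks assume you can export the current members of the
confluence-administrator group and the current user list, and hold a
known-good baseline of each to diff against.
"""
import re
from typing import Iterable

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)'
)
# /setup/<anything>.action, optionally under a one-segment context path.
SETUP_ACTION_RE = re.compile(r"(?:/[^/]+)?/setup/[^/]*\.action")
SECURITY_LOG_MARKER = "/setup/setupadministrator.action"


def setup_action_requests(access_lines: Iterable[str]) -> list[dict]:
    """Requests to /setup/*.action from the access log, with who and when."""
    hits = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if SETUP_ACTION_RE.fullmatch(path):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "method": m.group("method"), "path": path})
    return hits


def security_log_hits(security_lines: Iterable[str]) -> list[str]:
    """Lines of atlassian-confluence-security.log naming the setup action."""
    return [ln for ln in security_lines if SECURITY_LOG_MARKER in ln]


def unexpected_accounts(current: Iterable[str], baseline: Iterable[str]) -> list[str]:
    """Names present now that were not in the known-good baseline."""
    return sorted(set(current) - set(baseline))


def triage(access_lines, security_lines, admins_now, admins_baseline,
           users_now, users_baseline) -> dict:
    """Run all four indicators; any non-empty finding flags the instance."""
    findings = {
        "setup_requests": setup_action_requests(access_lines),
        "security_log": security_log_hits(security_lines),
        "new_admins": unexpected_accounts(admins_now, admins_baseline),
        "new_users": unexpected_accounts(users_now, users_baseline),
    }
    findings["compromise_suspected"] = any(findings.values())
    return findings


# Constructed sample data for the example (not real logs or accounts).
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [04/Oct/2023:09:12:01 +0000] "GET /login.action HTTP/1.1" 200 4521',
    '203.0.113.7 - - [04/Oct/2023:09:14:35 +0000] "GET /setup/setupadministrator.action HTTP/1.1" 200 1830',
    '203.0.113.7 - - [04/Oct/2023:09:14:40 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0',
    '10.0.0.8 - - [04/Oct/2023:09:20:02 +0000] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 9120',
    '10.0.0.8 - - [04/Oct/2023:09:21:11 +0000] "GET /confluence/setup/setupadministrator.action HTTP/1.1" 302 0',
]
SAMPLE_SECURITY_LOG = [
    "2023-10-04 09:13:02,004 INFO [http-nio-8090-exec-2] login succeeded for user jsmith",
    "2023-10-04 09:14:40,118 WARN [http-nio-8090-exec-3] exception while handling /setup/setupadministrator.action",
]
ADMINS_BASELINE = ["admin", "jsmith"]
ADMINS_NOW = ["admin", "jsmith", "zzadmin"]
USERS_BASELINE = ["admin", "jsmith", "mlee"]
USERS_NOW = ["admin", "jsmith", "mlee", "zzadmin"]

if __name__ == "__main__":
    result = triage(SAMPLE_ACCESS_LOG, SAMPLE_SECURITY_LOG,
                    ADMINS_NOW, ADMINS_BASELINE, USERS_NOW, USERS_BASELINE)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Two points worth keeping in mind when adapting this: a request to `/setup/*.action` that returns 200 or 302 is the interesting one (a 404 from a scanner probing a fully patched instance is noise but still worth recording), and an account that appears in both `new_admins` and `new_users` at once is the pattern the advisory describes, a freshly created user dropped straight into the administrator group.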

“If it is determined that your Confluence Server/DC instance has been compromised, our advice is to immediately shut down and disconnect the server from the network/Internet,” Atlassian said.


“Also, you may want to immediately shut down any other systems which potentially share a user base or have common username/password combinations with the compromised system.”

“It’s unusual, though not unprecedented, for a privilege escalation vulnerability to carry a critical severity rating,” Rapid7’s Caitlin Condon said, adding the flaw is “typically more consistent with an authentication bypass or remote code execution chain than a privilege escalation issue by itself.”

With flaws in Atlassian Confluence instances widely exploited by threat actors in the past, it’s recommended that customers update to a fixed version immediately, or implement appropriate mitigations.
