Atlassian Confluence zero-day CVE-2023-22515 actively exploited in attacks

Pierluigi Paganini October 04, 2023

Atlassian fixed a critical zero-day flaw in its Confluence Data Center and Server software, which has been exploited in the wild.

Software giant Atlassian released emergency security updates to address a critical zero-day vulnerability, tracked as CVE-2023-22515 (CVSS score 10), in its Confluence Data Center and Server software.

CVE-2023-22515 is a privilege escalation vulnerability that affects Confluence Data Center and Server 8.0.0 and later. A remote attacker can trigger the flaw in low-complexity attacks without any user interaction.

The company is aware that the vulnerability has been exploited in attacks.

“Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances.” reads the advisory published by the company.

“Instances on the public internet are particularly at risk, as this vulnerability is exploitable anonymously.”

According to the advisory, the vulnerability doesn’t impact Atlassian Cloud sites. If a customer’s Confluence site is accessed via an domain, it is hosted by Atlassian and is not vulnerable to this issue.

“It’s unusual, though not unprecedented, for a privilege escalation vulnerability to carry a critical severity rating. Atlassian’s advisory implies that the vulnerability is remotely exploitable, which is typically more consistent with an authentication bypass or remote code execution chain than a privilege escalation issue by itself.” reads a post published by Rapid7. “It’s possible that the vulnerability could allow a regular user account to elevate to admin — notably, Confluence allows for new user sign-ups with no approval, but this feature is disabled by default.”

If admins are unable to upgrade their Confluence instances, as an interim measure the company recommends restricting external network access to them.

Atlassian also recommends mitigating known attack vectors for this vulnerability by blocking access to the /setup/* endpoints on Confluence instances.

The software firm also recommends checking instances for the following indicators of compromise:

  • unexpected members of the confluence-administrator group
  • unexpected newly created user accounts
  • requests to /setup/*.action in network access logs
  • presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory
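As an added example (not code from the article or from Atlassian), the following Python checker applies the two log-based indicators above to constructed sample lines: it flags requests to `/setup/*.action` in an access log and lines that mention `/setup/setupadministrator.action` in the security log. The log formats, the sample entries and the optional context-path handling (e.g. `/confluence/setup/...`) are assumptions.

```python
import re

# Constructed sample access-log lines (common log format); not real traffic.
ACCESS_LOG = """\
203.0.113.5 - - [02/Oct/2023:10:15:01 +0000] "GET /login.action HTTP/1.1" 200 5120
203.0.113.5 - - [02/Oct/2023:10:15:07 +0000] "GET /setup/setupadministrator.action HTTP/1.1" 200 3310
203.0.113.5 - - [02/Oct/2023:10:15:09 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0
198.51.100.9 - - [02/Oct/2023:10:16:00 +0000] "GET /pages/viewpage.action?pageId=42 HTTP/1.1" 200 9001
"""

# Constructed sample lines standing in for atlassian-confluence-security.log; not real entries.
SECURITY_LOG = """\
2023-10-02 10:15:09,412 ERROR [http-nio-8090-exec-4] Exception message: access denied for /setup/setupadministrator.action
2023-10-02 10:20:00,001 INFO [scheduler] Routine check completed
"""

# Parses the client IP, timestamp, method, path and status from a common-log-format line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Optional context path (assumed, e.g. /confluence) followed by /setup/<name>.action
SETUP_RE = re.compile(r'^(?:/[^/?]+)?/setup/[^/?]+\.action(?:[?;]|$)')


def find_setup_requests(log_text):
    """Return (ip, method, path, status) for every request to /setup/*.action."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and SETUP_RE.match(m.group("path")):
            hits.append((m.group("ip"), m.group("method"), m.group("path"), int(m.group("status"))))
    return hits


def find_setup_exceptions(security_log_text):
    """Return security-log lines mentioning /setup/setupadministrator.action."""
    needle = "/setup/setupadministrator.action"
    return [line for line in security_log_text.splitlines() if needle in line]


if __name__ == "__main__":
    for hit in find_setup_requests(ACCESS_LOG):
        print("access log: request to setup endpoint", hit)
    for line in find_setup_exceptions(SECURITY_LOG):
        print("security log:", line)
```

A hit is an indicator to investigate, not proof of compromise; correlate it with the group-membership and new-account checks listed above.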

In September 2022, threat actors were observed targeting unpatched Atlassian Confluence servers as part of an ongoing crypto mining campaign.

Trend Micro researchers warned of a crypto mining campaign targeting Atlassian Confluence servers affected by the CVE-2022-26134 RCE vulnerability disclosed in early June 2022.

Pierluigi Paganini
