Atlassian has issued an alert warning that a public exploit now exists for a critical security flaw in Confluence that could lead to data wiping attacks. The vulnerability, tracked as CVE-2023-22518, is an improper authorization issue with a CVSS score of 9.1 out of 10, rated critical. It impacts all versions of Confluence Data Center and Confluence Server software. Atlassian says it has observed publicly posted details about the vulnerability that significantly raise the risk to internet-exposed instances. The company stated, "As part of Atlassian's ongoing monitoring of this CVE, we observed publicly posted critical information about the vulnerability which increases risk of exploitation."
While Atlassian has not yet received reports of active exploitation, customers are urged to take immediate action to safeguard their instances. Those who have already applied the patch need take no further action. According to Atlassian, an attacker can use the vulnerability to destroy data on an affected server but cannot use it to exfiltrate the data stored there. Atlassian also clarified that Atlassian Cloud sites, which are accessed via an atlassian.net domain, are not impacted.
The company's Chief Information Security Officer, Bala Sathiamurthy, had previously issued a warning when the vulnerability was patched. He stated, "As part of our continuous security assessment processes, we have discovered that Confluence Data Center and Server customers are vulnerable to significant data loss if exploited by an unauthenticated attacker."
Atlassian has addressed the critical CVE-2023-22518 vulnerability in Confluence Data Center and Server versions 7.19.16, 8.3.4, 8.4.4, 8.5.3, and 8.6.1. Administrators are urged to update their software promptly or, if that's not feasible, to implement mitigation measures. These include backing up unpatched instances and blocking internet access to unpatched servers until they're updated.
If immediate patching is not possible, admins can also remove the known attack vectors by blocking access to the specific endpoints named in the advisory. This is done by editing the confluence/WEB-INF/web.xml file under the Confluence installation directory as the advisory describes, then restarting the affected instance; the blocked endpoints remain unavailable to legitimate users until the change is reverted. Atlassian emphasized that these mitigation steps are temporary, cover only the known attack vectors, and are not a substitute for patching the instance.
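The first question an administrator has to answer for each instance is whether its version already carries the fix. The following Python script, added here as an example and not code from Atlassian or the advisory, compares a Confluence version string against the fixed releases listed above (7.19.16, 8.3.4, 8.4.4, 8.5.3, 8.6.1). How it treats branches that have no fixed release at all, and versions newer than the highest listed fix, is this script's own assumption and is explained in its comments.

```python
"""Check whether a Confluence Data Center/Server version string is below the
fixed releases Atlassian listed for CVE-2023-22518.

Added example, not Atlassian's code. The fixed-version list is taken from the
article; the handling of branches without a fixed release is an assumption of
this script, explained in assess().
"""
import re
from typing import Tuple

# Fixed releases per feature branch, as listed in the advisory summary above.
FIXED_VERSIONS = ["7.19.16", "8.3.4", "8.4.4", "8.5.3", "8.6.1"]


def parse_version(v: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH'; a trailing suffix such as '-beta1' is ignored,
    and a missing PATCH component is treated as 0."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", v)
    if not m:
        raise ValueError(f"unrecognised Confluence version string: {v!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def assess(version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unlisted' for the given version.

    - Same MAJOR.MINOR as a fixed release: fixed iff PATCH >= the fixed PATCH.
    - Older than every fixed branch (e.g. 7.18.x or 8.0.x-8.2.x): no fix exists
      in that branch, so it is vulnerable and must move to a fixed branch.
    - Newer than the highest listed fixed release (e.g. 8.7.x): not covered by
      the list on this page; reported as 'unlisted' so the operator consults
      the advisory instead of assuming safety (this script's assumption).
    """
    maj, mn, patch = parse_version(version)
    fixed = [parse_version(f) for f in FIXED_VERSIONS]
    for fmaj, fmn, fpatch in fixed:
        if (maj, mn) == (fmaj, fmn):
            return "fixed" if patch >= fpatch else "vulnerable"
    newest = max(fixed)
    if (maj, mn, patch) > newest:
        return "unlisted"
    return "vulnerable"


if __name__ == "__main__":
    # Constructed sample inputs, as an admin might collect from several instances.
    for v in ["7.19.15", "7.19.16", "8.2.0", "8.5.2", "8.5.3", "8.6.1", "8.7.0"]:
        print(f"{v:>8}: {assess(v)}")
```

Feed it the version strings gathered from your instances; anything reported as "vulnerable" needs either the upgrade or the temporary web.xml and network mitigations described above until it can be upgraded.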
Last month, CISA, FBI, and MS-ISAC urged defenders to urgently patch Atlassian Confluence servers against an actively exploited privilege escalation flaw, CVE-2023-22515. Microsoft later found that a Chinese-backed threat group, known as Storm-0062 (aka DarkShadow or Oro0lxy), had exploited the flaw as a zero-day since September 14, 2023. Securing vulnerable Confluence servers is vital, given their previous targeting in widespread attacks that delivered AvosLocker and Cerber2021 ransomware, Linux botnet malware, and crypto miners.