Atlassian, the Australian software company, has urgently addressed a top-priority zero-day vulnerability in its Confluence Data Center and Server software that had already been exploited in attacks. The company stated, "Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances." The company clarified that Atlassian Cloud sites are not impacted by this vulnerability: sites accessed via an atlassian.net domain, hosted by Atlassian, are not vulnerable to this issue.
The vulnerability, identified as CVE-2023-22515, is a critical privilege escalation flaw affecting Confluence Data Center and Server 8.0.0 and later. It can be exploited remotely in low-complexity attacks that do not require user interaction. Atlassian has advised customers using the vulnerable versions of Confluence Data Center and Server to upgrade their instances to one of the fixed versions (i.e., 8.3.3 or later, 8.4.3 or later, 8.5.2 or later) as soon as possible.
Beyond upgrading and implementing mitigation measures, Atlassian encourages customers to disconnect impacted instances or isolate them from Internet access if immediate patching isn't feasible. Administrators can limit the known attack vectors associated with this vulnerability by restricting access to the /setup/* endpoints on Confluence instances. "Instances on the public internet are particularly at risk, as this vulnerability is exploitable anonymously," Atlassian added.
Now that the patches are public, there is an increased risk that threat actors will analyze them to locate the fixed vulnerability, accelerating the development of a working exploit. The company also advises checking all Confluence instances for indicators of compromise. Securing Confluence servers promptly is vital given how attractive they have been to malicious actors in the past: previous incidents involved AvosLocker and Cerber2021 ransomware, Linux botnet malware, and crypto miners.
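One way to act on both points above, the /setup/* restriction and the check for indicators of compromise, is to review web-server or reverse-proxy access logs for any request that reached /setup/* on an instance whose initial setup is long complete. The script below is an added example, not code from the article or from Atlassian; it assumes Apache/nginx combined log format, an optional list of admin networks (allowed_nets) that are expected to reach those endpoints, and constructed sample lines whose /setup/ paths are placeholders rather than real Confluence endpoints.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Combined log format as written by Apache/nginx (or a similarly configured Tomcat access log).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (not real traffic); the /setup/ paths are placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Oct/2023:10:12:01 +0000] "GET /setup/example.action HTTP/1.1" 200 512 "-" "curl/8.1"
203.0.113.7 - - [03/Oct/2023:10:12:03 +0000] "POST /setup/example.action?x=1 HTTP/1.1" 302 0 "-" "curl/8.1"
198.51.100.9 - - [03/Oct/2023:10:13:00 +0000] "GET /%73etup/other.action HTTP/1.1" 200 100 "-" "Mozilla/5.0"
10.0.0.5 - - [03/Oct/2023:10:14:00 +0000] "GET /setup/example.action HTTP/1.1" 200 100 "-" "Mozilla/5.0"
192.0.2.4 - - [03/Oct/2023:10:15:10 +0000] "GET /display/SPACE/Home HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

def find_setup_hits(log_text, allowed_nets=(), context_path=""):
    """Return requests under <context_path>/setup/* whose source is outside allowed_nets.
    Once initial setup is complete, every such hit is unexpected and worth triage."""
    nets = [ip_network(n) for n in allowed_nets]          # admin ranges (assumption)
    prefix = (context_path.rstrip("/") + "/setup/").lower()
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                                      # not combined format, skip
        # Decode %xx escapes and drop the query string before comparing the path.
        path = unquote(m["target"].split("?", 1)[0]).lower()
        if not path.startswith(prefix):
            continue
        try:
            src = ip_address(m["ip"])
        except ValueError:
            continue                                      # malformed source field
        if any(src in n for n in nets):
            continue                                      # expected admin access
        hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                     "path": path, "status": int(m["status"])})
    return hits

def count_by_source(hits):
    """Count flagged requests per source address to prioritise follow-up."""
    return Counter(h["ip"] for h in hits)

if __name__ == "__main__":
    found = find_setup_hits(SAMPLE_LOG, allowed_nets=["10.0.0.0/8"])
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print(dict(count_by_source(found)))
```

Run it against the real access logs of each instance; a flagged source should then be cross-checked against the administrator list for accounts nobody created.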
Last year, CISA ordered federal agencies to patch another critical Confluence vulnerability (CVE-2022-26138) that was exploited in the wild, based on previous alerts from cybersecurity firm Rapid7 and threat intelligence company GreyNoise.