Atlassian has released fixes to contain an actively exploited critical zero-day flaw impacting publicly accessible Confluence Data Center and Server instances.
The vulnerability, tracked as CVE-2023-22515, is remotely exploitable and allows external attackers to create unauthorized Confluence administrator accounts and access Confluence servers.
It does not impact Confluence versions prior to 8.0.0. Confluence sites accessed via an atlassian.net domain are also not vulnerable to this issue.
The enterprise software services provider said it was made aware of the issue by "a handful of customers." It has been addressed in the following versions of Confluence Data Center and Server -
- 8.3.3 or later
- 8.4.3 or later, and
- 8.5.2 (Long Term Support release) or later
The company, however, did not disclose any further specifics about the nature and scale of the exploitation, or the root cause of the vulnerability.
Customers who are unable to apply the updates are advised to restrict external network access to the affected instances.
"Additionally, you can mitigate known attack vectors for this vulnerability by blocking access to the /setup/* endpoints on Confluence instances," Atlassian said. "This is possible at the network layer or by making the following changes to Confluence configuration files."
The company has also provided the following indicators of compromise (IoCs) to determine if an on-premise instance has been potentially breached -
- unexpected members of the confluence-administrator group
- unexpected newly created user accounts
- requests to /setup/*.action in network access logs
- presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory
"If it is determined that your Confluence Server/DC instance has been compromised, our advice is to immediately shut down and disconnect the server from the network/Internet," Atlassian said.
"Also, you may want to immediately shut down any other systems which potentially share a user base or have common username/password combinations with the compromised system."
"It's unusual, though not unprecedented, for a privilege escalation vulnerability to carry a critical severity rating," Rapid7's Caitlin Condon said, adding the flaw is "typically more consistent with an authentication bypass or remote code execution chain than a privilege escalation issue by itself."
With flaws in Atlassian Confluence instances widely exploited by threat actors in the past, it's recommended that customers update to a fixed version immediately, or implement appropriate mitigations.