
Warning: Zero-day privilege escalation vulnerability in Confluence Data Center and Server

Reference: Advisory #2023-120
Version: 1.0
Affected software: Confluence Data Center and Server
Type: Privilege Escalation
CVE/CVSS: CVE-2023-22515

Sources

Atlassian Support - CVE-2023-22515 - Privilege Escalation Vulnerability in Confluence Data Center and Server

Atlassian Jira - [CONFSERVER-92475] Privilege Escalation in Confluence Data Center and Server - CVE-2023-22515

Risks

CVE-2023-22515 is a critical zero-day vulnerability affecting publicly exposed instances of Confluence Data Center and Server from version 8 on.

A remote unauthenticated attacker could exploit this privilege escalation vulnerability to create unauthorized Confluence administrator accounts and access Confluence servers. Exploitation does not require user interaction and is easy to execute.
The confidentiality, integrity and availability of information are impacted to the highest degree.

Additionally, Atlassian has observed active exploitation of this vulnerability.

Description

On the 4th of October Atlassian published a security advisory detailing a zero-day vulnerability in Confluence Data Center and Server. CVE-2023-22515 was assigned to this vulnerability.

Atlassian was notified by its customers that their publicly accessible Confluence Data Center and Server instances had been exploited through a previously unknown vulnerability.

The severity of this vulnerability is critical due to multiple factors:

  • An attacker can exploit this vulnerability remotely without having to be authenticated.
  • Additionally, the exploit does not require any user interaction and its complexity to execute is rated as low.

Affected products

Cloud instances and instances below version 8.0 are NOT vulnerable.

Recommended actions

The Centre for Cyber Security Belgium strongly recommends Windows system administrators to take the following actions:

Upgrade

  • Upgrade to 8.3.3 or later
  • Upgrade to 8.4.3 or later
  • Upgrade to 8.5.2 (Long Term Support release) or later

Mitigate/workaround
Any one of the mitigations below is effective on its own:

  • Restrict external network access to the vulnerable instance
  • Bring the vulnerable instance offline
  • Block access to the /setup/* endpoints on Confluence instances. This is possible at the network layer or by making the following changes to the Confluence configuration files:

    1. On each node, modify /<confluence-install-dir>/confluence/WEB-INF/web.xml and add the following block (just before the </web-app> tag at the end of the file):

       <security-constraint>
         <web-resource-collection>
           <url-pattern>/setup/*</url-pattern>
           <http-method-omission>*</http-method-omission>
         </web-resource-collection>
         <auth-constraint />
       </security-constraint>

    2. Restart Confluence.
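Administrators applying the web.xml workaround across several nodes usually want a repeatable way to confirm the deny rule is actually present, and to insert it when it is not. The script below is an added example, not Atlassian's or the CCB's own tooling. It assumes a standard Java web.xml layout with a single closing </web-app> tag; the constraint block is the one quoted in this advisory, and the sample web.xml at the bottom is constructed for a stand-alone run, not a real Confluence file.

```python
"""Check for, and if missing add, the /setup/* deny rule in a Confluence web.xml.

Added example (not Atlassian/CCB code). Assumes a standard Java web.xml with one
closing </web-app> tag. Usage: python check_setup_constraint.py [path/to/web.xml]
"""
import sys
import xml.etree.ElementTree as ET

# The exact block the advisory tells administrators to add.
SETUP_CONSTRAINT = """<security-constraint>
  <web-resource-collection>
    <url-pattern>/setup/*</url-pattern>
    <http-method-omission>*</http-method-omission>
  </web-resource-collection>
  <auth-constraint />
</security-constraint>
"""


def _local(tag):
    """Strip an XML namespace ({uri}name -> name) so the check works whether or
    not the web.xml declares the Java EE default namespace on <web-app>."""
    return tag.rsplit("}", 1)[-1]


def has_setup_constraint(web_xml_text):
    """True if some <security-constraint> covers /setup/* and carries an
    <auth-constraint> (an empty auth-constraint denies every role)."""
    root = ET.fromstring(web_xml_text)
    for elem in root.iter():
        if _local(elem.tag) != "security-constraint":
            continue
        patterns = [
            e.text.strip()
            for e in elem.iter()
            if _local(e.tag) == "url-pattern" and e.text
        ]
        denies = any(_local(e.tag) == "auth-constraint" for e in elem)
        if "/setup/*" in patterns and denies:
            return True
    return False


def add_setup_constraint(web_xml_text):
    """Return the web.xml text with the deny rule inserted just before the final
    </web-app>; the text is returned unchanged if the rule is already present."""
    if has_setup_constraint(web_xml_text):
        return web_xml_text
    idx = web_xml_text.rfind("</web-app>")
    if idx < 0:
        raise ValueError("no closing </web-app> tag found")
    return web_xml_text[:idx] + SETUP_CONSTRAINT + web_xml_text[idx:]


# Constructed minimal web.xml so the script runs without a Confluence install.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <display-name>Confluence</display-name>
</web-app>
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_WEB_XML
    present = has_setup_constraint(text)
    print("deny rule present:", present)
    if not present:
        # Print the patched file rather than writing it, so the change can be
        # reviewed (and backed up) before it replaces the real web.xml.
        print(add_setup_constraint(text))
```

The check is namespace-agnostic on purpose: real Confluence web.xml files declare the Java EE default namespace on <web-app>, so a naive `find("security-constraint")` would silently miss the rule. Run it against every node, since the advisory requires the change on each one, and restart Confluence afterwards.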

Monitor/Detect

It is important to note that compromised instances remain compromised after upgrading to a fixed version, because the attacker may already have created administrator accounts in the vulnerable instance.

The CCB recommends that organizations scale up their monitoring and detection capabilities, look for any related suspicious activity, and ensure a fast response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

When applying patches to systems that have been vulnerable to an authentication bypass, a proactive threat assessment should be performed to verify the device was not accessed from an unknown IP or location.

Indicators of compromise shared by Atlassian

  • Unexpected members of the confluence-administrators group
  • Unexpected newly created user accounts
  • Requests to /setup/*.action in network access logs
  • Presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory
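The four indicators above map onto three data sources: the web server access log, atlassian-confluence-security.log, and the membership of the confluence-administrators group. The script below is an added example, not Atlassian's or the CCB's code, that runs each check over embedded sample data. It assumes Tomcat-style common access log lines, an approved-administrators baseline that you maintain yourself, and a security log line whose shape is constructed here for illustration rather than copied from a real incident.

```python
"""Scan Confluence logs and admin-group membership for the CVE-2023-22515
indicators listed by Atlassian. Added example (not Atlassian/CCB code).

Assumptions: Tomcat "common" access log format; a baseline list of approved
confluence-administrators members; sample log lines below are constructed.
"""
import re

# Tomcat common log: client ident user [time] "METHOD PATH PROTO" status size
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Indicator: requests to /setup/*.action (the query string is ignored)
SETUP_ACTION_RE = re.compile(r"^/setup/[^?]*\.action")


def find_setup_requests(access_lines):
    """Return (ip, method, path, status) for every request to /setup/*.action.
    Unparseable lines are skipped rather than raising."""
    hits = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if m and SETUP_ACTION_RE.match(m.group("path")):
            hits.append((m.group("ip"), m.group("method"),
                         m.group("path"), int(m.group("status"))))
    return hits


def setup_exception_lines(security_log_lines):
    """Lines of atlassian-confluence-security.log that mention the
    setupadministrator action, which should never appear after setup."""
    return [ln for ln in security_log_lines
            if "/setup/setupadministrator.action" in ln]


def unexpected_admins(current_members, approved_members):
    """confluence-administrators members that are not on the approved baseline."""
    return sorted(set(current_members) - set(approved_members))


def assess(access_lines, security_lines, current_admins, approved_admins):
    """Run all three checks and return one report; any non-empty value is a
    reason to start incident response, not just to patch."""
    return {
        "setup_requests": find_setup_requests(access_lines),
        "setup_exceptions": setup_exception_lines(security_lines),
        "unexpected_admins": unexpected_admins(current_admins, approved_admins),
    }


# --- constructed sample data (not from a real system) ---
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [04/Oct/2023:09:12:01 +0000] "GET /login.action HTTP/1.1" 200 5120',
    '203.0.113.7 - - [04/Oct/2023:09:13:44 +0000] "GET /setup/setupadministrator.action HTTP/1.1" 200 8310',
    '203.0.113.7 - - [04/Oct/2023:09:13:52 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0',
    '10.0.0.9 - - [04/Oct/2023:09:20:10 +0000] "GET /setup/ HTTP/1.1" 404 220',  # no .action
    "garbage line that does not parse",
]
SAMPLE_SECURITY_LOG = [
    "2023-10-04 09:13:52,118 WARN [http-nio-8090-exec-4] exception handling "
    "/setup/setupadministrator.action (constructed sample line)",
    "2023-10-04 09:30:00,000 INFO [scheduler] routine message",
]
APPROVED_ADMINS = ["admin", "it-ops"]          # your maintained baseline
CURRENT_ADMINS = ["admin", "it-ops", "svc-backup"]  # as read from Confluence

if __name__ == "__main__":
    report = assess(SAMPLE_ACCESS_LOG, SAMPLE_SECURITY_LOG,
                    CURRENT_ADMINS, APPROVED_ADMINS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real deployment, feed the functions the access log of every node and compare the admin group against a baseline captured before the exposure window; a single hit on /setup/*.action after initial setup is enough to treat the instance as compromised, which is why the advisory says patching alone does not remediate.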

References

The Hacker News - https://thehackernews.com/2023/10/atlassian-confluence-hit-by-newly.html