On October 4th, 2023, Atlassian disclosed a critical severity vulnerability in Confluence Data Center and Server instances, tracked as CVE-2023-22515. The vulnerability, which received a CNA base score of 10.0, could allow remote attackers to create unauthorized administrator accounts and access Confluence instances on vulnerable Confluence servers.
Who Is Impacted?
The following Confluence versions are affected:
- 8.0.0 – 8.0.4
- 8.1.0, 8.1.3, 8.1.4
- 8.2.0 – 8.2.3
- 8.3.0 – 8.3.2
- 8.4.0 – 8.4.2
- 8.5.0 – 8.5.1
Confluence customers using versions prior to 8.0.0 or an Atlassian-hosted Confluence instance (sites with an atlassian.net domain) are not affected by this vulnerability and therefore do not need to take any action.
How Bad is This?
According to Atlassian’s advisory, unauthorized Confluence administrator account creation and Confluence instance access may have already occurred on some customer systems before the CVE was announced. The potential exploitation of this vulnerability prior to its disclosure makes it a zero-day vulnerability.
While details remain limited, an attacker who successfully exploits this vulnerability could create Confluence administrator accounts, and then do the following:
- Access Confluence instances
- Modify or delete Confluence data
- Execute arbitrary code on the server
What Should I Do?
For administrators hosting publicly-accessible Confluence Data Center and Server instances, a critical severity vulnerability poses a severe threat that warrants urgent response. Given this severity, all impacted organizations should immediately upgrade their affected servers to a fixed version. Those who are unable to upgrade should apply the recommended interim mitigations. Affected servers should be audited for signs of compromise.
Update to a fixed version
Impacted customers are advised to upgrade to a fixed version of Confluence as soon as possible. The fixed versions include the following:
- 8.5.2 (or later)
You can download the latest version of Confluence Data Center and Confluence Server from Atlassian here.
Mitigate if you are unable to update
If you are unable to promptly update the server version, you can instead limit external network access to the affected server. Additional mitigations identified by Atlassian include blocking access to
/setup/* endpoints on Confluence instances. This mitigation can be applied at the network layer or by modifying the server configuration by doing the following:
1. On each node, modify the file
to add the following block of code. Ensure that this code block is added before the closing </web-app> tag at the end of the file.
Audit for signs of compromise
An administrator should thoroughly review affected Confluence servers to identify any signs of compromise. Review the following potential indicators of compromise (IOCs) to determine whether a security incident may have occurred:
- Unauthorized members of the confluence-administrator group
- Unauthorized user accounts
- Requests to
/setup/*.actionin the network access logs located at
- An exception message in
atlassian-confluence-security.logwith the string
A thorough analysis of these IOCs can help confirm whether exploitation took place and determine the scope of the incident. This allows organizations to fully investigate, remediate, and improve defenses.
How Blumira Can Help
It’s nearly impossible for admins to track every vulnerability, but Blumira’s security experts perform threat hunting on your behalf and develop detections in real time to protect your environment. Blumira will continue to monitor this vulnerability for detection and reporting opportunities.
If you’re not already using Blumira, our Free SIEM edition is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.
For more information about this vulnerability, see the following resources: