Critical Atlassian Confluence zero-day exploited by attackers (CVE-2023-22515)

Atlassian has fixed a critical zero-day vulnerability (CVE-2023-22515) in Confluence Data Center and Server that is being exploited in the wild.

“Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances,” the company said.

About CVE-2023-22515

Atlassian describes CVE-2023-22515 as a critical privilege escalation vulnerability, and has confirmed that it affects Confluence Data Center and Server versions 8.0.0 and later.

“Instances on the public internet are particularly at risk, as this vulnerability is exploitable anonymously. If your Confluence site is accessed via an domain, it is hosted by Atlassian and is not vulnerable to this issue,” the company stated.

Caitlin Condon, Senior Manager, Security Research at Rapid7, noted that it’s unusual (though not unprecedented) for a privilege escalation vulnerability to be deemed critical.

“Atlassian’s advisory implies that the vulnerability is remotely exploitable, which is typically more consistent with an authentication bypass or remote code execution chain than a privilege escalation issue by itself. It’s possible that the vulnerability could allow a regular user account to elevate to admin — notably, Confluence allows for new user sign-ups with no approval, but this feature is disabled by default,” she noted.

Fixing and mitigating

Admins are advised to upgrade affected installations to one of the fixed versions: 8.3.3 or later, 8.4.3 or later, or 8.5.2 or later.

If this is not possible, they should implement mitigations such as cutting off access to the instances from external networks and blocking access to the /setup/* endpoints on Confluence instances.

Upgrading to a fixed version closes the vulnerability but does not undo a compromise that may already have taken place, so admins should also check for the following indicators of compromise:

  • Unexpected members of the confluence-administrator group
  • Unexpected newly created user accounts
  • Requests to /setup/*.action in network access logs
  • Presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory
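A minimal detection pass over the two log-based indicators above, plus the /server-info.action endpoint Rapid7 later flagged, written as an added example for this article (it is not Atlassian's or Rapid7's tooling); the log lines are constructed to resemble a Tomcat-style access log and atlassian-confluence-security.log, and that field layout is an assumption.

```python
import re
from collections import Counter

# Indicators from Atlassian's advisory: any request to /setup/*.action, and the
# setupadministrator action appearing in an exception message in the security log.
SETUP_ACTION_RE = re.compile(r"/setup/[^\s\"?]*\.action")
SECURITY_LOG_IOC = "/setup/setupadministrator.action"
# Endpoint Rapid7 reported leveraging; not in Atlassian's original IOC list.
EXTRA_ENDPOINTS = ("/server-info.action",)


def scan_access_log(lines):
    """Count hits per path for /setup/*.action and the extra endpoints."""
    hits = Counter()
    for line in lines:
        for m in SETUP_ACTION_RE.finditer(line):
            hits[m.group(0)] += 1
        for endpoint in EXTRA_ENDPOINTS:
            if endpoint in line:
                hits[endpoint] += 1
    return dict(hits)


def scan_security_log(lines):
    """Return security-log lines whose exception message names setupadministrator."""
    return [ln for ln in lines if SECURITY_LOG_IOC in ln]


# Constructed sample lines (assumed Tomcat access-log layout), not real traffic.
ACCESS_LOG = [
    '203.0.113.5 - - [04/Oct/2023:10:12:01 +0000] "GET /server-info.action HTTP/1.1" 200 512',
    '203.0.113.5 - - [04/Oct/2023:10:12:03 +0000] "GET /setup/setupadministrator.action HTTP/1.1" 200 1930',
    '203.0.113.5 - - [04/Oct/2023:10:12:07 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0',
    '198.51.100.7 - - [04/Oct/2023:10:13:00 +0000] "GET /login.action HTTP/1.1" 200 4210',
]
# Constructed security-log lines; the message format is an assumption.
SECURITY_LOG = [
    "2023-10-04 10:12:07,311 WARN [http-nio-8090-exec-4] [confluence.security] Unauthorized access",
    "2023-10-04 10:12:07,315 ERROR [http-nio-8090-exec-4] [setup.actions] Exception: /setup/setupadministrator.action invoked after setup complete",
]

if __name__ == "__main__":
    for path, n in scan_access_log(ACCESS_LOG).items():
        print(f"{n:3d}  {path}")
    for ln in scan_security_log(SECURITY_LOG):
        print("security.log:", ln)
```

Any non-zero count for /setup/*.action on an instance whose setup finished long ago, or any matching security-log line, warrants reviewing the confluence-administrator group and recently created accounts.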

Last month, Qualys published a list of the top 20 exploited vulnerabilities, both old and new. Among them is CVE-2021-26084 in Atlassian Confluence Server, which was patched two years ago but is still being exploited by attackers.

UPDATE (October 6, 2023, 04:40 a.m. ET):

“Rapid7’s research team has identified and triggered CVE-2023-22515 in Confluence Server and Data Center,” Condon added more recently.

“The vulnerability is fully unauthenticated and trivially exploitable. Based on our analysis of the vulnerability’s root cause, we think it likely that there are other avenues of attack in addition to the creation of a new admin user. Notably, our team leveraged the /server-info.action endpoint, which Atlassian did not mention in their IOCs.”

In the meantime, Atlassian has re-classified the vulnerability; it is now described as an issue stemming from broken access control.
