Patch now: Security vulnerability in Atlassian Confluence
by Nico Pätzel
Atlassian closes critical security hole: Patch for Confluence Data Center and Confluence Server available!
Confluence is a web-based software solution developed by the Australian company Atlassian for collaboration and knowledge management. It allows users to work together on the details of their projects in documentation, task lists and project plans. A recently discovered critical security vulnerability allowed attackers to gain admin rights and thus compromise entire systems. A published patch closes this vulnerability in the affected versions of Confluence Data Center and Confluence Server. Admins should react immediately.
A warning from Atlassian at the beginning of October with the maximum CVSS 3.0 score (10 out of 10) caused concern among users of the collaborative web tool Confluence. The vulnerability CVE-2023-22515 affects certain versions of Confluence Data Center as well as Confluence Server. Atlassian, the Australian provider of Confluence, was alerted by customer reports to a vulnerability that allowed cybercriminals to create unauthorised administrator accounts and access Confluence instances.
According to the BSI (the German Federal Office for Information Security), the vulnerability affects Confluence Data Center and Server with the following version numbers:
• 8.0.0
• 8.0.1
• 8.0.2
• 8.0.3
• 8.0.4
• 8.1.0
• 8.1.1
• 8.1.3
• 8.1.4
• 8.2.0
• 8.2.1
• 8.2.2
• 8.2.3
• 8.3.0
• 8.3.1
• 8.3.2
• 8.4.0
• 8.4.1
• 8.4.2
• 8.5.0
• 8.5.1
The vulnerability is already closed in versions 8.3.3, 8.4.3 and 8.5.2 (or higher). Instances hosted on Atlassian Cloud (recognisable by atlassian.net in the domain) and versions below 8.0.0 are not affected by the vulnerability.
The zero-day vulnerability is already being exploited.
Atlassian itself speaks of "a handful of customers" where attacks on publicly accessible Confluence instances may have taken place. Confluence servers have already been targeted by cyber attackers in the past - known attacks included Cerber2021 ransomware, Linux botnet malware and crypto miners. Admins of the Confluence versions affected by the vulnerability should react immediately and install the security updates provided by Atlassian: Due to the critical classification of the vulnerability, a complete compromise can be assumed after a successful attack!
Immediate patching not possible? Atlassian recommends these measures as a workaround.
If admins discover that their Confluence instances have been compromised, Atlassian recommends immediately disconnecting the server from the internet/network as a first emergency measure. Any other systems that share a common user base or username/password combinations with Confluence should also be isolated from the network immediately. Shutting down the servers is also recommended, but it is essential to make a forensic backup of the data beforehand. Otherwise, the data would be lost after shutting down the servers, which in the worst case would prevent the incident from being resolved!
A possible security breach is recognisable, among other things, by:
- Unexpected, new members in the Confluence admin user group
- Newly created user accounts
- Requests to /setup/*.action or /server-info.action in the network access logs
- An exception message in the atlassian-confluence-security.log (presence of /setup/setupadministrator.action)
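As an added example (not from the article or from Atlassian), a small Python script that checks access-log lines and security-log lines for the last two indicators above; the combined access-log layout and the sample lines are constructed assumptions, so adapt the pattern to your own proxy or Tomcat log format:

```python
import re
from urllib.parse import urlsplit

# Endpoints named in Atlassian's indicators of compromise (see the list above).
# Requests to /setup/*.action are only expected during the initial installation
# of an instance; on a long-running instance they warrant a closer look.
SETUP_ACTION = re.compile(r"^/setup/[^/?#]*\.action$")
SERVER_INFO = "/server-info.action"
SECURITY_LOG_MARKER = "/setup/setupadministrator.action"

# Combined access-log layout (an assumption; adapt to your log format).
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def suspicious_requests(lines):
    """Return (ip, timestamp, method, path, status) for each access-log line
    that touches a setup action or the server-info action."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue  # skip lines that do not parse instead of crashing
        path = urlsplit(m.group("target")).path  # drop any query string
        if SETUP_ACTION.match(path) or path == SERVER_INFO:
            hits.append((m.group("ip"), m.group("ts"), m.group("method"),
                         path, int(m.group("status"))))
    return hits

def security_log_hits(lines):
    """Return atlassian-confluence-security.log lines that mention the
    setup-administrator action."""
    return [line for line in lines if SECURITY_LOG_MARKER in line]

# Constructed sample log lines (not real traffic, not Atlassian's exact format).
ACCESS_LOG = """\
198.51.100.7 - - [04/Oct/2023:10:12:01 +0000] "GET /login.action HTTP/1.1" 200 5123
203.0.113.9 - - [04/Oct/2023:10:13:44 +0000] "GET /server-info.action HTTP/1.1" 302 0
203.0.113.9 - - [04/Oct/2023:10:13:45 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0
198.51.100.7 - - [04/Oct/2023:10:14:02 +0000] "GET /display/DOCS/Home HTTP/1.1" 200 9881
""".splitlines()
SECURITY_LOG = """\
2023-10-04 10:12:01,004 INFO  [http-nio-8090-exec-1] login succeeded for user jdoe
2023-10-04 10:13:45,102 WARN  [http-nio-8090-exec-3] exception while handling /setup/setupadministrator.action
""".splitlines()
```

Run `suspicious_requests(ACCESS_LOG)` and `security_log_hits(SECURITY_LOG)` to list the hits; every source IP that appears in the first result is a candidate for the account review described above.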
Attention: Installing the available security updates closes the discovered vulnerability, but the cyber attackers' accounts that may have been created previously remain!
Unless admins can restrict external network access to Confluence or immediately apply the security patch, Atlassian recommends a temporary workaround to reduce the attack surface. According to Atlassian, admins should block access to the /setup/* endpoints of their Confluence instances. Atlassian has published the required code and detailed instructions on how to do this on its website.
The workaround blocks access to setup options that are not required for normal use of Confluence. Atlassian explicitly points out that the workaround only has a limited, temporary effect and is in no way intended as a replacement for applying the patch. All affected versions of Confluence must be provided with the update as soon as possible.
Atlassian suspects active exploitation of the vulnerability by state actors
As can be read on the Atlassian website, the company now has evidence that the CVE-2023-22515 vulnerability is being actively exploited by a "known state actor". Although the investigations surrounding the vulnerability are still ongoing, the threat potential is once again increasing significantly; keyword: Advanced Persistent Threats!
The security vulnerability that has been discovered once again shows the importance of reliable, efficient patch management for all software solutions used within a company. Because even with operating systems that are continuously kept up to date, security vulnerabilities occur time and again - as is now the case with Atlassian - that allow cyber criminals to access systems and networks. We would be happy to advise you in detail on our patch management options or work with you to develop a customised IT security solution for your company. The best thing to do is to contact our experts today!