Project Hyphae

Atlassian Confluence – Critical 0-Day Vulnerability


A remotely exploitable privilege escalation flaw has been discovered in Atlassian Confluence and is under active exploitation. Pause reading and go patch your Confluence servers right now. I'll wait, because patching shouldn't be your last step, and you should read the rest of this article.

Now that you're done patching, let's discuss what's happening and what to do next. This flaw, tracked as CVE-2023-22515, affects on-premises Confluence Data Center and Server instances running version 8.0.0 or later; fixed versions are 8.3.3, 8.4.3 and 8.5.2, and Atlassian Cloud sites are not affected. Researchers report that it is exploitable without authentication, allowing an attacker to create an unauthorized Confluence administrator account, which makes it particularly troublesome for internet-facing instances.

Given the nature of what organizations store on Confluence instances (often sensitive data such as project information, and sometimes passwords, IT diagrams, and procedures), this is particularly concerning. It is unclear at this time whether attackers are using this exploit to pivot to additional systems in the environment, but that possibility should be considered when addressing this vulnerability.

As we have found out all too often in recent years (remember Citrix ADC/NetScaler? How about ProxyLogon and ProxyShell?), attackers use these initial points of ingress to inflict far greater harm than the theft of data from the Confluence servers alone. Attackers frequently establish persistence on vulnerable systems, particularly with highly publicized vulnerabilities, and come back later to launch further, and often more destructive, attacks.

Any persistence mechanism an attacker has planted will still be present after patching, so patching alone is often not enough. Impacted servers should be reviewed for the known indicators of compromise (IOCs) in Atlassian's advisory, such as unexpected members of the confluence-administrator group, unexpected newly created user accounts, and requests to the /setup/*.action endpoints in network access logs, as well as any other activity that appears abnormal. I'll say it again: these systems should be investigated EVEN IF the patch has been applied.
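As an added example (not part of the original post or of Atlassian's advisory), the following script hunts for two of the IOCs Atlassian published for CVE-2023-22515: requests to /setup/*.action in the access log of a reverse proxy in front of Confluence, and the /setup/setupadministrator.action exception message in atlassian-confluence-security.log. The combined-format access log layout and the sample lines are assumptions constructed for illustration; adjust the regex if your proxy or Tomcat access log differs.

```python
"""Hunt Confluence logs for CVE-2023-22515 indicators published by Atlassian."""
import re

# Apache/nginx "combined" access log as written by a reverse proxy in front of
# Confluence (assumed layout; adapt COMBINED if your log format differs).
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Atlassian's advisory: on a fully installed instance, any request to a
# /setup/*.action endpoint is an indicator of compromise.
SETUP_ACTION = re.compile(r'^/setup/[^/?]+\.action$')

# Atlassian's advisory: this path inside an exception message in
# atlassian-confluence-security.log is an indicator of compromise.
SECURITY_LOG_IOC = "/setup/setupadministrator.action"


def find_setup_requests(access_lines):
    """Return (ip, timestamp, method, path, status) for each hit on a setup endpoint."""
    hits = []
    for line in access_lines:
        m = COMBINED.match(line)
        if not m:
            continue  # not in the expected format; skip rather than crash the hunt
        path = m.group("path").split("?", 1)[0]  # ignore the query string when matching
        if SETUP_ACTION.match(path):
            hits.append((m.group("ip"), m.group("ts"), m.group("method"),
                         path, int(m.group("status"))))
    return hits


def find_security_log_ioc(security_log_lines):
    """Return the security log lines that mention setupadministrator.action."""
    return [line for line in security_log_lines if SECURITY_LOG_IOC in line]


def source_ips(hits):
    """Distinct source IPs that touched setup endpoints, for pivoting into firewall/VPN logs."""
    return sorted({hit[0] for hit in hits})


# Constructed sample data (not real traffic): two benign requests, two setup-endpoint
# hits from one source, and one unparseable line.
SAMPLE_ACCESS_LOG = [
    '198.51.100.5 - - [04/Oct/2023:10:15:01 +0000] "GET /login.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [04/Oct/2023:10:16:30 +0000] "GET /pages/viewpage.action?pageId=65541 HTTP/1.1" 200 18342 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [04/Oct/2023:10:17:02 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0 "-" "python-requests/2.31"',
    '203.0.113.7 - - [04/Oct/2023:10:17:03 +0000] "GET /setup/finishsetup.action HTTP/1.1" 200 1204 "-" "python-requests/2.31"',
    'this line is not an access log entry',
]

# Constructed sample security log lines (illustrative format, not a captured log).
SAMPLE_SECURITY_LOG = [
    '2023-10-04 10:15:01,002 INFO [http-nio-8090-exec-1] login succeeded for user jdoe',
    '2023-10-04 10:17:02,411 ERROR [http-nio-8090-exec-4] Error: /setup/setupadministrator.action',
]

if __name__ == "__main__":
    for hit in find_setup_requests(SAMPLE_ACCESS_LOG):
        print("setup endpoint hit:", hit)
    for line in find_security_log_ioc(SAMPLE_SECURITY_LOG):
        print("security log IOC:", line)
```

Run it against the real logs by replacing the sample lists with the file contents; the source IPs returned by `source_ips` are the pivot into firewall, VPN and authentication logs for the adjacent-system review below. One caveat: the setup endpoints are legitimately used during the initial installation, so only hits dated after setup completed are meaningful.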

Additionally, any systems that are adjacent to the impacted system, share credentials with it, or have potential connections to it should be fully investigated as well.

For systems that cannot be patched or mitigated immediately, Atlassian has advised restricting external network access to the instance (or blocking access to the /setup/* endpoints) until the patch can be applied. To take this a step further, FRSecure recommends that these systems remain isolated until they have been patched and thoroughly investigated for evidence of exploitation, persistence mechanisms, and lateral movement.

For additional information from Atlassian, including IOCs and mitigation tactics, please see Atlassian's security advisory for CVE-2023-22515.

Reach out to our incident response team for help
