A critical vulnerability has been identified in Atlassian’s Confluence Data Center and Server platforms, tracked as CVE-2023-22518: an improper authorization vulnerability that enables attackers to execute critical commands remotely. It received a critical severity score of 9.1 out of 10, underscoring its potential for significant data compromise. As the situation evolved, security researchers observed active exploitation of this vulnerability across various customer environments, leading to ransomware attacks. These observations confirm that the vulnerability is being used in the wild and emphasize the need for immediate patching to the latest secure versions provided by Atlassian.
“Threat actors who exploit this vulnerability can create unauthorized Confluence administrator accounts and gain access to Confluence instances. Although this action carries severe implications and can have devastating consequences for organizations, it’s crucial to highlight that those exploiting this vulnerability cannot exfiltrate any instance data.”
Notably, Atlassian Cloud services are not affected by this issue.
Next Steps: (When checking for IOCs, also note that a separate vulnerability affecting Atlassian’s Confluence Data Center and Server platforms, CVE-2023-22515, was disclosed last month; IOCs for that vulnerability should be investigated as well. This moves your clean backup date back from October 31st to October 4th, 2023, when that vulnerability was published.)
- Quarantine your on-prem Confluence server.
- Review your on-prem Confluence server for indicators of compromise (IOCs).
  - The exploit creates web shells which will give the attackers access even after patching has occurred.
- If IOCs are discovered: (Please reach out to csirt@frsecure.com if you have any questions or need additional assistance.)
  - Image the device.
  - Restore to a clean backup from prior to October 31st, 2023. (Keep this isolated with no internet access.)
  - Apply the patch from the vendor.
  - Return the device to working order.
  - Continue monitoring for IOCs and further developments.
- If IOCs are not discovered:
  - Apply the patch from the vendor.
  - Continue monitoring for IOCs and further developments.
Mitigations (Apply temporary mitigations if unable to patch):
- Back up your instance. (Instructions: https://confluence.atlassian.com/doc/production-backup-strategy-38797389.html)
- Remove your instance from the internet until you can patch, if possible. Instances accessible to the public internet, including those with user authentication, should be restricted from external network access until you can patch.
- If you cannot restrict external network access or patch, apply these interim measures to mitigate known attack vectors by blocking access to the following endpoints on Confluence instances:
  - /json/setup-restore.action
  - /json/setup-restore-local.action
  - /json/setup-restore-progress.action
- This is possible at the network layer or by making the following change to the Confluence configuration files. On each node, modify <confluence-install-dir>/confluence/WEB-INF/web.xml and add the following block (just before the </web-app> tag at the end of the file):

```xml
<!-- Servlet security constraint covering the three setup-restore endpoints.
     The empty auth-constraint grants no role access, so every request to
     these URL patterns is refused regardless of HTTP method. -->
<security-constraint>
  <web-resource-collection>
    <url-pattern>/json/setup-restore.action</url-pattern>
    <url-pattern>/json/setup-restore-local.action</url-pattern>
    <url-pattern>/json/setup-restore-progress.action</url-pattern>
    <http-method-omission>*</http-method-omission>
  </web-resource-collection>
  <auth-constraint />
</security-constraint>
```
- Restart Confluence.
- Note: These mitigation actions are limited and are not a replacement for patching your instance; you must patch as soon as possible.
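The IOC review in the Next Steps and the endpoint list in the Mitigations above can be combined into a quick access-log sweep. The script below is an added example, not part of the original bulletin or an Atlassian tool; it assumes Tomcat-style common log format (the usual shape of Confluence access logs) and runs over constructed sample lines.

```python
import re
from collections import defaultdict

# The three endpoints the bulletin above says to block for CVE-2023-22518.
SUSPECT_ENDPOINTS = (
    "/json/setup-restore.action",
    "/json/setup-restore-local.action",
    "/json/setup-restore-progress.action",
)

# Common log format: client, identd, user, [timestamp], "METHOD path proto", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def find_setup_restore_hits(lines):
    """Return (ip, timestamp, method, path, status) for every request to a listed endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not access-log entries
        path = m.group("path").split("?", 1)[0]  # compare the path without its query string
        if path in SUSPECT_ENDPOINTS:
            hits.append((m.group("ip"), m.group("ts"), m.group("method"), path, int(m.group("status"))))
    return hits

def summarize_by_source(hits):
    """Count hits per client address so the review can start with the busiest sources."""
    counts = defaultdict(int)
    for ip, *_ in hits:
        counts[ip] += 1
    return dict(counts)

# Constructed sample lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    '10.1.2.3 - - [01/Nov/2023:08:12:01 +0000] "GET /login.action HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Nov/2023:08:13:44 +0000] "POST /json/setup-restore.action HTTP/1.1" 200 311',
    '203.0.113.7 - - [01/Nov/2023:08:13:50 +0000] "GET /json/setup-restore-progress.action?x=1 HTTP/1.1" 200 90',
    '10.1.2.3 - - [01/Nov/2023:08:15:10 +0000] "GET /rest/api/content HTTP/1.1" 200 2048',
    '198.51.100.9 - - [01/Nov/2023:09:01:00 +0000] "POST /json/setup-restore-local.action HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    hits = find_setup_restore_hits(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print(summarize_by_source(hits))
```

A served request (status 200) to any of these endpoints from an address you do not recognise is the signal to follow the "If IOCs are discovered" steps; refused requests show the block is in place but still identify sources worth watching.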
Links:
https://projecthyphae.com/threat/atlassian-confluence-critical-0-day-vulnerability/
POC: https://github.com/davidfortytwo/CVE-2023-22518