Project Hyphae

Critical Confluence Vulnerability CVE-2023-22518 Exploited In The Wild


Atlassian has disclosed a critical vulnerability in Confluence Data Center and Server, CVE-2023-22518, an improper authorization flaw in the instance's setup-restore endpoints. An unauthenticated attacker who can reach those endpoints can trigger a restore of the instance and create administrator accounts, taking over the Confluence server. Atlassian rated the issue critical, 9.1 out of 10. Security researchers have since observed it exploited across multiple customer environments, in some cases followed by ransomware deployment. These observations confirm active exploitation in the wild and make upgrading to the fixed versions Atlassian lists an immediate priority.

“Threat actors who exploit this vulnerability can create unauthorized Confluence administrator accounts and gain access to Confluence instances. Although this action carries severe implications and can have devastating consequences for organizations, it’s crucial to highlight that those exploiting this vulnerability cannot exfiltrate any instance data.”

Notably, Atlassian Cloud services are not affected by this issue.

Next Steps: (When checking for IOCs, also keep in mind that a separate vulnerability in Confluence Data Center and Server, CVE-2023-22515, was disclosed last month; hunt for its IOCs as well. Doing so moves the cutoff for a known-clean backup earlier, from October 31st back to October 4th, 2023, the date CVE-2023-22515 was published.)

  • Quarantine your on-prem Confluence server.
  • Review your on-prem Confluence server for indicators of compromise (IOCs).
    • Attackers who obtain an administrator account through this vulnerability can install web shells that survive patching, so applying the fix alone does not evict an intruder who is already in.
  • If IOCs are discovered: (Please reach out to csirt@frsecure.com if you have any questions or need additional assistance.)
    • Image the device before changing anything, and preserve the application and access logs for the investigation.
    • Restore from a clean backup taken before October 31st, 2023. (Keep the restored server isolated with no internet access until it is patched.)
    • Apply the patch from the vendor.
    • Return the device to working order.
    • Continue monitoring for IOCs and further developments.
  • If IOCs are not discovered:
    • Apply the patch from the vendor.
    • Continue monitoring for IOCs and further developments.

Mitigations (Apply temporary mitigations if unable to patch):

  • Back up your instance. (Instructions: https://confluence.atlassian.com/doc/production-backup-strategy-38797389.html)
  • Remove your instance from the internet until you can patch, if possible. Instances accessible to the public internet, including those with user authentication, should be restricted from external network access until you can patch.
  • If you cannot restrict external network access or patch, apply these interim measures to mitigate the known attack vectors by blocking access to the following endpoints on Confluence instances:
    • /json/setup-restore.action
    • /json/setup-restore-local.action
    • /json/setup-restore-progress.action
  • This can be done at the network layer (a reverse proxy or WAF rule that denies these paths) or by editing the Confluence configuration files.
    On each node, modify <Confluence install directory>/confluence/WEB-INF/web.xml and add the following block just before the closing </web-app> tag at the end of the file:

        <security-constraint>
          <web-resource-collection>
            <url-pattern>/json/setup-restore.action</url-pattern>
            <url-pattern>/json/setup-restore-local.action</url-pattern>
            <url-pattern>/json/setup-restore-progress.action</url-pattern>
            <http-method-omission>*</http-method-omission>
          </web-resource-collection>
          <auth-constraint />
        </security-constraint>

  • Restart Confluence. (In a Data Center cluster, make the change and restart on every node.)
  • Note: These mitigation actions are limited and are not a replacement for patching your instance; you must patch as soon as possible.
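A web.xml edit is easy to get subtly wrong, so it is worth checking the file rather than trusting the change. The script below is an added example written for this advisory, not an Atlassian tool; it parses a web.xml (with or without the Java EE namespace) and reports which of the three setup-restore endpoints are not denied to every caller. It accepts only the deny-all form Atlassian publishes, an empty <auth-constraint/> in a collection that lists no explicit <http-method> (listing methods would constrain only those methods), and ignores <http-method-omission> rather than interpreting it. The three web.xml fragments are constructed test inputs, not real Confluence files.

```python
import sys
import xml.etree.ElementTree as ET

SETUP_RESTORE_PATHS = (
    "/json/setup-restore.action",
    "/json/setup-restore-local.action",
    "/json/setup-restore-progress.action",
)

# Constructed fragment: the advisory's mitigation block applied correctly.
MITIGATED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/json/setup-restore.action</url-pattern>
      <url-pattern>/json/setup-restore-local.action</url-pattern>
      <url-pattern>/json/setup-restore-progress.action</url-pattern>
      <http-method-omission>*</http-method-omission>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>
</web-app>"""

# Constructed fragment: one endpoint forgotten, and another constrained for POST only.
PARTIAL_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/json/setup-restore.action</url-pattern>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/json/setup-restore-progress.action</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>
</web-app>"""

# Constructed fragment: no mitigation at all.
UNMITIGATED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <display-name>Confluence</display-name>
</web-app>"""


def _local(tag):
    """Strip the XML namespace so the check works with any web.xml schema version."""
    return tag.rsplit("}", 1)[-1]


def _kids(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _pattern_covers(pattern, path):
    """Servlet url-pattern matching: exact match, or a path-prefix pattern like /json/*."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        return path.startswith(pattern[:-1])  # keep the trailing slash: "/json/"
    return False


def unprotected_endpoints(web_xml_text, paths=SETUP_RESTORE_PATHS):
    """Return the setup-restore endpoints that web.xml does NOT deny to everyone."""
    root = ET.fromstring(web_xml_text)
    if _local(root.tag) != "web-app":
        raise ValueError("not a web.xml: root element is %r" % root.tag)
    blocked = set()
    for sc in _kids(root, "security-constraint"):
        auth = _kids(sc, "auth-constraint")
        # Only an empty <auth-constraint/> denies all callers; a <role-name> child
        # would merely require that role, so it is not accepted as the mitigation.
        if len(auth) != 1 or len(list(auth[0])) != 0:
            continue
        for wrc in _kids(sc, "web-resource-collection"):
            if _kids(wrc, "http-method"):
                continue  # explicit methods listed: only those are constrained
            patterns = [(p.text or "").strip() for p in _kids(wrc, "url-pattern")]
            blocked.update(p for p in paths if any(_pattern_covers(pat, p) for pat in patterns))
    return [p for p in paths if p not in blocked]


def check_file(path):
    """Check a real web.xml on disk, e.g. <install>/confluence/WEB-INF/web.xml."""
    with open(path, encoding="utf-8") as fh:
        return unprotected_endpoints(fh.read())


if __name__ == "__main__":
    missing = check_file(sys.argv[1]) if len(sys.argv) > 1 else unprotected_endpoints(PARTIAL_WEB_XML)
    if missing:
        print("NOT mitigated; still reachable:", *missing, sep="\n  ")
        sys.exit(1)
    print("web.xml denies all three setup-restore endpoints")
```

Run it with the path to each node's web.xml after the edit and before the restart; a non-zero exit means the block is missing or incomplete on that node. The file check only proves the configuration is right, so after restarting also confirm the behaviour from outside: an unauthenticated request to any of the three paths should now be refused rather than answered.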

Links:

https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html

https://www.rapid7.com/blog/post/2023/11/06/etr-rapid7-observed-exploitation-of-atlassian-confluence-cve-2023-22518/

https://projecthyphae.com/threat/atlassian-confluence-critical-0-day-vulnerability/

POC: https://github.com/davidfortytwo/CVE-2023-22518


