Atlassian Issues Warning on Confluence Vulnerability Exploitation
Atlassian has issued a warning about a Confluence vulnerability that could expose your system to data destruction attacks. The flaw, tracked as CVE-2023-22518, is an authentication bypass issue that was initially given a severity rating of 9.1/10. Atlassian later raised the rating to 10, the highest critical rating, after a change in the scope of the attack. It affects all versions of Confluence Data Center and Confluence Server software.
The company recently discovered a publicly available exploit, which significantly increases the risk for instances exposed to the internet. Although there have been no reports of active exploitation, Atlassian strongly advises immediate action to safeguard your Confluence instances.
If you’ve already applied the patch provided by Atlassian in versions 7.19.16, 8.3.4, 8.4.4, 8.5.3, and 8.6.1, you’re in the clear. However, if you haven’t, it’s crucial to take swift measures.
Also, it’s important to note that Atlassian Cloud sites accessed through an atlassian.net domain remain unaffected.
Mitigating Confluence Vulnerability
Atlassian’s Chief Information Security Officer, Bala Sathiamurthy, emphasizes the potential for significant data loss if an unauthenticated attacker exploits the vulnerability. While the primary risk is data destruction, it’s reassuring that the flaw does not enable data theft.
To mitigate the risk, Atlassian recommends upgrading your Confluence software immediately. If immediate upgrading is not feasible, apply mitigation measures such as backing up unpatched instances and blocking internet access to unpatched servers until the updates are installed.
For those unable to patch their Confluence instances immediately, Atlassian suggests removing known attack vectors by blocking access to specific endpoints. This is done by modifying the /<confluence-install-dir>/confluence/WEB-INF/web.xml file, as outlined in the advisory. Confluence must then be restarted for the change to take effect.
It’s essential to understand that these mitigation actions are temporary and not a substitute for patching. Atlassian emphasizes the urgency of applying the patch as soon as possible.
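A quick way to turn the fixed-version list above and the cloud exception into a repeatable check is a small triage script. The following is an added example written for this article, not a tool from Atlassian or from the advisory. It takes the fixed versions the article names (7.19.16, 8.3.4, 8.4.4, 8.5.3, 8.6.1) and classifies an instance as patched, unpatched, or not affected (an atlassian.net Cloud site). Two assumptions are built in and marked in the code: a release newer than the newest fixed release is treated as carrying the fix, and a release branch with no fixed version listed (for example 8.0 to 8.2) is treated as unpatched and in need of an upgrade. The URL and version inputs in the usage call are constructed sample values.

```python
"""Triage a Confluence instance against the CVE-2023-22518 fixed versions.

Added example for this article, not Atlassian's own code. The fixed
versions come from the article; the handling of newer and unlisted
branches is an assumption documented below.
"""
import re
from urllib.parse import urlparse

# Fixed releases named in the article, keyed by release branch (major, minor).
FIXED_VERSIONS = {
    (7, 19): (7, 19, 16),
    (8, 3): (8, 3, 4),
    (8, 4): (8, 4, 4),
    (8, 5): (8, 5, 3),
    (8, 6): (8, 6, 1),
}
LATEST_FIXED = max(FIXED_VERSIONS.values())  # (8, 6, 1)


def parse_version(text):
    """Parse 'major.minor.patch' into a comparable tuple of ints."""
    match = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    if not match:
        raise ValueError(f"unrecognised Confluence version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_patched(version):
    """Return True when `version` is at or above the fix for its branch.

    Assumption (not stated in the article): any release newer than the
    newest fixed release is treated as carrying the fix. A branch with no
    fixed release listed (e.g. 8.0-8.2) is treated as unpatched, since the
    only remedy there is to upgrade to a fixed branch.
    """
    parsed = parse_version(version)
    branch = parsed[:2]
    if branch in FIXED_VERSIONS:
        return parsed >= FIXED_VERSIONS[branch]
    return parsed > LATEST_FIXED


def assess(base_url, version):
    """Classify one instance: cloud (unaffected), patched, or unpatched."""
    host = (urlparse(base_url).hostname or "").lower()
    # Atlassian Cloud sites served from atlassian.net are not affected.
    if host == "atlassian.net" or host.endswith(".atlassian.net"):
        return "not affected: Atlassian Cloud site"
    if is_patched(version):
        return "patched"
    return ("UNPATCHED: upgrade now, or back up the instance, apply the "
            "advisory's web.xml mitigation, restart Confluence and block "
            "internet access until the update is installed")


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [
        ("https://wiki.example.internal", "7.19.15"),
        ("https://docs.example.internal", "8.5.3"),
        ("https://kb.example.internal", "8.2.0"),
        ("https://example.atlassian.net", "8.0.0"),
    ]
    for url, ver in inventory:
        print(f"{url} ({ver}): {assess(url, ver)}")
```

Run it against your own inventory of Confluence base URLs and reported versions; anything flagged UNPATCHED should be upgraded first, with the web.xml mitigation and network blocking as a stopgap only.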
Conclusion
This warning comes on the heels of a similar advisory last month, where CISA, FBI, and MS-ISAC urged the rapid patching of Atlassian Confluence servers due to an actively exploited privilege escalation vulnerability (CVE-2023-22515). Given the history of Confluence servers being targeted in widespread attacks leading to ransomware, malware, and crypto mining, securing your Confluence instance is paramount. Stay vigilant, apply patches, and take the necessary precautions to protect your data and systems.
The sources for this article include a story from BleepingComputer.