Atlassian has released fixes to contain an actively exploited critical zero-day flaw impacting publicly accessible Confluence Data Center and Server instances.
The vulnerability, tracked as CVE-2023-22515, is remotely exploitable and allows external attackers to create unauthorized Confluence administrator accounts and access Confluence servers.
It does not impact Confluence versions prior to 8.0.0. Confluence sites accessed via an atlassian.net domain are also not vulnerable to this issue.
The enterprise software services provider said it was made aware of the problem by "a handful of customers." It has been addressed in the following versions of Confluence Data Center and Server –
- 8.3.3 or later
- 8.4.3 or later, and
- 8.5.2 (Long Term Support release) or later
The company, however, did not disclose any further specifics about the nature and scale of the exploitation, or the root cause of the vulnerability.
Customers who are unable to apply the updates are advised to restrict external network access to the affected instances.
"Additionally, you can mitigate known attack vectors for this vulnerability by blocking access to the /setup/* endpoints on Confluence instances," Atlassian said. "This is possible at the network layer or by making the following changes to Confluence configuration files."
The company has also provided the following indicators of compromise (IoCs) to determine if an on-premise instance has been potentially breached –
- unexpected members of the confluence-administrator group
- unexpected newly created user accounts
- requests to /setup/*.action in network access logs
- presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory
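The four indicators above can be checked mechanically. The following Python triage script is an added example, not Atlassian's tooling: it scans access-log lines for requests to /setup/*.action, looks for /setup/setupadministrator.action in security-log exception lines, and diffs the current confluence-administrator membership against a known-good baseline. The log lines, IP addresses, timestamps and usernames are constructed for the example; the access-log format assumed is the common combined format that Tomcat's AccessLogValve emits, and the security-log line is a made-up shape that merely contains the string Atlassian says to look for.

```python
"""Triage of the CVE-2023-22515 indicators of compromise (added example, not Atlassian's code)."""
import re
from typing import Iterable

# Combined-format access-log line: host, ident, user, [timestamp], "METHOD path proto", status.
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample access-log lines (addresses, timestamps and paths are invented for this example).
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [04/Oct/2023:10:12:01 +0000] "GET /login.action HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Oct/2023:10:13:45 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0 "-" "curl/8.1"
10.0.0.9 - - [04/Oct/2023:10:15:02 +0000] "GET /rest/api/content?limit=25 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.0.0.9 - - [04/Oct/2023:10:16:40 +0000] "GET /setup/images/logo.png HTTP/1.1" 200 818 "-" "Mozilla/5.0"
"""

# Constructed sample lines standing in for atlassian-confluence-security.log (format invented; only the
# presence of the /setup/setupadministrator.action string in an exception message matters here).
SAMPLE_SECURITY_LOG = """\
2023-10-04 10:12:01,004 INFO  [http-nio-8090-exec-1] login success for user admin
2023-10-04 10:13:45,102 ERROR [http-nio-8090-exec-3] Exception while handling /setup/setupadministrator.action
"""

# Constructed group memberships: the baseline is what the admins expect, the current set is what the
# instance reports now.
BASELINE_ADMINS = {"admin", "svc_backup"}
CURRENT_ADMINS = {"admin", "svc_backup", "zq8kx"}


def find_setup_requests(log_text: str) -> list[dict]:
    """Return access-log entries whose request path matches Atlassian's IoC /setup/*.action.

    The query string is stripped before matching, and static assets under /setup/ (no .action
    suffix) are not reported, so the result is only action invocations.
    """
    hits = []
    for line in log_text.splitlines():
        m = ACCESS_LINE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if path.startswith("/setup/") and path.endswith(".action"):
            hits.append({"ip": m.group("ip"), "method": m.group("method"),
                         "path": path, "status": int(m.group("status")), "ts": m.group("ts")})
    return hits


def security_log_hits(log_text: str) -> list[str]:
    """Return security-log lines that mention /setup/setupadministrator.action."""
    return [line for line in log_text.splitlines() if "/setup/setupadministrator.action" in line]


def unexpected_admins(current: Iterable[str], baseline: Iterable[str]) -> set[str]:
    """Members of confluence-administrator that are not in the approved baseline."""
    return set(current) - set(baseline)


def triage(access_log: str, security_log: str, current_admins: Iterable[str],
           baseline_admins: Iterable[str]) -> dict:
    """Combine the three checks; 'suspect' is True if any indicator fired."""
    setup_hits = find_setup_requests(access_log)
    sec_hits = security_log_hits(security_log)
    rogue = unexpected_admins(current_admins, baseline_admins)
    return {
        "setup_requests": setup_hits,
        "security_log_hits": sec_hits,
        "unexpected_admins": sorted(rogue),
        "suspect": bool(setup_hits or sec_hits or rogue),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_ACCESS_LOG, SAMPLE_SECURITY_LOG, CURRENT_ADMINS, BASELINE_ADMINS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real instance, feed `triage` the Tomcat access log and atlassian-confluence-security.log from the Confluence home directory, and take the baseline from a change-controlled record of who should be in confluence-administrator; the script only reports, and the response steps Atlassian describes (isolate the host, review shared credentials) remain a manual decision.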
"If it is determined that your Confluence Server/DC instance has been compromised, our advice is to immediately shut down and disconnect the server from the network/Internet," Atlassian said.
"Also, you may want to immediately shut down any other systems which potentially share a user base or have common username/password combinations with the compromised system."
"It's rare, though not unprecedented, for a privilege escalation vulnerability to carry a critical severity rating," Rapid7's Caitlin Condon said, adding the flaw is "typically more consistent with an authentication bypass or remote code execution chain than a privilege escalation issue on its own."
With flaws in Atlassian Confluence instances widely exploited by threat actors in the past, it's recommended that customers update to a fixed version immediately, or implement appropriate mitigations.