
A critical privilege-escalation vulnerability in Atlassian Confluence Server and Confluence Data Center has been disclosed, with evidence of exploitation in the wild as a zero-day bug.
The flaw (CVE-2023-22515) affects on-premises instances of the platforms, in versions 8.0.0 and later.
"Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances," according to Atlassian's advisory on CVE-2023-22515, released late on Oct. 4.
Atlassian did not provide a CVSSv3 score, but according to its internal severity level ratings, the score would be in the range of 9 to 10.
The stakes are high. Many organizations use Confluence for project management and collaboration among teams scattered across on-premises and remote locations. Confluence environments often house sensitive data on internal projects as well as on customers and partners.
An Unusual Critical Rating: Remotely Exploitable Privilege Escalation?
The critical designation is a fairly unusual one for privilege escalation issues, Rapid7 researcher Caitlin Condon pointed out in an alert on the Confluence bug.
However, the Atlassian advisory goes on to note that "instances on the public Internet are particularly at risk, as this vulnerability is exploitable anonymously," indicating that it is remotely exploitable, she explained, a rare scenario. She noted that the critical rating is "typically more consistent with an authentication bypass or remote code-execution chain than a privilege-escalation issue on its own."
However, Condon added, "It's possible that the vulnerability could allow a regular user account to elevate to admin — notably, Confluence allows for new user sign-ups with no approval, but this feature is disabled by default."
Patch Now: Confluence a Top Target for Cyberattackers
Atlassian has issued a patch; fixed versions are: 8.3.3 or later; 8.4.3 or later; and 8.5.2 (Long Term Support release) or later.
As for other security options, Atlassian does not specify where the bug resides or any other technical details, though it does note that known attack vectors can be mitigated by blocking access to the /setup/* endpoints on Confluence instances, which is a good indicator of where the problem lies.
Admins should restrict external network access to vulnerable systems until they can be upgraded, and Atlassian recommends checking all affected Confluence instances for the indicators of compromise (IoCs) listed in the advisory.
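A defender-side check that follows from the mitigation advice above: this added Python example (not from the article or from Atlassian) scans access-log lines for requests under /setup/* and flags those coming from outside an assumed internal address range, so admins can see whether the blocked endpoints were reached before the block went in. The log lines, the /setup/example.action path and the 10.0.0.0/8 internal range are constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - alice [05/Oct/2023:09:12:01 +0000] "GET /wiki/pages/viewpage.action?pageId=42 HTTP/1.1" 200 5120
203.0.113.7 - - [05/Oct/2023:09:13:44 +0000] "GET /setup/example.action HTTP/1.1" 200 870
203.0.113.7 - - [05/Oct/2023:09:13:45 +0000] "POST /setup/example.action HTTP/1.1" 302 0
10.0.0.9 - bob [05/Oct/2023:09:14:10 +0000] "GET /setup/example.action HTTP/1.1" 200 870
198.51.100.23 - - [05/Oct/2023:09:15:02 +0000] "GET /login.action HTTP/1.1" 200 3310
"""

# Parses the fields we need from a combined-log-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Hypothetical internal range; adjust to your own network.
INTERNAL = [ip_network("10.0.0.0/8")]

def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)

def find_setup_hits(log_text: str) -> dict:
    """Return {source_ip: [hit, ...]} for every request whose path is under /setup/."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of aborting the scan
        path = m.group("path").split("?", 1)[0]  # compare the path without its query string
        if not path.startswith("/setup/"):
            continue
        hits[m.group("ip")].append({
            "ts": m.group("ts"),
            "method": m.group("method"),
            "path": path,
            "status": int(m.group("status")),
            "external": not is_internal(m.group("ip")),
        })
    return dict(hits)

def external_setup_sources(log_text: str) -> list:
    """Sources outside INTERNAL that reached /setup/*; these are the ones to triage first."""
    return sorted(ip for ip, h in find_setup_hits(log_text).items() if h[0]["external"])

if __name__ == "__main__":
    for ip, h in find_setup_hits(SAMPLE_LOG).items():
        tag = "external" if h[0]["external"] else "internal"
        print(ip, tag, [(x["method"], x["path"], x["status"]) for x in h])
```

Any external source in the output is a candidate for the advisory's IoC review, including a check for administrator accounts nobody provisioned.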
Patching should be top-of-mind; Atlassian is a known target for cyberattackers, as evidenced by the current zero-day exploitation, but there's also further precedent. In June 2022, Atlassian disclosed another critical zero-day vulnerability affecting Confluence Server and Data Center (CVE-2022-26134), this one a more typical remote code execution vulnerability. Proof-of-concept scripts and mass exploitation quickly followed the disclosure, peaking at 100,000 exploitation attempts per day.