Atlassian Confluence Data Center and Confluence Server Privilege Escalation Vulnerability (CVE-2023-22515)

Atlassian Confluence Data Center and Confluence Server are affected by a privilege escalation vulnerability, CVE-2023-22515, which is rated critical with a CVSS score of 10. A remote attacker can exploit it in a low-complexity attack that requires no user interaction. Successful exploitation may allow attackers to create unauthorized Confluence administrator accounts and gain access to Confluence instances.

Atlassian states in its advisory that customers reported exploitation of this vulnerability on publicly accessible Confluence Data Center and Server instances.

Atlassian also states in the advisory that Atlassian Cloud sites are unaffected. A Confluence site accessed via an atlassian.net domain and hosted by Atlassian is not vulnerable to this issue.

CISA has added CVE-2023-22515 to its Known Exploited Vulnerabilities Catalog and recommends that users patch it before October 26, 2023.

Indicators of Compromise

The advisory recommends checking all affected Confluence instances for the following indicators of compromise:

  • Unexpected members of the confluence-administrator group
  • Unexpected newly created user accounts
  • Requests to /setup/*.action in network access logs
  • Presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory
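The two log-based indicators above can be checked mechanically. The following Python script is an added example, not code from the Qualys post or from Atlassian's advisory: it scans access-log lines for requests to /setup/*.action and security-log lines for the setup-administrator action. It assumes the access log uses the common Tomcat/Apache "combined" layout, and every sample log line in it is constructed, not real traffic.

```python
import re
from typing import Dict, Iterable, List

# Indicator from the advisory: requests to /setup/*.action in the access log.
# The access-log layout is an assumption (Tomcat/Apache "combined" format).
ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Match the path component only, ignoring any query string or ;jsessionid suffix.
SETUP_ACTION_RE = re.compile(r'^/setup/[^/?;]+\.action(?:[?;]|$)', re.IGNORECASE)

# Indicator from the advisory: the setup-administrator action named inside an
# exception message in atlassian-confluence-security.log.
SECURITY_LOG_NEEDLE = '/setup/setupadministrator.action'


def scan_access_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one record per access-log line whose request path is /setup/*.action."""
    hits = []
    for line in lines:
        m = ACCESS_LOG_RE.match(line)
        if m and SETUP_ACTION_RE.match(m.group('path')):
            hits.append({k: m.group(k) for k in ('ip', 'ts', 'method', 'path', 'status')})
    return hits


def scan_security_log(lines: Iterable[str]) -> List[str]:
    """Return security-log lines that mention the setup-administrator action."""
    return [line for line in lines if SECURITY_LOG_NEEDLE in line.lower()]


# Constructed sample log lines (not real traffic); only the 2nd and 3rd access lines match.
SAMPLE_ACCESS_LOG = [
    '203.0.113.10 - - [05/Oct/2023:10:01:02 +0000] "GET /login.action HTTP/1.1" 200 5120',
    '203.0.113.10 - - [05/Oct/2023:10:01:09 +0000] "GET /setup/setupadministrator.action HTTP/1.1" 200 3010',
    '203.0.113.10 - - [05/Oct/2023:10:01:12 +0000] "POST /setup/setupadministrator.action;jsessionid=ABC HTTP/1.1" 302 0',
    '198.51.100.7 - - [05/Oct/2023:10:02:00 +0000] "GET /setup/images/logo.png HTTP/1.1" 404 0',
    '198.51.100.7 - - [05/Oct/2023:10:02:05 +0000] "GET /pages/viewpage.action?pageId=1 HTTP/1.1" 200 9000',
]
SAMPLE_SECURITY_LOG = [
    '2023-10-05 10:01:12 INFO constructed sample: login succeeded for user alice',
    '2023-10-05 10:01:13 WARN constructed sample: exception while handling /setup/setupadministrator.action',
]

if __name__ == '__main__':
    for hit in scan_access_log(SAMPLE_ACCESS_LOG):
        print('access-log indicator:', hit)
    for line in scan_security_log(SAMPLE_SECURITY_LOG):
        print('security-log indicator:', line)
```

Any hit should be correlated with the account-based indicators above (new accounts, confluence-administrator membership), since a request to a setup action on a fully configured instance is unexpected on its own.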

Affected Versions

The vulnerability affects the following versions of the Confluence Data Center and Confluence Server:

  • 8.0.0
  • 8.0.1
  • 8.0.2
  • 8.0.3
  • 8.0.4
  • 8.1.0
  • 8.1.1
  • 8.1.3
  • 8.1.4
  • 8.2.0
  • 8.2.1
  • 8.2.2
  • 8.2.3
  • 8.3.0
  • 8.3.1
  • 8.3.2
  • 8.4.0
  • 8.4.1
  • 8.4.2
  • 8.5.0
  • 8.5.1

Mitigation

Users must upgrade to one of the following fixed versions:

  • 8.3.3 or later
  • 8.4.3 or later
  • 8.5.2 (Long-Term Support release) or later

Please refer to the Atlassian Security Advisory (CONFSERVER-92475) for more information.

Workaround

If users cannot upgrade to a fixed version, Atlassian recommends restricting external network access to the affected instance.

Additionally, users can mitigate known attack vectors for this vulnerability by restricting access to the /setup/* endpoints on Confluence instances. These adjustments can be made to Confluence configuration files or at the network layer.

  1. Modify /<confluence-install-dir>/confluence/WEB-INF/web.xml and add the following block of code (just before the </web-app> tag at the end of the file) on each node:

     <security-constraint>
       <web-resource-collection>
         <url-pattern>/setup/*</url-pattern>
         <http-method-omission>*</http-method-omission>
       </web-resource-collection>
       <auth-constraint />
     </security-constraint>

  2. Restart Confluence.

Qualys Detection

Qualys customers can scan their devices with QIDs 730931 and 378914 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html
