Introduction
This letter serves as an urgent notification regarding a critical vulnerability, CVE-2023-22515, which affects Atlassian Confluence Data Center and Server. Confluence is widely used for collaboration among development, IT operations, and business teams to work on projects and share documents and knowledge.
Key Takeaways
- Critical Vulnerability: CVE-2023-22515 is a severe privilege escalation vulnerability affecting Atlassian Confluence Data Center and Server, enabling attackers to create unauthorized administrator accounts.
- Affected Versions: Confluence versions from 8.0.0 to 8.2.3 are susceptible to this vulnerability, while versions prior to 8.0.0 are not affected.
- Exploitation in the Wild: The vulnerability has been exploited in the wild, although no public Proof of Concepts (PoCs) have been released yet.
- Official Advisory: Atlassian issued an official advisory urging users to upgrade their Confluence instances to the latest versions as the primary remediation measure.
Recommendations
- Upgrade Promptly: Upgrade Confluence Data Center and Server to versions 8.3.3, 8.4.3, or 8.5.2 (Long Term Support release) or later to remediate the vulnerability.
- Restrict External Access: If an immediate upgrade is not feasible, restrict external network access to the affected Confluence instance as a temporary measure.
- Block Vulnerable Endpoints: Block access to the /setup/* endpoints on Confluence instances either at the network layer or by modifying the Confluence configuration files accordingly.
- Continuous Monitoring: Monitor the Confluence instances for any unusual activities and ensure that security configurations are reviewed and updated regularly to prevent potential exploitations.
Technical details
The vulnerability is classified as a privilege escalation flaw. Successful exploitation allows an attacker to create an unauthorized Confluence administrator account and thereby gain administrative access to the affected Confluence instance.
Affected products
Confluence Data Center and Confluence Server versions 8.0.0 through 8.2.3 are affected by this vulnerability.
Available vendor patches
Atlassian recommends upgrading to one of the fixed versions of Confluence Server or Data Center, specifically versions 8.3.3 or later, 8.4.3 or later, or 8.5.2 (Long Term Support release) or later, as the primary method of remediation.
Available Proof of Concepts
No public proof-of-concept (PoC) exploit is available as of this writing; nonetheless, the vulnerability has reportedly been exploited in the wild in a limited number of cases.
Mitigations
If upgrading is not immediately possible, the following mitigation steps are recommended:
- Restrict external network access to the affected Confluence instance.
- Block access to the /setup/* endpoints on Confluence instances, either at the network layer or by modifying the Confluence configuration files on each node as follows:
  Navigate to /<confluence-install-dir>/confluence/WEB-INF/web.xml and add the following block of code (just before the </web-app> tag at the end of the file):
    <security-constraint>
        <web-resource-collection>
            <url-pattern>/setup/*</url-pattern>
            <http-method-omission>*</http-method-omission>
        </web-resource-collection>
        <auth-constraint />
    </security-constraint>
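As an added illustration (not part of the advisory or Atlassian's own tooling), the following Python helper applies the version ranges stated above to a Confluence version string and verifies that a node's web.xml actually carries the /setup/* security-constraint described in the mitigation. The web.xml documents used to exercise it are constructed samples; the XML namespace handling is an assumption about the servlet descriptor format.

```python
import re
import xml.etree.ElementTree as ET

# Version ranges exactly as stated in the advisory above.
AFFECTED_MIN, AFFECTED_MAX = (8, 0, 0), (8, 2, 3)
FIXED_BY_BRANCH = {(8, 3): (8, 3, 3), (8, 4): (8, 4, 3), (8, 5): (8, 5, 2)}


def parse_version(text):
    """Turn '8.5.2' into the tuple (8, 5, 2) so versions compare correctly."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    return tuple(int(x) for x in m.groups())


def classify_version(text):
    """Map a version to: not affected / vulnerable / fixed / below fixed release."""
    v = parse_version(text)
    if v < AFFECTED_MIN:
        return "not affected"
    if v <= AFFECTED_MAX:
        return "vulnerable"
    if v >= (8, 5, 2):            # 8.5.2 (LTS) or later is fixed
        return "fixed"
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:              # e.g. 8.2.4: not listed in the advisory
        return "not covered by advisory"
    return "fixed" if v >= fixed else "below fixed release"


def _local(tag):
    """Strip the servlet XML namespace, e.g. '{...javaee}url-pattern' -> 'url-pattern'."""
    return tag.rsplit("}", 1)[-1]


def setup_endpoints_blocked(web_xml_text):
    """True if web.xml denies all access to /setup/* via an empty <auth-constraint/>."""
    root = ET.fromstring(web_xml_text)
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns = [e.text.strip() for e in sc.iter()
                    if _local(e.tag) == "url-pattern" and e.text]
        auth = [e for e in sc if _local(e.tag) == "auth-constraint"]
        # An auth-constraint that names roles still permits those roles;
        # only an empty one denies every caller, which is what the mitigation needs.
        if "/setup/*" in patterns and auth and not any(
                _local(c.tag) == "role-name" for c in auth[0]):
            return True
    return False
```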