Critical Confluence Vulnerability – CVE-2023-22518
On October 31st, Atlassian disclosed a significant security vulnerability tracked as CVE-2023-22518, affecting all versions of Confluence Data Center and Confluence Server. The vulnerability is rated critical, with a Common Vulnerability Scoring System (CVSS) score of 9.1, and can result in substantial data loss if exploited by threat actors.
The critical rating reflects the severity of the impact on an organization’s data integrity. The widespread adoption of Confluence across organizations further magnifies the risk.
Atlassian’s Confluence Data Center and Confluence Server are popular platforms for knowledge sharing, document creation, and collaborative work, utilized by millions of users across various industries, including technology, finance, healthcare, government, and education.
At the time of writing, no real-world attacks or active exploitation have been identified. However, Cyberint has detected indications that proof-of-concept (PoC) exploits are forthcoming.
This disclosure follows a recent warning from CISA, FBI, and MS-ISAC, urging network administrators to promptly apply patches to address an actively exploited privilege escalation vulnerability tracked as CVE-2023-22515 in Atlassian Confluence servers.
That vulnerability was observed being exploited by a threat group known as ‘Storm-0062’ (also referred to as DarkShadow or Oro0lxy) in critical privilege escalation zero-day attacks on Atlassian Confluence Data Center and Server, starting on September 14, 2023.
Impact
Threat actors who exploit this vulnerability can create unauthorized Confluence administrator accounts and gain access to Confluence instances. Although this can have devastating consequences for organizations, it is important to note that attackers exploiting this vulnerability cannot exfiltrate any instance data; their impact is limited to potentially destroying data on the affected servers.
Who Is Vulnerable?
This Improper Authorization vulnerability impacts all versions preceding the designated fix versions of Confluence Data Center and Server. Specifically:
For Atlassian Confluence Data Center:
All versions before the following fixed versions:
- 7.19.16
- 8.3.4
- 8.4.4
- 8.5.3
- 8.6.1
For Atlassian Confluence Server:
All versions before the following fixed versions:
- 7.19.16
- 8.3.4
- 8.4.4
- 8.5.3
- 8.6.1
It’s worth noting that Atlassian Cloud sites accessed via an atlassian.net domain remain unaffected by this vulnerability.
Recommendations
Cyberint recommends the following actions to mitigate the associated risks with this vulnerability:
- Prioritize patching by upgrading all affected installations to the fixed versions listed earlier in this report. Publicly accessible Confluence instances should be addressed first.
- If immediate patching is not an option, implement mitigation measures, including creating backups of unpatched instances and restricting Internet access until the systems are patched. Instances reachable from the public internet, including those that require user authentication, should be restricted from external network access until patching is complete.
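The fixed-version list above and the recommendation to patch publicly accessible instances first can be turned into a simple triage check. The following is an added example written for this report; it is not code from Cyberint or Atlassian. It encodes the advisory's fixed versions per release branch, treats branches older than 8.6 with no listed fix (everything before 7.19, and 8.0 through 8.2) as vulnerable, flags branches newer than any listed as "unknown" (an assumption: such releases are outside what this report states, so they are routed to the current Atlassian advisory rather than classified), excludes atlassian.net Cloud sites as the report says, and sorts internet-facing vulnerable hosts to the top. The hostnames and versions in the sample inventory are constructed.

```python
# Added example (not from Cyberint or Atlassian): classify Confluence
# Data Center / Server versions against the fixed versions listed in the
# advisory for CVE-2023-22518 and prioritise patching.
import re

# Fixed versions from the advisory, keyed by release branch (major, minor).
FIXED_VERSIONS = {
    (7, 19): 16,
    (8, 3): 4,
    (8, 4): 4,
    (8, 5): 3,
    (8, 6): 1,
}
NEWEST_FIX_BRANCH = max(FIXED_VERSIONS)  # (8, 6)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Return (major, minor, patch) for an 'x.y.z' version string.
    Raises ValueError for anything else (e.g. '8.5' or '8.5.3-beta')."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    return tuple(int(p) for p in m.groups())


def assess(version, host=None):
    """Classify one installation. Returns one of:
      'not-affected' - Atlassian Cloud site (atlassian.net), per the advisory
      'patched'      - at or above the fixed version for its branch
      'vulnerable'   - below the fix for its branch, or on a branch older
                       than 8.6 for which the advisory lists no fixed release
      'unknown'      - newer than any branch the advisory lists (assumption:
                       not covered here; consult the current Atlassian advisory)
    """
    if host:
        h = host.lower()
        if h == "atlassian.net" or h.endswith(".atlassian.net"):
            return "not-affected"
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_VERSIONS:
        return "patched" if patch >= FIXED_VERSIONS[branch] else "vulnerable"
    if branch < NEWEST_FIX_BRANCH:
        # Everything before 7.19 and the 8.0-8.2 branches: no fixed release
        # in the branch, so the instance must be upgraded to a listed fix.
        return "vulnerable"
    return "unknown"


def triage(inventory):
    """inventory: iterable of (host, version, internet_facing) tuples.
    Returns [(host, status, priority)] sorted so that internet-facing
    vulnerable hosts come first, as the advisory recommends."""
    rows = []
    for host, version, internet_facing in inventory:
        status = assess(version, host)
        if status == "vulnerable":
            priority = 1 if internet_facing else 2
        elif status == "unknown":
            priority = 3
        else:
            priority = 4
        rows.append((host, status, priority))
    rows.sort(key=lambda r: (r[2], r[0]))
    return rows


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("wiki.example.internal", "8.5.2", False),
    ("docs.example.com", "8.2.0", True),
    ("kb.example.com", "7.19.16", True),
    ("team.example.internal", "8.6.1", False),
    ("acme.atlassian.net", "8.5.0", True),
    ("lab.example.internal", "8.7.0", False),
]

if __name__ == "__main__":
    for host, status, priority in triage(SAMPLE_INVENTORY):
        print(f"P{priority} {status:<13} {host}")
```

Run against a real inventory export, the output gives a patch order: P1 rows are internet-facing and vulnerable (patch or isolate immediately), P2 are vulnerable but internal, P3 need a manual check against the current Atlassian advisory, and P4 are already patched or are Cloud sites.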
To learn more about how our threat intelligence research helps protect businesses against ransomware and other risks, request a demo.