Critical Confluence Vulnerability – CVE-2023-22518 
CVE 2023-22518
  • Table of contents

The author

user_image
Coral Tayar
Share on LinkedIn

Security Researcher at Cyberint

Table of contents

Related Articles

BREACHFORUMS SEIZED
8base ransomware group
Research

Critical Confluence Vulnerability – CVE-2023-22518 

12月 19, 2023

Originally Published: November 2nd 2023

On October 31st, Atlassian disclosed a significant security vulnerability tracked as CVE-2023-22518, affecting all versions of Confluence Data Center and Confluence Server software. This vulnerability, rated with a critical severity score of 9.1 in the Common Vulnerability Scoring System (CVSS), has the potential to result in substantial data loss if exploited by threat actors.

Its critical nature arises from its capacity to inflict severe consequences on an organization’s data integrity. Additionally, the widespread adoption of Confluence in numerous organizations magnifies the risk.

Cyberint Argos platform CVE intel module
Figure 1: Cyberint Argos platform CVE intel module  

Atlassian’s Confluence Data Center and Confluence Server are popular platforms for knowledge sharing, document creation, and collaborative work, utilized by millions of users across various industries, including technology, finance, healthcare, government, and education. 

Indications of forthcoming Proof of Concepts (POCs) have been detected by Cyberint. A group using the name “C3RB3R” claimed in a ransom note had exploited the Atlassian bug. Atlassian responded with “We received a customer report of an active exploit. Customers must take immediate action to protect their instances. If you already applied the patch, no further action is required”.

This disclosure follows a recent warning from CISA, FBI, and MS-ISAC, urging network administrators to promptly apply patches to address an actively exploited privilege escalation vulnerability tracked as CVE-2023-22515 in Atlassian Confluence servers.

This vulnerability had been observed to be exploited by a threat group known as ‘Storm-0062’ (also referred to as DarkShadow or Oro0lxy) to carry out a critical privilege escalation zero-day attack on Atlassian Confluence Data Center and Server, starting on September 14, 2023. 

The publishing of these issues, which were found through the company’s bug bounty program and internal pen-testing marks a change in Atlassian’s vulnerability disclosure policy. Until now the company only disclosed first part critical-severity vulnerabilities, but this has been expanded to high severity issues as well. “While this change results in an increase of visibility and disclosures, it does not mean there are more  vulnerabilities,” the company said. “Rather that we are taking a more proactive approach to vulnerability transparency and are committed to providing our customers with the information they need to make informed decisions about updating our products”.

Impact 

Threat actors who exploit this vulnerability can create unauthorized Confluence administrator accounts and gain access to Confluence instances. Although this action carries severe implications and can have devastating consequences for organizations, it’s crucial to highlight that those exploiting this vulnerability cannot exfiltrate any instance data. Their impact is limited to potentially destroying data on the affected servers. 

Who Is Vulnerable? 

 This Improper Authorization vulnerability impacts all versions preceding the designated fix versions of Confluence Data Center and Server. Specifically: 

For Atlassian Confluence Data Center: 

All versions before the following fixed versions: 

  • 7.19.16
  • 8.3.4
  • 8.4.4
  • 8.5.3
  • 8.6.1 

For Atlassian Confluence Server: 

All versions before the following fixed versions: 

  • 7.19.16
  • 8.3.4
  • 8.4.4
  • 8.5.3
  • 8.6.1 

It’s worth noting that Atlassian Cloud sites accessed via an atlassian.net domain remain unaffected by this vulnerability.   

Additional Vulnerabilities Occurring in December 2023

There are several more vulnerabilities:

  • CVE-2023-22522, allows authenticated users to add code to a Confluence template
    • “CVE-2023-22522 exploitation requires an authenticated attacker, meaning a user account, but [also] some customers, have anonymous access enabled, which will allow the exploit assuming it’s internet-facing,” an Atlassian spokesperson told SC Media.
  • CVE-2023-22523, occurs between Assets Discovery and Assets Discovery agents — software that allows offline devices to be detected by the Assets Discovery app.
  • CVE-2023-22524 affects macOS users only as the Windows app does not appear to be affected.

The new Atlassian vulnerabilities can be explored further in Adi Bleih’s blog here.

Recommendations  

Cyberint recommends the following actions to mitigate the associated risks with this vulnerability: 

  • Prioritize patching by applying the designated fixed versions (see latest patching updates from cso online here) mentioned earlier in this report to all affected installations. Notably, it is advisable first to address publicly accessible Confluence instances.
  • If immediate patching is not an option, consider implementing mitigation measures, including creating backups for unpatched instances and restricting Internet access until the systems are patched. Instances accessible via the public internet, including those with user authentication, should be carefully restricted from external network access until the patching process is completed. 

To learn more about how our threat intelligence research helps protect businesses against ransomware and other risks, request a demo.