A good reason to update Confluence

It's time to update Confluence Data Center and Confluence Server: they contain a serious vulnerability that allows unauthorized creation of administrator accounts.

Alanna Titterington, October 23, 2023

Recently, CISA, the FBI, and MS-ISAC issued a joint advisory urging all organizations that use Confluence Data Center and Confluence Server to update the software immediately because of a major vulnerability. Here's what the problem is and why this advisory is on point.

CVE-2023-22515 in Confluence Data Center and Confluence Server

The vulnerability in question, designated CVE-2023-22515, has received the maximum CVSS 3.0 score of 10.0 and critical status. It allows an attacker, even an unauthenticated one, to restart the server configuration process. By exploiting CVE-2023-22515, an attacker can create accounts with administrator rights on a vulnerable Confluence server.

CVE-2023-22515: high severity level and high exploitability.

Only organizations using on-premises Atlassian Confluence Data Center and Confluence Server are at risk. Confluence Cloud customers are not affected. Nor does the vulnerability affect Confluence Data Center and Confluence Server versions earlier than 8.0.0. Below is the full list of vulnerable versions according to Atlassian:

8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4
8.1.0, 8.1.1, 8.1.3, 8.1.4
8.2.0, 8.2.1, 8.2.2, 8.2.3
8.3.0, 8.3.1, 8.3.2
8.4.0, 8.4.1, 8.4.2
8.5.0, 8.5.1

Exploitation in the wild and PoC on GitHub

The main problem is that the vulnerability is extremely easy to exploit. This is made worse by the fact that a successful attack on a vulnerable server doesn't require access to an account on it, which significantly expands the scope for attacker activity.
The key feature of the attack is that vulnerable versions of Confluence Data Center and Confluence Server allow attackers to change the value of the bootstrapStatusProvider.applicationConfig.setupComplete attribute to false without authenticating to the server. By doing so, they reinitialize the server setup stage and are then free to create their own administrator accounts.

Key feature of Confluence Data Center and Confluence Server vulnerability exploitation.

Please note that this isn't just theory — real attacks are already being carried out. A week after information about CVE-2023-22515 was made public, the Microsoft Threat Intelligence team observed an APT group exploiting this vulnerability.

Microsoft Threat Intelligence alert about CVE-2023-22515 exploitation in the wild.

As mentioned above, this vulnerability in Confluence Data Center and Confluence Server is extremely easy to exploit. This means that not only highly skilled APT hackers can exploit it, but even bored schoolkids too. A proof-of-concept exploit for CVE-2023-22515 has already appeared on GitHub, complete with a Python script for easy-as-pie exploitation on a mass scale: all an attacker needs to do is feed the script a list of target server addresses.

How to secure your infrastructure against CVE-2023-22515

If possible, you should update your Confluence Data Center or Confluence Server to a version in which the vulnerability is already patched (8.3.3, 8.4.3, 8.5.2), or to a later version within the same branch. If you are unable to update, it's recommended to remove vulnerable Confluence servers from public access; that is, disable access to them from external networks until the update is installed. If this too cannot be done, an interim measure is to mitigate the threat by blocking access to configuration pages. More details can be found in Atlassian's own advisory.
Atlassian's advisory notes, however, that this option doesn't eliminate the need to update Confluence Data Center or Confluence Server: it only temporarily thwarts a known attack vector.

Additionally, organizations that use Confluence Data Center or Confluence Server are advised to check whether this vulnerability has already been used in attacks against them. Some indications of CVE-2023-22515 exploitation are:

- Suspicious new members of the confluence-administrators group
- Unexpected newly created user accounts
- Requests to /setup/*.action in network access logs
- Presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory

Keep in mind that gaining control over Confluence through CVE-2023-22515 exploitation is unlikely to be the attackers' primary goal. Instead, it will likely serve as a foothold from which to launch further attacks on the company's information systems. To monitor suspicious activity in corporate infrastructure, use an EDR (Endpoint Detection and Response) solution. If your in-house information security team lacks the resources, you can outsource the job to an external service that will continuously search for threats targeting your organization and respond to them in a timely manner.
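As an added illustration of the indicators listed above (this is example code written for this article, not Atlassian's or Kaspersky's tooling), the following Python triage script checks access-log lines for /setup/*.action requests, scans atlassian-confluence-security.log lines for the setupadministrator.action exception, and diffs the confluence-administrators membership against a known-good snapshot. The access-log format (combined-log style) and the security-log line layout are assumptions, and all sample lines and account names are constructed.

```python
import re
from typing import Dict, List, Set

# Constructed sample data (not from a real incident). The indicator paths and the
# log file name are the ones the article lists; the log line layouts are assumed.
ACCESS_LOG = """\
203.0.113.5 - - [10/Oct/2023:14:02:11 +0000] "GET /login.action HTTP/1.1" 200 4123
203.0.113.5 - - [10/Oct/2023:14:02:20 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0
198.51.100.7 - - [10/Oct/2023:14:05:01 +0000] "GET /pages/viewpage.action?pageId=1 HTTP/1.1" 200 9001
203.0.113.5 - - [10/Oct/2023:14:02:25 +0000] "GET /setup/finishsetup.action HTTP/1.1" 200 100
"""
SECURITY_LOG = """\
2023-10-10 14:01:59,001 INFO [http-nio-8090-exec-2] login attempt for user alice
2023-10-10 14:02:20,115 WARN [http-nio-8090-exec-4] Exception handling /setup/setupadministrator.action: setup already complete
"""
BASELINE_ADMINS = {"alice", "confluence-svc"}            # known-good membership snapshot (constructed)
CURRENT_ADMINS = {"alice", "confluence-svc", "support"}  # what the server reports now (constructed)

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
SETUP_ACTION_RE = re.compile(r"^/setup/[^/?]+\.action")  # any request to /setup/*.action

def find_setup_requests(access_log: str) -> List[Dict[str, str]]:
    """Return parsed access-log requests whose path matches /setup/*.action."""
    hits = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if m and SETUP_ACTION_RE.match(m.group("path")):
            hits.append({k: m.group(k) for k in ("ip", "ts", "method", "path", "status")})
    return hits

def find_setup_admin_exceptions(security_log: str) -> List[str]:
    """Return security-log lines whose exception message names setupadministrator.action."""
    return [ln for ln in security_log.splitlines() if "/setup/setupadministrator.action" in ln]

def new_admins(baseline: Set[str], current: Set[str]) -> Set[str]:
    """Members of confluence-administrators that were not present in the baseline snapshot."""
    return current - baseline

def triage(access_log: str, security_log: str, baseline: Set[str], current: Set[str]) -> Dict[str, object]:
    """Combine the three checks into one report; 'suspicious' is True if any indicator fired."""
    reqs = find_setup_requests(access_log)
    excs = find_setup_admin_exceptions(security_log)
    added = new_admins(baseline, current)
    return {
        "setup_requests": reqs,
        "setup_admin_exceptions": excs,
        "new_admins": sorted(added),
        "source_ips": sorted({r["ip"] for r in reqs}),  # who to pivot on in firewall/proxy logs
        "suspicious": bool(reqs or excs or added),
    }

if __name__ == "__main__":
    for key, value in triage(ACCESS_LOG, SECURITY_LOG, BASELINE_ADMINS, CURRENT_ADMINS).items():
        print(f"{key}: {value}")
```

A hit on any of the three checks is a reason to treat the server as compromised rather than merely vulnerable, since the article notes the foothold is usually a starting point for further activity.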