<h1>A good reason to update Confluence</h1>
<p>Kaspersky blog, 23 October 2023. Source: <a href="https://www.kaspersky.com/blog/confluence-data-center-server-vulnerability/49404/">https://www.kaspersky.com/blog/confluence-data-center-server-vulnerability/49404/</a></p>
<p>It’s time to update Confluence Data Center and Confluence Server: they contain a serious vulnerability that allows unauthorized creation of administrator accounts.</p>
<p>Recently, CISA, the FBI, and <a href="https://en.wikipedia.org/wiki/Center_for_Internet_Security">MS-ISAC</a> issued a joint <a href="https://www.theregister.com/2023/10/17/confluence_zero_day_advisory/">advisory</a> urging all organizations that run Confluence Data Center or Confluence Server to update the software immediately because of a critical vulnerability. Here’s what the problem is and why the advisory is on point.</p>
<h2>CVE-2023-22515 in Confluence Data Center and Confluence Server</h2>
<p>The vulnerability in question, designated <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-22515">CVE-2023-22515</a>, has received the maximum CVSS score of 10.0 and critical status. It lets an attacker who holds no account on the server re-trigger the initial setup process, and by exploiting it they can create accounts with administrator rights on a vulnerable Confluence instance.</p>
<div id="attachment_49405" class="wp-caption aligncenter"><img src="https://media.kasperskydaily.com/wp-content/uploads/sites/92/2023/10/23093727/confluence-data-center-server-vulnerability-1-scaled.jpg" alt="CVE-2023-22515 severity level"><p id="caption-attachment-49405" class="wp-caption-text">CVE-2023-22515: critical severity and high exploitability. <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-22515">Source</a></p></div>
<p>Only organizations running on-premises Atlassian Confluence Data Center or Confluence Server are at risk. Confluence Cloud customers are not affected, and neither are Data Center and Server versions earlier than 8.0.0. Below is the full list of vulnerable versions according to Atlassian:</p>
<ul>
<li>8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4</li>
<li>8.1.0, 8.1.1, 8.1.3, 8.1.4</li>
<li>8.2.0, 8.2.1, 8.2.2, 8.2.3</li>
<li>8.3.0, 8.3.1, 8.3.2</li>
<li>8.4.0, 8.4.1, 8.4.2</li>
<li>8.5.0, 8.5.1</li>
</ul>
<h2>Exploitation in the wild and PoC on GitHub</h2>
<p>The main problem is that the vulnerability is extremely easy to exploit, and a successful attack requires no account on the target server at all, which greatly widens the pool of potential attackers.</p>
<p>The core of the attack is that vulnerable versions of Confluence Data Center and Confluence Server let an unauthenticated request set the <code>bootstrapStatusProvider.applicationConfig.setupComplete</code> attribute to <code>false</code> (the public proof of concept passes it as a query parameter to <code>/server-info.action</code>). This drops the server back into its initial setup stage, and the setup wizard’s <code>/setup/setupadministrator.action</code> step, which assumes no administrator exists yet, then lets the attacker create an administrator account of their own.</p>
<div id="attachment_49406" class="wp-caption aligncenter"><img src="https://media.kasperskydaily.com/wp-content/uploads/sites/92/2023/10/23094142/confluence-data-center-server-vulnerability-2.png" alt="Key feature of CVE-2023-22515 exploitation"><p id="caption-attachment-49406" class="wp-caption-text">Key feature of Confluence Data Center and Confluence Server vulnerability exploitation. <a href="https://github.com/vulhub/vulhub/tree/master/confluence/CVE-2023-22515">Source</a></p></div>
<p>This isn’t just theory: real attacks are already under way. A week after CVE-2023-22515 was publicly disclosed, the Microsoft Threat Intelligence team <a href="https://twitter.com/MsftSecIntel/status/1711871732644970856">reported</a> that it had observed the nation-state group Storm-0062 (also tracked as DarkShadow and Oro0lxy) exploiting the vulnerability in the wild since September 14, 2023, that is, before the vulnerability was made public.</p>
<div id="attachment_49407" class="wp-caption aligncenter"><img src="https://media.kasperskydaily.com/wp-content/uploads/sites/92/2023/10/23094237/confluence-data-center-server-vulnerability-3.png" alt="Microsoft Threat Intelligence alert about CVE-2023-22515 exploitation by Storm-0062 (aka DarkShadow, Oro0lxy)"><p id="caption-attachment-49407" class="wp-caption-text">Microsoft Threat Intelligence alert about CVE-2023-22515 exploitation in the wild. <a href="https://twitter.com/MsftSecIntel/status/1711871732644970856">Source</a></p></div>
<p>As mentioned above, this vulnerability is extremely easy to exploit, so it is within reach not only of skilled APT operators but also of <a href="https://www.kaspersky.com/blog/social-engineering-cases/48697/">bored schoolkids</a>. A <a href="https://github.com/vulhub/vulhub/tree/master/confluence/CVE-2023-22515">proof-of-concept exploit for CVE-2023-22515</a> has already appeared on GitHub, along with a <a href="https://github.com/Chocapikk/CVE-2023-22515">Python script</a> that automates exploitation at scale: all an attacker has to do is feed it a list of target server addresses.</p>
<h2>How to secure your infrastructure against CVE-2023-22515</h2>
<p>If at all possible, update Confluence Data Center or Confluence Server to a release that contains the fix (8.3.3, 8.4.3 or 8.5.2) or to a later release in the same branch.</p>
<p>If you cannot update, remove vulnerable Confluence servers from public access; that is, block access to them from external networks until the update is installed.</p>
<p>If that is not possible either, an interim measure is to block access to the setup endpoints (<code>/setup/*</code>); <a href="https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html">Atlassian’s own advisory</a> describes how. Atlassian stresses, however, that this does not remove the need to update Confluence Data Center or Confluence Server: it only temporarily closes a known attack vector, and the installed version remains vulnerable.</p>
<p>In addition, every organization running Confluence Data Center or Confluence Server should check whether the vulnerability has already been used against it. Indicators of CVE-2023-22515 exploitation include:</p>
<ul>
<li>Suspicious new members of the <code>confluence-administrators</code> group</li>
<li>Unexpected newly created user accounts</li>
<li>Requests to <code>/setup/*.action</code> in network access logs</li>
<li>Presence of <code>/setup/setupadministrator.action</code> in an exception message in <code>atlassian-confluence-security.log</code> in the Confluence home directory</li>
</ul>
<p>Keep in mind that control of Confluence gained through CVE-2023-22515 is unlikely to be the attackers’ end goal. It is far more likely to serve as a foothold for further attacks on the company’s information systems, so if you find any of the indicators above, treat the instance as compromised: isolate it, rotate every credential and token it holds, and rebuild it rather than simply patching in place.</p>
<p>To monitor suspicious activity in corporate infrastructure, use an <a href="https://www.kaspersky.com/enterprise-security/endpoint-detection-response-edr?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______">EDR (Endpoint Detection and Response) solution</a>. If your in-house information security team lacks the resources, you can outsource the job to an <a href="https://www.kaspersky.com/enterprise-security/managed-detection-and-response?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____">external service</a> that continuously hunts for threats targeting your organization and responds to them in a timely manner.</p>
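<p>The version check and the indicators of compromise from the "How to secure your infrastructure" section above, turned into a small triage script. This is an added example for this post, not Atlassian’s or Kaspersky’s code. The version logic follows the affected and fixed versions quoted above; the log lines are constructed samples in the shape of a Tomcat access log and of <code>atlassian-confluence-security.log</code>. Atlassian does not publish the exact text of the security-log exception, so the sample security-log line is hypothetical and only the <code>/setup/setupadministrator.action</code> substring is matched; the <code>/server-info.action</code> path in the first access-log sample is the endpoint the public PoC uses to pass the setup flag. Names such as <code>Finding</code> and <code>triage</code> are the example’s own.</p>

```python
"""Triage helpers for the CVE-2023-22515 indicators described above.

Added example, not Atlassian's or Kaspersky's code. Log samples are
constructed; adapt the regular expressions to your own log format.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Fixed releases per branch from Atlassian's advisory; 8.0.x-8.2.x got no fix.
FIXED_VERSIONS = {(8, 3): (8, 3, 3), (8, 4): (8, 4, 3), (8, 5): (8, 5, 2)}

# Query parameter the public PoC abuses to re-open the setup wizard.
SETUP_FLAG = "bootstrapStatusProvider.applicationConfig.setupComplete"
SETUP_ACTION = re.compile(r"/setup/[^/?]*\.action$")   # Atlassian IoC: /setup/*.action
ADMIN_ACTION = "/setup/setupadministrator.action"

# Tomcat access-log prefix: ip ident user [ts] "METHOD target proto" status
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_version(text):
    """'8.5.1' -> (8, 5, 1); tolerates suffixes such as '8.5.1-LTS'."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def is_vulnerable(version):
    """True when the version is inside Atlassian's affected range."""
    v = parse_version(version)
    if v < (8, 0, 0):
        return False                 # releases before 8.0.0 are not affected
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return v < (8, 3, 0)         # 8.0-8.2 have no fixed build; 8.6+ shipped fixed
    return v < fixed


@dataclass
class Finding:
    source: str      # client IP (access log) or timestamp (security log)
    indicator: str
    detail: str


def scan_access_log(lines):
    """Flag setup-flag resets and any /setup/*.action request."""
    findings = []
    for line in lines:
        m = ACCESS_LINE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        params = parse_qs(url.query)
        # Only visible when the flag travels in the query string; a POST body is not
        # logged, so the /setup/*.action hit below is the more reliable indicator.
        if SETUP_FLAG in params:
            findings.append(Finding(m.group("ip"), "setup-flag-reset",
                                    f"{m.group('method')} {url.path} {SETUP_FLAG}={params[SETUP_FLAG][0]}"))
        if SETUP_ACTION.search(url.path):
            findings.append(Finding(m.group("ip"), "setup-action-request",
                                    f"{m.group('method')} {url.path} -> HTTP {m.group('status')}"))
    return findings


def scan_security_log(lines):
    """Flag security-log lines that mention the setup-administrator action."""
    findings = []
    for line in lines:
        if ADMIN_ACTION in line:
            ts = " ".join(line.split(" ", 2)[:2])   # 'YYYY-MM-DD HH:MM:SS,mmm'
            findings.append(Finding(ts, "setupadministrator-exception", line.strip()))
    return findings


def unexpected_admins(baseline, current):
    """confluence-administrators members absent from the known-good baseline."""
    return sorted(set(current) - set(baseline))


def triage(version, access_lines, security_lines, baseline_admins, current_admins):
    return {
        "version": version,
        "vulnerable": is_vulnerable(version),
        "findings": scan_access_log(access_lines) + scan_security_log(security_lines),
        "unexpected_admins": unexpected_admins(baseline_admins, current_admins),
    }


# Constructed sample input (not real telemetry); 203.0.113.0/24 is a documentation range.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [04/Oct/2023:09:12:01 +0000] "GET /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false HTTP/1.1" 302 -',
    '203.0.113.7 - - [04/Oct/2023:09:12:03 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 -',
    '198.51.100.20 - - [04/Oct/2023:09:13:44 +0000] "GET /display/ENG/Home HTTP/1.1" 200 18234',
]
SAMPLE_SECURITY_LOG = [   # hypothetical wording; only the action path is matched
    "2023-10-04 09:12:03,118 WARN [http-nio-8090-exec-9] [confluence.security.SecurityLogger] exception handling /setup/setupadministrator.action",
    "2023-10-04 09:20:00,000 INFO [http-nio-8090-exec-3] [confluence.security.SecurityLogger] login ok for user jdoe",
]
BASELINE_ADMINS = ["admin", "confluence-ops"]
CURRENT_ADMINS = ["admin", "confluence-ops", "support01"]

if __name__ == "__main__":
    report = triage("8.5.1", SAMPLE_ACCESS_LOG, SAMPLE_SECURITY_LOG, BASELINE_ADMINS, CURRENT_ADMINS)
    print(f"Confluence {report['version']} vulnerable: {report['vulnerable']}")
    for f in report["findings"]:
        print(f"[{f.indicator}] {f.source}: {f.detail}")
    print("unexpected admins:", report["unexpected_admins"] or "none")
```

<p>On a real host, feed <code>scan_access_log</code> the reverse proxy or Tomcat access log and <code>scan_security_log</code> the file from the Confluence home directory; a single <code>/setup/*.action</code> hit on an instance whose setup finished long ago is worth an incident ticket on its own.</p>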
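<p>The interim mitigation above (blocking <code>/setup/*</code> until the update is installed) has to be applied on every node, and it is easy to miss one. This added example, not Atlassian’s code, parses a Confluence <code>web.xml</code> and reports whether a servlet <code>security-constraint</code> denies all access to <code>/setup/*</code>, then audits a set of nodes. Both <code>web.xml</code> documents are constructed minimal stand-ins (the real descriptor is far larger and its namespace may differ, which is why the parser ignores namespaces). The constraint shown is the standard deny-all servlet construct that Atlassian’s advisory prescribes for this mitigation; copy the exact text from the advisory rather than from here.</p>

```python
"""Audit a Confluence web.xml for the interim /setup/* block (CVE-2023-22515).

Added example, not Atlassian's code. The web.xml fragments are constructed
stand-ins; take the constraint text itself from Atlassian's advisory.
"""
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip the XML namespace: '{http://...}url-pattern' -> 'url-pattern'."""
    return tag.rsplit("}", 1)[-1]


def setup_blocked(web_xml_text):
    """True if a <security-constraint> covers /setup/* and its <auth-constraint/>
    names no role, which in the servlet spec means nobody may access the resource."""
    root = ET.fromstring(web_xml_text)
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns = {e.text.strip() for e in sc.iter() if _local(e.tag) == "url-pattern" and e.text}
        auths = [e for e in sc.iter() if _local(e.tag) == "auth-constraint"]
        # An <auth-constraint/> without <role-name> children is a deny-all constraint;
        # one that lists a role merely restricts access to that role.
        deny_all = any(not [c for c in a if _local(c.tag) == "role-name"] for a in auths)
        if "/setup/*" in patterns and deny_all:
            return True
    return False


def audit(nodes):
    """nodes: {node_name: web_xml_text}. Returns the node names still missing the block."""
    return sorted(name for name, xml in nodes.items() if not setup_blocked(xml))


# Deny-all constraint for the setup wizard endpoints (placed just before </web-app>).
SETUP_CONSTRAINT = """
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/setup/*</url-pattern>
      <http-method-omission>*</http-method-omission>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>
"""

# Weak: a descriptor with no constraint on /setup/* at all (constructed stand-in).
WEAK_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <display-name>Confluence</display-name>
</web-app>
"""

# Mitigated: the same descriptor with the deny-all block appended.
MITIGATED_WEB_XML = WEAK_WEB_XML.replace("</web-app>", SETUP_CONSTRAINT + "</web-app>")

if __name__ == "__main__":
    fleet = {"node-1": MITIGATED_WEB_XML, "node-2": WEAK_WEB_XML}
    print("nodes missing the /setup/* block:", audit(fleet) or "none")
```

<p>The check deliberately rejects a constraint that grants a role instead of denying everyone: the advisory’s intent is that the setup wizard is unreachable for anyone, and a role-based constraint is a sign the block was transcribed wrongly. Remember to restart Confluence after editing <code>web.xml</code>, and remove the block again once the node is updated to a fixed release.</p>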