Recently, CISA, the FBI, and MS-ISAC issued a joint advisory urging all organizations that use Confluence Data Center and Confluence Server to update the software immediately due to a major vulnerability. Here’s what the problem is and why this advisory is on point.
CVE-2023-22515 in Confluence Data Center and Confluence Server
The vulnerability in question, designated CVE-2023-22515, has received the maximum CVSS 3.0 threat score of 10.0, as well as critical status. The vulnerability allows an attacker, even if unauthenticated, to restart the server configuration process. By exploiting CVE-2023-22515, they could create accounts with administrator rights on a vulnerable Confluence server.
Only organizations using on-premises Atlassian Confluence Data Center and Confluence Server are at risk. Confluence Cloud customers are not affected. Nor does the vulnerability impact Confluence Data Center and Confluence Server versions earlier than 8.0.0. Below is the full list of vulnerable versions according to Atlassian:
- 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4
- 8.1.0, 8.1.1, 8.1.3, 8.1.4
- 8.2.0, 8.2.1, 8.2.2, 8.2.3
- 8.3.0, 8.3.1, 8.3.2
- 8.4.0, 8.4.1, 8.4.2
- 8.5.0, 8.5.1
Exploitation in the wild and PoC on GitHub
The main problem is that the vulnerability is extremely easy to exploit. This is made worse by the fact that a successful attack on a vulnerable server doesn’t require access to an account on it, which significantly expands the scope for attacker activity.
The key feature of the attack is that vulnerable versions of Confluence Data Center and Confluence Server allow attackers to change the value of the bootstrapStatusProvider.applicationConfig.setupComplete
attribute to false
without authentication on the server. By doing so, they reinitialize the server setup stage and are free to create their own administrator accounts.
Please note that this isn’t just theory — real attacks are already being carried out. A week after information about CVE-2023-22515 was made public, the Microsoft Threat Intelligence team observed an APT group exploiting this vulnerability.
As mentioned above, this vulnerability in Confluence Data Center and Confluence Server is extremely easy to exploit. This means that not only highly skilled APT hackers can exploit it, but even bored schoolkids too. A Proof of Concept exploit for CVE-2023-22515 has already appeared on GitHub, complete with a Python script for easy-as-pie exploitation — on a mass-scale: all an attacker need do is input a list of target server addresses into the script.
How to secure your infrastructure against CVE-2023-22515
If possible, you should update your Confluence Data Center or Confluence Server to a version with the vulnerability already patched (8.3.3, 8.4.3, 8.5.2), or to a later version within the same branch.
If unable to update, it’s recommended to remove vulnerable Confluence servers from public access; that is, disable access to them from external networks until the update is installed.
If this too cannot be done, an interim measure is to mitigate the threat by blocking access to configuration pages. More details can be found in Atlassian’s own advisory. It notes, however, that this option doesn’t eliminate the need to update Confluence Data Center or Confluence Server: it only temporarily thwarts a known attack vector.
Additionally, organizations that use both Confluence Data Center and Confluence Server are advised to check whether this vulnerability has already been used in attacks against them. Some indications of CVE-2023-22515 exploitation are:
- Suspicious new members of the
confluence-administrators
group - Unexpected newly created user accounts
- Requests to
/setup/*.action
in network access logs - Presence of
/setup/setupadministrator.action
in an exception message inatlassian-confluence-security.log
in the Confluence home directory.
Keep in mind that gaining control over Confluence through CVE-2023-22515 exploitation is unlikely to be the attackers’ primary goal. Instead, it will likely serve as a foothold to launch further attacks on the company’s information systems.
To monitor suspicious activity in corporate infrastructure, use an EDR (Endpoint Detection and Response) solution. If your in-house information security team lacks the resources, you can outsource the job to an external service, which will continuously search for threats targeting your organization and respond to them in a timely manner.