A good reason to update Confluence

It’s time to update Confluence Data Center and Confluence Server: they contain a serious vulnerability that allows unauthorized creation of administrator accounts.

Vulnerability in Confluence Data Center and Confluence Server

Recently, CISA, the FBI, and MS-ISAC issued a joint advisory urging all organizations that use Confluence Data Center and Confluence Server to update the software immediately due to a major vulnerability. Here’s what the problem is and why this advisory is on point.

CVE-2023-22515 in Confluence Data Center and Confluence Server

The vulnerability in question, designated CVE-2023-22515, has received the maximum CVSS 3.0 threat score of 10.0, as well as critical status. The vulnerability allows an attacker, even if unauthenticated, to restart the server configuration process. By exploiting CVE-2023-22515, they could create accounts with administrator rights on a vulnerable Confluence server.

CVE-2023-22515 severity level

CVE-2023-22515: high severity level and high exploitability. Source

Only organizations using on-premises Atlassian Confluence Data Center and Confluence Server are at risk. Confluence Cloud customers are not affected. Nor does the vulnerability impact Confluence Data Center and Confluence Server versions earlier than 8.0.0. Below is the full list of vulnerable versions according to Atlassian:

  • 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4
  • 8.1.0, 8.1.1, 8.1.3, 8.1.4
  • 8.2.0, 8.2.1, 8.2.2, 8.2.3
  • 8.3.0, 8.3.1, 8.3.2
  • 8.4.0, 8.4.1, 8.4.2
  • 8.5.0, 8.5.1

Exploitation in the wild and PoC on GitHub

The main problem is that the vulnerability is extremely easy to exploit. This is made worse by the fact that a successful attack on a vulnerable server doesn’t require access to an account on it, which significantly expands the scope for attacker activity.

The key feature of the attack is that vulnerable versions of Confluence Data Center and Confluence Server allow attackers to change the value of the bootstrapStatusProvider.applicationConfig.setupComplete attribute to false without authentication on the server. By doing so, they reinitialize the server setup stage and are free to create their own administrator accounts.

Key feature of CVE-2023-22515 exploitation

Key feature of Confluence Data Center and Confluence Server vulnerability exploitation. Source

Please note that this isn’t just theory — real attacks are already being carried out. A week after information about CVE-2023-22515 was made public, the Microsoft Threat Intelligence team observed an APT group exploiting this vulnerability.

Microsoft Threat Intelligence alert about CVE-2023-22515 exploitation by Storm-0062 (aka DarkShadow, Oro0lxy)

Microsoft Threat Intelligence alert about CVE-2023-22515 exploitation in the wild. Source

As mentioned above, this vulnerability in Confluence Data Center and Confluence Server is extremely easy to exploit. This means that not only highly skilled APT hackers can exploit it, but even bored schoolkids too. A Proof of Concept exploit for CVE-2023-22515 has already appeared on GitHub, complete with a Python script for easy-as-pie exploitation — on a mass-scale: all an attacker need do is input a list of target server addresses into the script.

How to secure your infrastructure against CVE-2023-22515

If possible, you should update your Confluence Data Center or Confluence Server to a version with the vulnerability already patched (8.3.3, 8.4.3, 8.5.2), or to a later version within the same branch.

If unable to update, it’s recommended to remove vulnerable Confluence servers from public access; that is, disable access to them from external networks until the update is installed.

If this too cannot be done, an interim measure is to mitigate the threat by blocking access to configuration pages. More details can be found in Atlassian’s own advisory. It notes, however, that this option doesn’t eliminate the need to update Confluence Data Center or Confluence Server: it only temporarily thwarts a known attack vector.

Additionally, organizations that use both Confluence Data Center and Confluence Server are advised to check whether this vulnerability has already been used in attacks against them. Some indications of CVE-2023-22515 exploitation are:

  • Suspicious new members of the confluence-administrators group
  • Unexpected newly created user accounts
  • Requests to /setup/*.action in network access logs
  • Presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory.

Keep in mind that gaining control over Confluence through CVE-2023-22515 exploitation is unlikely to be the attackers’ primary goal. Instead, it will likely serve as a foothold to launch further attacks on the company’s information systems.

To monitor suspicious activity in corporate infrastructure, use an EDR (Endpoint Detection and Response) solution. If your in-house information security team lacks the resources, you can outsource the job to an external service, which will continuously search for threats targeting your organization and respond to them in a timely manner.

Tips

How to travel safely

Going on vacation? We’ve compiled a traveler’s guide to help you have an enjoyable safe time and completely get away from the routine.