Critical Atlassian Confluence zero-day flaw under attack

Atlassian on Wednesday disclosed and patched a zero-day vulnerability that affects Confluence Data Center and Server, two self-managed versions of Atlassian's popular workspace suite.

CVE-2023-22515 is a critical privilege escalation vulnerability that the collaboration software vendor said, via an advisory, was under attack.

"Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances," the company said in the security advisory.

Atlassian said Confluence Data Center and Server versions prior to 8.0.0 are not affected. However, the company urged customers with affected versions to upgrade to fixed versions, including 8.3.3 or later, 8.4.3 or later, and 8.5.2 -- the "Long Term Support release" -- or later. Affected versions include 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.1.0, 8.1.1, 8.1.3, 8.1.4, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.3.0, 8.3.1, 8.3.2, 8.4.0, 8.4.1, 8.4.2, 8.5.0 and 8.5.1. Atlassian Cloud sites are not affected.

While no CVSS score had been assigned to CVE-2023-22515 at press time, Atlassian rated it critical "according to the scale published in our Atlassian severity levels." The company also warned that Confluence instances exposed to the public internet "are particularly at risk, as this vulnerability is exploitable anonymously."

Update 10/6: Rapid7 on Oct. 5 shared a statement from Caitlin Condon, Rapid7's head of vulnerability research, with TechTarget Editorial that said CVE-2023-22515 is "fully unauthenticated and trivially exploitable."

"Based on our analysis of the vulnerability's root cause, we think it likely that there are other avenues of attack in addition to the creation of a new admin user," Condon said. "Notably, our team leveraged the /server-info.action endpoint, which Atlassian did not mention in their IOCs [indicators of compromise]."

An Atlassian spokesperson also told TechTarget Editorial on Oct. 6 that the collaboration software vendor classified the vulnerability as a CVSS 10 -- the highest severity score possible for a flaw.

"The mitigations listed in our advisory are an interim measure for customers that cannot immediately upgrade their instance or take their instance off the internet until they can upgrade," the spokesperson said. "Our priority is the security of our customers' instances during this critical vulnerability. This is an ongoing investigation, and we encourage customers to share evidence of compromise to support these efforts."

Update 10/11: Microsoft on Oct. 10 said it observed a nation-state threat actor, tracked as Storm-0062, exploiting CVE-2023-22515 in the wild since Sept. 14. The threat actor, also known as DarkShadow or Oro0lxy, reportedly has ties to the Chinese government.

Atlassian in turn updated its security advisory. "We have evidence to suggest that a known nation-state actor is actively exploiting CVE-2023-22515 and continue to work closely with our partners and customers to investigate," the update read.

In situations where a customer is unable to upgrade, Atlassian recommended that customers restrict external network access to affected Confluence instances or mitigate attack vectors "by blocking access to the /setup/* endpoints on Confluence instances." The vendor also included indicators of compromise.

Though the official advisory initially lacked significant technical detail, Rapid7 published a blog post on Oct. 4 providing additional insights. Condon noted that it was atypical for a privilege escalation flaw to be designated as critical.

"It's unusual, though not unprecedented, for a privilege escalation vulnerability to carry a critical severity rating," Condon wrote. "Atlassian's advisory implies that the vulnerability is remotely exploitable, which is typically more consistent with an authentication bypass or remote code execution chain than a privilege escalation issue by itself. It's possible that the vulnerability could allow a regular user account to elevate to admin -- notably, Confluence allows for new user sign-ups with no approval, but this feature is disabled by default."

TechTarget Editorial contacted Atlassian to ask whether CVE-2023-22515 could be executed remotely and for additional detail, but the vendor declined to comment. However, a spokesperson shared the following statement.

"Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances," the spokesperson said.

Critical Confluence flaws have attracted threat actors in the past. Last June, a remote code execution (RCE) bug in Confluence Data Center and Server, CVE-2022-26134, faced significant abuse at the hands of ransomware actors in the wild. In September 2021, another RCE flaw, CVE-2021-26084, came under exploitation soon after its public disclosure.

Updated following initial publication.

Alexander Culafi is an information security news writer, journalist and podcaster based in Boston.