FAQ for CVE-2023-22515
A critical severity authentication vulnerability was discovered in Confluence Server and Data Center (CVE-2023-22515).
This page contains frequently asked questions and answers about this vulnerability. The Atlassian Security Team will update this page as new information becomes available.
Is my Confluence instance affected?
The Confluence Data Center and Server versions listed below are affected by this vulnerability. Publicly accessible Confluence Data Center and Server versions as listed below are at critical risk and require immediate attention. Customers using these versions should upgrade your instance as soon as possible.
Versions prior to 8.0 are not affected by this vulnerability.
Confluence Data Center and Confluence Server
Atlassian recommends that you upgrade each of your affected installations to one of the listed fixed versions (or any later version) below.
|Confluence Data Center and Confluence Server|
Are Cloud instances affected?
If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.
Why am I being redirected to setup/finishsetup.action or seeing 403/404 errors after I’ve applied the mitigation steps?
The mitigation actions noted in the Advisory are not a replacement for upgrading your instance; you must upgrade as soon as possible. The mitigation steps will block an attacker's ability to create an administrator account in Confluence, however, it won’t prevent an attacker from continuously trying to exploit the instance which may result in a Denial of Service attack. Once the upgrade is complete, you will no longer receive the HTTP Status errors or redirects to /setup/finishsetup.action.
Does upgrading to a fixed version completely solve the issue?
No. If an instance has already been compromised, upgrading will not remove the compromise.
As well as upgrading, customers can follow "Can we determine if Confluence has already been compromised?", which is available in this FAQ, to check for indicators of compromise. If any evidence is found, you should assume that your instance has been compromised and evaluate the risk of flow-on effects.
I am running an affected version of Confluence. How can I mitigate the threat until I upgrade?
If you are unable to upgrade Confluence, as an interim measure we recommend restricting external network access to the affected instance.
Additionally, you can mitigate known attack vectors for this vulnerability by blocking access to the
/setup/* endpoints on Confluence instances. This is possible at the network layer or by making the following changes to Confluence configuration files.
1. On each node, modify
/<confluence-install-dir>/confluence/WEB-INF/web.xml and add the following block of code (just before the
</web-app> tag at the end of the file):
<security-constraint> <web-resource-collection> <url-pattern>/setup/*</url-pattern> <http-method-omission>*</http-method-omission> </web-resource-collection> <auth-constraint /> </security-constraint>
2. Restart Confluence.
The mitigation prevents any Confluence administrators from triggering Confluence setup actions, this includes setting up Confluence from scratch or migrating to and from Data Center. If these actions are required you will need to remove these lines from the web.xml file. Please re-add these lines if you are not running a fixed version of Confluence.
My instance isn't exposed to the Internet. Is an upgrade still recommended?
Yes! While ensuring instances are not exposed to the public internet greatly reduces the attack surface, we strongly recommend applying the latest version security patch.
My instance is NOT connected to the internet, what should I do? Am I safe?
If the Confluence instance cannot be accessed from the general internet, the risk of an exploit/attack originating from there is reduced.
Due to the critical nature of this vulnerability and the variety of ways in which instances can be accessed, please work with local network/security team(s) to determine if mitigation is needed. However, out of an abundance of caution, the guidance on the Confluence Security Advisory page for CVE-2023-22515 still applies.
Can we determine if Confluence has already been compromised?
Per our security advisory CVE-2023-22515, the following are indicators of a potential compromise:
- unexpected members in the
- unexpected newly created user accounts
- requests to
/setup/*.actionin network access logs
- presence of
/setup/setupadministrator.actionin an exception message in
atlassian-confluence-security.login the Confluence home directory
2027-01-01 07:50:38,312 ERROR [http-nio-8090-exec-8 url: /confluence/setup/setupadministrator.action] [atlassian.confluence.user.DefaultUserAccessor] createGroup com.atlassian.crowd.exception.embedded.InvalidGroupException: com.atlassian.crowd.exception.InvalidGroupException: Group already exists -- url: /confluence/setup/setupadministrator.action | userName: anonymous | action: setupadministrator | traceId: 43994e68d74b2b4b com.atlassian.user.impl.EntityValidationException: com.atlassian.crowd.exception.embedded.InvalidGroupException: com.atlassian.crowd.exception.InvalidGroupException: Group already exists at com.atlassian.crowd.embedded.atlassianuser.EmbeddedCrowdGroupManager.createGroup(EmbeddedCrowdGroupManager.java:146) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.base/java.lang.reflect.Method.invoke(Method.java:566) ... at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:220) at com.sun.proxy.$Proxy165.addGroup(Unknown Source) at com.atlassian.crowd.embedded.atlassianuser.EmbeddedCrowdGroupManager.createGroup(EmbeddedCrowdGroupManager.java:144) ... 490 more Caused by: com.atlassian.crowd.exception.InvalidGroupException: Group already exists at com.atlassian.crowd.manager.application.ApplicationServiceGeneric.addGroup(ApplicationServiceGeneric.java:719) at com.atlassian.crowd.embedded.core.CrowdServiceImpl.addGroup(CrowdServiceImpl.java:421) ... 507 more
Please work with your local security team or a specialist security forensics firm for further investigation, and contact Atlassian Support for additional assistance.
My instance has been compromised, what should I do?
We strongly recommend involving your local security team for further investigation. If it is determined that your Confluence Server/DC instance has been compromised, our advice is to immediately shut down and disconnect the server from the network/Internet. Also, you may want to immediately shut down any other systems which potentially share a user base or have common username/password combinations with the compromised system.
Before doing anything else you will need to work with your local security team to identify the scope of the breach and your recovery options. If your Confluence instances have been compromised by CVE-2023-22515, threat attackers hold full administrative access and can perform any number of unfettered actions including - but not limited to - exfiltration of content and system credentials, and installation of malicious plugins.
If you believe your Confluence instance was compromised, contact Atlassian Support as Atlassian assistance is required to recover and protect your instance. Please include web server access logs (with the IP address of the attacker) in the data that is provided for further investigation.
Are other Atlassian products affected by this vulnerability?
No, they are not affected by CVE-2023-22515. No action is required for other products.