FAQ for CVE-2023-22522
General Information
A critical-severity Remote Code Execution (RCE) vulnerability was discovered in Confluence Data Center and Server (CVE-2023-22522).
This page contains answers to frequently asked questions about this vulnerability. The Atlassian Security Team will update this page whenever new information becomes available.
Is my Confluence instance affected?
All versions of Confluence Data Center and Server since version 4.0.0 are affected by this vulnerability. This Template Injection vulnerability allows an authenticated attacker, including one using anonymous access where it is enabled, to inject unsafe user input into a Confluence page. Using this approach, an attacker is able to achieve Remote Code Execution (RCE) on an affected instance.
Atlassian strongly recommends patching vulnerable installations to one of the fixed versions listed below (or the latest version):
Product | Fixed Versions
---|---
Confluence Data Center and Confluence Server | 
Confluence Data Center | 
Note: Starting from Confluence 8.6, new Confluence releases support only Data Center licenses. If you are upgrading to version 8.6 or later, please make sure you have a valid Data Center license.
Are Cloud instances affected?
Atlassian Cloud instances are not affected by CVE-2023-22522. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not exposed to this vulnerability.
Are other Atlassian products affected by this vulnerability?
Based on current information, other Atlassian products are not affected by CVE-2023-22522. No action is required for other products to address this vulnerability. Please check the Atlassian Security Advisories page for other recent security advisories that might affect other Atlassian products you use.
My instance is NOT connected to the internet, what should I do?
If the Confluence instance cannot be accessed from the internet, the risk of exploitation is reduced but not completely mitigated.
We still strongly recommend applying the latest patch, as listed on the Confluence Security Advisory page for CVE-2023-22522.
I do not allow anonymous access on my public instance.
This is an authenticated remote code execution vulnerability. The risk is therefore reduced if anonymous access is not allowed, as a potential attacker would first need to find a way to authenticate to the instance.
Nevertheless, we still strongly recommend applying the latest patch, as listed on the Confluence Security Advisory page for CVE-2023-22522.
My instance isn't exposed to the Internet. Is an upgrade still recommended?
Yes. Instances that are not exposed to the public internet have a reduced attack surface for CVE-2023-22522, but we still strongly recommend applying the relevant patch.
I am running an affected version of Confluence. What should I do until I am able to patch it?
For customers who are unable to immediately patch their Confluence Data Center and Server instances, we recommend the following steps to reduce the risk:
1. Take your system off the internet immediately.
2. Back up the data of the instance to a secure location outside of the Confluence instance.
3. Engage your local security team to review for any potential malicious activity.
For guidance on backing up Confluence, please refer to Production Backup Strategy | Confluence Data Center and Server 8.6 | Atlassian Documentation
Will the fix be included in non-EOL, non-LTS Confluence versions (e.g. 7.20.x)?
For critical-severity vulnerabilities (such as CVE-2023-22522), Atlassian issues Confluence bug-fix releases in line with our security bug fix policy.
As per our policy, Atlassian will backport fixes for any version that is designated as a Long Term Support (LTS) release that hasn't reached end of life (e.g. Confluence 7.19.x, Confluence 8.5.x).
Additionally, Atlassian will backport critical security fixes to all feature versions released within 6 months of the date the security-fix is released. For example, Confluence 7.20 was released in October 2022. As it has been more than 6 months since that version was released, the fix will not be backported to Confluence 7.20.
More information is available on Atlassian's security bug fix policy document.
Are there any IOCs (Indicators of Compromise) for the exploit regarding CVE-2023-22522?
The possibility of multiple entry points, along with chained attacks, makes it difficult to list all possible indicators of compromise.
Customers must take immediate action to protect their Confluence instances.
As outlined in the advisory for CVE-2023-22522, it is strongly recommended that vulnerable instances be patched immediately to the latest Long Term Support (LTS) release (or the latest version that contains the fix).
Does CVE-2023-22522 impact configured application tunnels or application links?
There is no impact on application tunnels or application links.
What if I don’t have a local security team?
We recommend engaging a specialist security firm for further investigation.