CVE-2023-22515 - Broken Access Control Vulnerability in Confluence Data Center and Server

CVE-2023-22515 - Broken Access Control Vulnerability in Confluence Data Center and Server

SummaryCVE-2023-22515 - Broken Access Control Vulnerability in Confluence Data Center and Server
Advisory Release DateWed, Oct 4th 2023 06:00 PDT
Products
  • Confluence Data Center
  • Confluence Server
CVE IDCVE-2023-22515
Related Jira Ticket(s)



Updates

This advisory has been updated since the initial publication.

Changes since initial publication

Clarified Confluence versions prior to 8.0.0 are not affected.

2:20 PM UTC (Coordinated Universal Time, +0 hours)

Edited group name in Threat detection section to the correct one - confluence-administrators 

8.30 AM UTC (Coordinated Universal Time, +0 hours)

Clarified Category as Broken Access Control to align with OWASP definition.

9:35 PM UTC (Coordinated Universal Time, +0 hours)

Linked CVE ID to nvd.nist.gov website

3:00 PM UTC (Coordinated Universal Time, +0 hours)

Reinforcing actions required and additional “Threat Detection” support

3:00 PM UTC (Coordinated Universal Time, +0 hours)

Added new threat actor intelligence

21:45 PM UTC (Coordinated Universal Time, +0 hours)



Summary of Vulnerability

Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances.

UPDATE: We have evidence to suggest that a known nation-state actor is actively exploiting CVE-2023-22515 and continue to work closely with our partners and customers to investigate.

Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.

CVSS 10: URGENT ACTION REQUIRED

1. Upgrade your instance

2. Conduct comprehensive threat detection

Publicly accessible Confluence Data Center and Server versions as listed below are at critical risk and require immediate attention. See ‘What You Need to Do’ for detailed instructions.

Severity

Atlassian rates the severity level of this vulnerability as Critical CVSS 10, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is our assessment, and you should evaluate its applicability to your own IT environment.

Affected Versions

The Confluence Data Center and Server versions listed below are affected by this vulnerability. Customers using these versions should upgrade your instance as soon as possible.

Versions prior to 8.0.0 are not affected by this vulnerability.

ProductAffected Versions
Confluence Data Center and Confluence Server
  • 8.0.0
  • 8.0.1
  • 8.0.2
  • 8.0.3
  • 8.0.4
  • 8.1.0
  • 8.1.1
  • 8.1.3
  • 8.1.4
  • 8.2.0
  • 8.2.1
  • 8.2.2
  • 8.2.3
  • 8.3.0
  • 8.3.1
  • 8.3.2
  • 8.4.0
  • 8.4.1
  • 8.4.2
  • 8.5.0
  • 8.5.1


Fixed Versions

Atlassian recommends that you upgrade each of your affected installations to one of the listed fixed versions (or any later version) below.

ProductFixed Versions
Confluence Data Center and Confluence Server
  • 8.3.3 or later
  • 8.4.3 or later
  • 8.5.2 (Long Term Support release) or later

For a full description of the latest versions of Confluence Data Center and Confluence Server, see the release notes, here. You can download the latest version from the download center, here.


What You Need To Do

1. Upgrade to a fixed version. (See: Upgrade Instructions)

Customers with Confluence Data Center and Server instances accessible to the public internet including with user authentication, should restrict external network access until you can upgrade.

Alternatively, if you cannot restrict external network access or upgrade, apply the following interim measures to mitigate known attack vectors by blocking access to the /setup/* endpoints on Confluence instances. This is possible at the network layer or by making the following changes to Confluence configuration files.


  1. On each node, modify /<confluence-install-dir>/confluence/WEB-INF/web.xml  and add the following block of code (just before the </web-app> tag at the end of the file):

    <security-constraint>
          <web-resource-collection>
            <url-pattern>/setup/*</url-pattern>
    			<http-method-omission>*</http-method-omission>
    		</web-resource-collection>
          <auth-constraint />
    	</security-constraint>
  2. Restart Confluence.

This action will block access to setup pages that are not required for typical Confluence usage, for further details see the FAQ page below.

Note: These mitigation actions are limited and not a replacement for upgrading your instance; you must upgrade as soon as possible.

2. Threat detection

Atlassian cannot confirm if your instances have been affected by this vulnerability. You should engage your local security team to check all affected Confluence instances for evidence of compromise.

Evidence of compromise may include:

  • unexpected members of the confluence-administrators group

  • unexpected newly created user accounts

  • installed unknown plugins

  • requests to /setup/*.action in network access logs

  • presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory

If your Confluence instances have been compromised, these threat attackers hold full administrative access and can perform any number of unfettered actions including, exfiltration of content and system credentials, and installation of malicious plugins. If any evidence is found, you should assume that your instance has been compromised and follow your security incident response plan. 

Additionally, if you believe you were compromised,
please raise a support request as Atlassian assistance may be required to recover and protect your instance.


Frequently Asked Questions (FAQ)

More details can be found at the Frequently Asked Questions (FAQ) page.

Support

If you did not receive an email for this advisory, and you wish to receive such emails in the future go to https://my.atlassian.com/email and subscribe to Alerts emails. If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.

References

Security Bug Fix PolicyAs per our new policy critical security bug fixes will be back ported. We will release new maintenance releases for the versions covered by the policy instead of binary patches.
Binary patches are no longer released.
Severity Levels for Security IssuesAtlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org.
End of Life PolicyOur end of life policy varies for different products. Please refer to our EOL Policy for details.
Last modified on Dec 19, 2023

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.