CVE-2023-22518 - Improper Authorization Vulnerability In Confluence Data Center and Server
CVE-2023-22518 - Improper Authorization Vulnerability in Confluence Data Center and Server
This advisory has been updated since the initial publication.
Updated CVSS score from 9.1 to 10, the summary of vulnerability, and added a threat detection section for suggested indicators of compromise.
Customer report of an active exploited added to heading.
Removed "or later" verbiage in fix versions table, only the listed fix versions are patched.
Updated "An Important Message from Bala Sathiamurthy, Chief Information Security Officer (CISO)" to articulate that as part of Atlassian's ongoing monitoring of this CVE, we observed publicly posted critical information about the vulnerability which increases risk of exploitation.
Added third option to "Apply temporary mitigations if unable to patch"
Linked CVE ID to NVD.gov website
Summary of Vulnerability
As part of Atlassian's ongoing monitoring and investigation of this CVE, we observed several active exploits and reports of threat actors using ransomware. We have escalated CVE-2023-22518 from CVSS 9.1 to 10, the highest critical rating, due to the change in the scope of the attack. Please review the Threat Detection section on this page for additional details.
We received a customer report of an active exploit. Customers must take immediate action to protect their instances. If you already applied the patch, no further action is required.
As part of Atlassian's ongoing monitoring of this CVE, we observed publicly posted critical information about the vulnerability which increases risk of exploitation. There are still no reports of an active exploit, though customers must take immediate action to protect their instances. If you already applied the patch, no further action is required.
An Important Message from Bala Sathiamurthy, Chief Information Security Officer (CISO)
As part of our continuous security assessment processes, we have discovered that Confluence Data Center and Server customers are vulnerable to significant data loss if exploited by an unauthenticated attacker. There are no reports of active exploitation at this time; customers to protect their instances. Please read the Critical Security Advisory below for instructions and vulnerability details.
Protecting customers' instances is our top priority, and our prompt response demonstrates our dedication to ensuring the safety of our customers and your data. Atlassian is always reviewing security measures to reduce security risks and support our customers in taking timely action. Customers can expect to receive high-priority patches outside of our monthly advisory schedule as necessary. We believe that taking proactive action is the best approach and we appreciate your ongoing partnership.
All versions of Confluence Data Center and Server are affected by this vulnerability. This Improper Authorization vulnerability allows an unauthenticated attacker to reset Confluence and create a Confluence instance administrator account. Using this account, an attacker can then perform all administrative actions that are available to Confluence instance administrator leading to a full loss of confidentiality, integrity and availability.
Publicly accessible Confluence Data Center and Server versions as listed below are at critical risk and require immediate attention. See ‘What You Need to Do’ for detailed instructions.
Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.
Atlassian rates the severity level of this vulnerability as critical (10 with the following vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) per our internal assessment.
This is our assessment, and you should evaluate its applicability to your own IT environment.
This Improper Authorization vulnerability affects all versions prior to the listed fix versions of Confluence Data Center and Server. Atlassian recommends patching to the fixed LTS version or later.
|Confluence Data Center and Server||All versions are affected|
What You Need To Do
Immediately patch to a fixed version
Atlassian recommends that you patch each of your affected installations to one of the listed fixed versions (or the latest version) below.
|Confluence Data Center and Server|
Apply temporary mitigations if unable to patch
- Back up your instance. (Instructions: https://confluence.atlassian.com/doc/production-backup-strategy-38797389.html)
- Remove your instance from the internet until you can patch, if possible. Instances accessible to the public internet, including those with user authentication, should be restricted from external network access until you can patch.
- If you cannot restrict external network access or patch, apply the following interim measures to mitigate known attack vectors by blocking access on the following endpoints on Confluence instances:
This is possible at the network layer or by making the following changes to Confluence configuration files.
1. On each node, modify
/<confluence-install-dir>/confluence/WEB-INF/web.xml and add the following block of code (just before the
</web-app> tag at the end of the file):
<security-constraint> <web-resource-collection> <url-pattern>/json/setup-restore.action</url-pattern> <url-pattern>/json/setup-restore-local.action</url-pattern> <url-pattern>/json/setup-restore-progress.action</url-pattern> <http-method-omission>*</http-method-omission> </web-resource-collection> <auth-constraint /> </security-constraint>
2. Restart Confluence.
Note: These mitigation actions are limited and not a replacement for patching your instance; you must patch as soon as possible
Atlassian cannot confirm if your instances have been affected by this vulnerability. You should engage your local security team to check all affected Confluence instances for evidence of compromise.
Evidence of compromise may include:
- loss of login access to the instance
- requests to
/json/setup-restore*in network access logs
- installed unknown plugins
- we've observed reports of a malicious plugin named web.shell.Plugin
- encrypted files or corrupted data
unexpected members of the
unexpected newly created user accounts
If any evidence is found, you should assume that your instance has been compromised and follow your security incident response plan.
Frequently Asked Questions (FAQ)
More details can be found at the Frequently Asked Questions (FAQ) page.
If you did not receive an email for this advisory, and you wish to receive such emails in the future go to https://my.atlassian.com/email and subscribe to Alerts emails. If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.
|Security Bug Fix Policy||As per our new policy critical security bug fixes will be back ported. We will release new maintenance releases for the versions covered by the policy instead of binary patches. |
Binary patches are no longer released.
|Security Levels for Security Issues||Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org.|
|End of Life Policy||Our end of life policy varies for different products. Please refer to our EOL Policy for details.|