CVE-2023-22518 - Improper Authorization Vulnerability In Confluence Data Center and Server
Summary | CVE-2023-22518 - Improper Authorization Vulnerability in Confluence Data Center and Server |
Advisory Release Date | Tues, Oct 31 2023 00:00 ET |
Products | |
CVE ID | CVE-2023-22518 |
Related Jira Ticket(s) | |
Updates
This advisory has been updated since the initial publication.
Summary of Vulnerability
As part of Atlassian's ongoing monitoring and investigation of this CVE, we observed several active exploits and reports of threat actors using ransomware. We have escalated CVE-2023-22518 from CVSS 9.1 to 10, the highest critical rating, due to the change in the scope of the attack. Please review the Threat Detection section on this page for additional details.
All versions of Confluence Data Center and Server are affected by this vulnerability. This Improper Authorization vulnerability allows an unauthenticated attacker to reset Confluence and create a Confluence instance administrator account. Using this account, an attacker can then perform all administrative actions that are available to a Confluence instance administrator, leading to a full loss of confidentiality, integrity and availability.
Publicly accessible Confluence Data Center and Server versions as listed below are at critical risk and require immediate attention. See ‘What You Need to Do’ for detailed instructions.
Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.
Severity
Atlassian rates the severity level of this vulnerability as critical (10 with the following vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) per our internal assessment.
This is our assessment, and you should evaluate its applicability to your own IT environment.
Affected Versions
This Improper Authorization vulnerability affects all versions prior to the listed fix versions of Confluence Data Center and Server. Atlassian recommends patching to the fixed LTS version or later.
Product | Affected Versions |
---|---|
Confluence Data Center and Server | All versions are affected |
What You Need To Do
Immediately patch to a fixed version
Atlassian recommends that you patch each of your affected installations to one of the listed fixed versions (or the latest version) below.
Product | Fixed Versions |
---|---|
Confluence Data Center and Server | |
Apply temporary mitigations if unable to patch
- Back up your instance. (Instructions: https://confluence.atlassian.com/doc/production-backup-strategy-38797389.html)
- Remove your instance from the internet until you can patch, if possible. Instances accessible to the public internet, including those with user authentication, should be restricted from external network access until you can patch.
- If you cannot restrict external network access or patch, apply the following interim measures to mitigate known attack vectors by blocking access to the following endpoints on Confluence instances:
  /json/setup-restore.action
  /json/setup-restore-local.action
  /json/setup-restore-progress.action
This is possible at the network layer or by making the following changes to Confluence configuration files.
1. On each node, modify /<confluence-install-dir>/confluence/WEB-INF/web.xml and add the following block of code (just before the </web-app> tag at the end of the file):
<security-constraint>
<web-resource-collection>
<url-pattern>/json/setup-restore.action</url-pattern>
<url-pattern>/json/setup-restore-local.action</url-pattern>
<url-pattern>/json/setup-restore-progress.action</url-pattern>
<http-method-omission>*</http-method-omission>
</web-resource-collection>
<auth-constraint />
</security-constraint>
2. Restart Confluence.
Note: These mitigation actions are limited and not a replacement for patching your instance; you must patch as soon as possible.
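After applying the web.xml change on every node, it is worth verifying that the block actually landed and covers all three endpoints before relying on it. The following Python script is an added example, not Atlassian's code: it parses a web.xml (namespace-aware, since deployment descriptors normally carry a default namespace), collects every url-pattern that sits under a security-constraint with an empty auth-constraint (which denies all principals), and reports which of the three setup-restore endpoints are still not covered. The two embedded web.xml fragments are constructed for the demonstration and are not real Confluence files; the function names are this example's own.

```python
import sys
import xml.etree.ElementTree as ET

# The three endpoints named in the advisory's interim mitigation.
SETUP_RESTORE_ENDPOINTS = (
    "/json/setup-restore.action",
    "/json/setup-restore-local.action",
    "/json/setup-restore-progress.action",
)


def _local(tag):
    """Strip an XML namespace: '{http://...}url-pattern' -> 'url-pattern'."""
    return tag.rsplit("}", 1)[-1]


def denied_patterns(web_xml_text):
    """Return the set of url-patterns that some security-constraint denies to everyone.

    A security-constraint with an <auth-constraint/> that lists no role-name
    denies access to all callers; one that lists a role merely restricts access
    to that role and is not counted here.
    """
    root = ET.fromstring(web_xml_text)
    denied = set()
    for elem in root.iter():
        if _local(elem.tag) != "security-constraint":
            continue
        auth = [c for c in elem if _local(c.tag) == "auth-constraint"]
        if not auth:
            continue  # no auth-constraint at all: nothing is denied
        if any(_local(r.tag) == "role-name" for a in auth for r in a):
            continue  # grants a role instead of denying everyone
        for wrc in elem:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            for child in wrc:
                if _local(child.tag) == "url-pattern" and child.text:
                    denied.add(child.text.strip())
    return denied


def unprotected_endpoints(web_xml_text, endpoints=SETUP_RESTORE_ENDPOINTS):
    """List the setup-restore endpoints that web.xml does not deny outright."""
    denied = denied_patterns(web_xml_text)
    return [e for e in endpoints if e not in denied]


# Constructed sample: a web.xml that carries the advisory's mitigation block.
MITIGATED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/json/setup-restore.action</url-pattern>
      <url-pattern>/json/setup-restore-local.action</url-pattern>
      <url-pattern>/json/setup-restore-progress.action</url-pattern>
      <http-method-omission>*</http-method-omission>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>
</web-app>
"""

# Constructed sample: a web.xml with only a role-based constraint, so the
# setup-restore endpoints remain reachable.
UNMITIGATED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>confluence-administrators</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""


if __name__ == "__main__":
    # Usage: python check_web_xml.py /<confluence-install-dir>/confluence/WEB-INF/web.xml
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = UNMITIGATED_WEB_XML  # fall back to the constructed sample
    missing = unprotected_endpoints(text)
    if missing:
        print("NOT mitigated; still reachable:", ", ".join(missing))
        sys.exit(1)
    print("web.xml denies all three setup-restore endpoints")
```

Run it against the web.xml on every node of a cluster, not just one, since the advisory's step 1 applies per node; a single node left unchanged keeps the endpoints reachable through that node.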
Threat detection
Atlassian cannot confirm if your instances have been affected by this vulnerability. You should engage your local security team to check all affected Confluence instances for evidence of compromise.
Evidence of compromise may include:
- loss of login access to the instance
- requests to /json/setup-restore* in network access logs
- installed unknown plugins
  - we've observed reports of a malicious plugin named web.shell.Plugin
- encrypted files or corrupted data
- unexpected members of the confluence-administrators group
- unexpected newly created user accounts
If any evidence is found, you should assume that your instance has been compromised and follow your security incident response plan.
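The access-log indicator above (requests to /json/setup-restore*) is the one that can be checked mechanically across a fleet. The following Python script is an added example, not part of the advisory: it parses access-log lines in the common combined format, drops any query string before matching so that a parameterised request is not missed, flags every request whose path begins with /json/setup-restore, and summarises the hits by source address, path and status code so a responder can see who reached the endpoints and whether the requests succeeded. The log lines are constructed for the demonstration (RFC 5737 documentation addresses); the regular expression and function names are this example's own assumptions, and a real Confluence or reverse-proxy log may need the pattern adjusted.

```python
import re
from collections import Counter

# Common/combined access-log shape: client, ident, user, [timestamp], "METHOD path proto", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Prefix named in the advisory's threat-detection guidance.
SETUP_RESTORE_PREFIX = "/json/setup-restore"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # match on the path only, not the query
    return rec


def find_setup_restore_requests(lines):
    """Return the parsed records for every request to /json/setup-restore*."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].startswith(SETUP_RESTORE_PREFIX):
            hits.append(rec)
    return hits


def summarize(hits):
    """Count hits by (source address, path, status) for a quick triage view."""
    return Counter((h["ip"], h["path"], h["status"]) for h in hits)


# Constructed sample log lines (not from a real instance).
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [01/Nov/2023:03:14:07 +0000] "GET /login.action HTTP/1.1" 200 5123',
    '203.0.113.5 - - [01/Nov/2023:03:14:09 +0000] "POST /json/setup-restore.action HTTP/1.1" 200 87',
    '203.0.113.5 - - [01/Nov/2023:03:14:12 +0000] "GET /json/setup-restore-progress.action?x=1 HTTP/1.1" 200 44',
    '198.51.100.7 - - [01/Nov/2023:03:15:01 +0000] "GET /display/DOCS/Home HTTP/1.1" 200 20481',
    '198.51.100.7 - - [01/Nov/2023:03:15:30 +0000] "GET /dashboard.action?foo=bar HTTP/1.1" 200 9001',
    'this line is not an access-log record',
]


if __name__ == "__main__":
    # Usage: python find_setup_restore.py < access.log   (or run as-is for the sample)
    import sys
    lines = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG_LINES
    hits = find_setup_restore_requests(lines)
    for (ip, path, status), n in sorted(summarize(hits).items()):
        print(f"{ip:16} {status} {n:4d}  {path}")
    if hits:
        print(f"{len(hits)} request(s) to {SETUP_RESTORE_PREFIX}*: treat as possible compromise")
```

Any hit at all is worth escalating: these endpoints are part of the setup/restore flow and have no place in normal day-to-day traffic, so a single request from an external address is enough reason to check the other indicators listed above (administrator group membership, new accounts, installed plugins).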
Frequently Asked Questions (FAQ)
More details can be found at the Frequently Asked Questions (FAQ) page.
Support
If you did not receive an email for this advisory, and you wish to receive such emails in the future go to https://my.atlassian.com/email and subscribe to Alerts emails. If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.
References
Security Bug Fix Policy | As per our new policy critical security bug fixes will be back ported. We will release new maintenance releases for the versions covered by the policy instead of binary patches. Binary patches are no longer released. |
Security Levels for Security Issues | Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org. |
End of Life Policy | Our end of life policy varies for different products. Please refer to our EOL Policy for details. |