The servers and data centres of Atlassian's Confluence online collabaration platform have fallen victim to an actively exploited zero-day vulnerability. This critical security flaw, identified as CVE-2023-22515, poses a significant threat to Confluence Servers accessible to the public. Cybercriminals are exploiting this vulnerability to gain remote access to Confluence servers, creating unauthorized administrator accounts and potentially gaining unrestricted access to sensitive data.

The Scope of the Vulnerability

It's crucial to note that CVE-2023-22515 only affects Confluence versions 8.0.0 and later. Fortunately, Confluence sites accessed through atlassian.net domains remain unaffected by this security flaw.

Atlassian became aware of this critical issue following reports from a limited number of its customers. Responding swiftly to the threat, the company has released updates designed to address the vulnerability in various versions of Confluence servers, including:

• Version 8.3.3 or later • Version 8.4.3 or later • Version 8.5.2 (Long Term Support release) or later

Limited Information Disclosure

As of now, Atlassian has not publicly disclosed extensive information regarding the nature or scale of the exploitation, or the underlying cause of the vulnerability. This limited disclosure underscores the seriousness of the situation and the need for immediate action.

Immediate Mitigation Measures

For organisations unable to apply the updates provided by Atlassian right away, it is imperative to take swift action to mitigate the risk:

Restrict External Network Access:

Limit external network access to the affected servers to minimize exposure.

Block Specific Endpoints:

Block access to the /setup/* endpoints within Confluence servers. This can be achieved through network layer controls or specific configuration adjustments.

Indicators of Compromise (IoCs)

To assist organisations in assessing whether their on-premises Confluence servers have been compromised, Atlassian has shared the following Indicators of Compromise (IoCs):

• Unexpected members detected in the confluence-administrator group. • Unanticipated user accounts appearing within the Confluence system. • Records of requests to /setup/*.action within network access logs. • The presence of /setup/setupadministrator.action in an exception message discovered in atlassian-confluence-security.log within the Confluence home directory.

Emergency Response Protocol

In the unfortunate event that your Confluence Server or Data Centre instance has been compromised, Atlassian strongly advises the following actions:

Immediate Shutdown:

Immediately shut down and disconnect the compromised system from the network and the Internet to halt any ongoing unauthorised access.

Deactivate Shared Systems:

Promptly deactivate any other systems that share user bases or common username/password combinations with the compromised system. This precautionary step is vital to prevent lateral movement by cybercriminals.

This zero-day vulnerability in Atlassian Confluence demands immediate attention from organisations utilising this platform. It serves as a stark reminder of the ever-evolving landscape of cybersecurity threats. The critical need for swift, proactive measures to safeguard sensitive information cannot be overstated. Stay informed, act, and prioritise cybersecurity to protect your organisation from such threats.

Explore our subscription options to help protect your data here or if you have any further questions, get in touch with our cyber experts by clicking the button below.