Atlassian, a leading provider of software development and collaboration tools, has recently disclosed a critical security vulnerability affecting its Confluence Data Center and Server products. The vulnerability, identified as CVE-2023-22518, allows unauthenticated remote attackers to create unauthorized Confluence administrator accounts and access Confluence instances.
This could result in significant data loss, ransomware infection, or other malicious activities. In this article, we will explain what the vulnerability is, how it is being exploited, and what you can do to protect your Confluence servers.
Contents
What is CVE-2023-22518?
CVE-2023-22518 is a broken access control vulnerability that affects certain versions of Confluence Data Center and Server, ranging from 8.0.0 to 8.5.1. The vulnerability exists due to a flaw in the Confluence server’s configuration that allows attackers to change the setup status and use the /setup/setupadministrator.action endpoint to create a new administrator user. This bypasses the authentication and authorization mechanisms of Confluence and grants the attacker full access to the Confluence instance.
Andrew Morris shared a post on Twitter:
novel confluence auth bypass is happening in the wild re: CVE-2023-22518 https://t.co/3UirShUG2u pic.twitter.com/VMawNmaLSh
— Andrew Morris (@Andrew___Morris) November 5, 2023
How is CVE-2023-22518 Being Exploited?
According to various security reports, CVE-2023-22518 is being actively exploited by threat actors in the wild. The exploitation attempts started shortly after Atlassian released a security advisory for the vulnerability on October 31, 2023.
The attackers are using automated scripts to scan the internet for vulnerable Confluence servers and exploit them to create malicious administrator accounts.
Some of the attacks have resulted in the deployment of Cerber ransomware, which encrypts the files on the compromised Confluence server and demands a ransom for their decryption. Other attacks may have different objectives, such as stealing sensitive data, installing backdoors, or spreading to other systems on the network.
Take a look at some additional recently published content from us:
- Microsoft 365 Vulnerabilities: What You Need to Know and How to Protect Yourself
- How to Fix Microsoft Store 0x8d050003 Error Code on Windows 11/10?
What Can You Do to Protect Your Confluence Servers?
The best way to protect your Confluence servers from CVE-2023-22518 is to apply the upgrades provided by Atlassian as soon as possible. Atlassian has released fixed versions of Confluence Data Center and Server for each affected version.
You can download the latest version of Confluence from the Atlassian website. Alternatively, you can use the in-product update feature to upgrade your Confluence server. You should also check the integrity of your Confluence database and backup files, as they may have been tampered with by the attackers.
If you cannot upgrade your Confluence server immediately, Atlassian has provided some interim measures to temporarily mitigate the known attack vectors. However, these measures are not guaranteed to prevent all possible exploitation scenarios, and they may affect the functionality of your Confluence server
Therefore, you should only use them as a last resort and upgrade your Confluence server as soon as possible. The interim measures are:
- Blocking access to the /setup/setupadministrator.action endpoint on your Confluence server using a firewall, proxy, or web server configuration.
- Disabling the Confluence Setup Wizard by setting the system property confluence.setupwizard.enabled to false in the <confluence-install>/confluence/WEB-INF/classes/confluence-init.properties file.
- Enabling the Confluence Security Configuration by setting the system property confluence.security.admin.disabled to false in the <confluence-install>/confluence/WEB-INF/classes/confluence-init.properties file.
You should also monitor your Confluence server logs and network traffic for any signs of suspicious activity, such as unauthorized administrator accounts, unusual requests, or ransomware messages. If you detect any potential compromise, you should follow the incident response recommendations provided by Atlassian. These include:
- Taking your Confluence server offline and isolating it from the network.
- Restoring your Confluence server from a known good backup.
- Changing the passwords of all Confluence users, especially administrators.
- Reporting the incident to Atlassian Support and law enforcement authorities.
Conclusion
CVE-2023-22518 is a serious vulnerability that affects many Confluence Data Center and Server customers. It allows unauthenticated remote attackers to create unauthorized Confluence administrator accounts and access Confluence instances.
The vulnerability is being actively exploited by threat actors in the wild, who are using it to deploy ransomware or perform other malicious activities. To protect your Confluence servers from CVE-2023-22518, you should upgrade to the latest fixed version of Confluence as soon as possible.
If you cannot upgrade immediately, you should apply the interim measures provided by Atlassian and monitor your Confluence server for any signs of compromise.
If you suspect that your Confluence server has been compromised, you should follow the incident response recommendations provided by Atlassian and report the incident to Atlassian Support and law enforcement authorities.
