-
Public Security Vulnerability
-
Resolution: Fixed
-
Highest
-
8.0.0, 8.1.0, 8.2.0, 8.3.0, 8.4.0, 8.5.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.1.1, 8.1.3, 8.2.1, 8.1.4, 8.2.2, 8.2.3, 8.3.1, 8.3.2, 8.4.1, 8.4.2, 8.5.1
-
None
-
10
-
Critical
-
CVE-2023-22515
-
Customer Report
-
an Atlassian customer
-
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
-
BASM (Broken Authentication & Session Management)
-
Confluence Data Center, Confluence Server
Summary of Vulnerability
Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances.
Atlassian Cloud sites are not affected by this vulnerability.
If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.
Affected Versions
Versions prior to 8.0.0 are not affected by this vulnerability.
| Product | Affected Versions |
|---|---|
| Confluence Data Center and Confluence Server |
|
Fixed Versions
| Product | Fixed Versions |
|---|---|
| Confluence Data Center Confluence Server |
|
What You Need to Do
For affected versions, we strongly recommend:
- Upgrading to the fixed versions of Confluence Server or Data Center.
- If unable to upgrade promptly, implement mitigations (refer to the Mitigations section in the full advisory).
- Engaging your security team and check for indicators of compromise (refer to the Threat Detection section in the full advisory).
For additional details, please see the full advisory here: https://confluence.atlassian.com/display/SECURITY/CVE-2023-22515+-+Broken+Access+Control+Vulnerability+in+Confluence+Data+Center+and+Server
[CONFSERVER-92475] Broken Authentication & Session Management in Confluence Data Center and Server - CVE-2023-22515
bed70bc66ca8 Please open a support request and we will assist you there.
We are under impact of this issue. Random individual from Vietnam (hiddleston071990@gmail.com
) seem to have unauthorized access to our confluence server, and able to send emails to our internal personnel who have recent access to Confluence.
Hi Tobias,
We are currently on 8.0.3 with the /setup/* blocked, not able to upgrade to the latest as we don't have a current maintenance plan in place. Given the Confluence server version is going to the end of its lifespan. We are not looking at renewing the plan.
We were on 8.5.1 with "/setup/*" blocked, which clearly didn't mitigate the DoS.
Hi Tobias,
8.5.1 with the mitigation in place, resulted in issues on 2 environments.
Removed the web.xml change and upgraded to 8.5.2 instead, seems to be OK so far.
Thanks,
Tommy
We are using v8.1.1 and yes, we added the code <security-constraint>...
We had to block every external IP - except our own - so that we could continue working. Of course, that blocks our customers.
Hello Alwyn, Thomas, Nathan and Tommy, are you using Confluence 8.5.2 or have you blocked /setup/* on a vulnerable instance?
Same issues as Alwyn, Confluence works for a couple of days and then suddenly redirects to finishsetup.action. A restart resolves it (for a while)
We had to restart the server 4 times in the last 3 hours.
This seems to occur after a hacking attempt.
You should also block /server-info.action. Here's my sample nginx proxy rule:
location ~ /(setup|server-info.action) { return 444; }