Confluence Data Center: CONFSERVER-92475

Broken Authentication & Session Management in Confluence Data Center and Server - CVE-2023-22515

    • Type: Public Security Vulnerability
    • Resolution: Fixed
    • Priority: Highest
    • Fix Version/s: 8.5.2, 8.3.3, 8.4.3
    • Affects Version/s: 8.0.0, 8.1.0, 8.2.0, 8.3.0, 8.4.0, 8.5.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.1.1, 8.1.3, 8.2.1, 8.1.4, 8.2.2, 8.2.3, 8.3.1, 8.3.2, 8.4.1, 8.4.2, 8.5.1

      Summary of Vulnerability

      Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances.
       

      Atlassian Cloud sites are not affected by this vulnerability.

      If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.

      Affected Versions

      Versions prior to 8.0.0 are not affected by this vulnerability.

      Product: Confluence Data Center and Confluence Server

      Affected Versions:
      • 8.0.0
      • 8.0.1
      • 8.0.2
      • 8.0.3
      • 8.0.4
      • 8.1.0
      • 8.1.1
      • 8.1.3
      • 8.1.4
      • 8.2.0
      • 8.2.1
      • 8.2.2
      • 8.2.3
      • 8.3.0
      • 8.3.1
      • 8.3.2
      • 8.4.0
      • 8.4.1
      • 8.4.2
      • 8.5.0
      • 8.5.1

       

      Fixed Versions

      Product: Confluence Data Center and Confluence Server

      Fixed Versions:
      • 8.3.3 or later
      • 8.4.3 or later
      • 8.5.2 (Long Term Support release) or later
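      The affected and fixed version lists above map onto a simple rule: every release from 8.0.0 up to the first fixed release of its line is affected, the 8.0, 8.1 and 8.2 lines have no fixed release at all, and anything before 8.0.0 is out of scope. The following script is an added example (not Atlassian's code or tooling) that applies exactly that rule to a version string, so an operator with many instances can triage them from an inventory. Its one assumption beyond the page is that a version whose release line is not listed here at all (for example an 8.6.x build) is reported as "not listed" rather than as safe, because this advisory says nothing about it.

```python
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release of each affected line, as listed in "Fixed Versions".
FIRST_FIXED = {
    (8, 3): (8, 3, 3),
    (8, 4): (8, 4, 3),
    (8, 5): (8, 5, 2),
}
# Release lines that appear in "Affected Versions" but have no fixed release;
# instances on these lines must move to a fixed line (8.5.2 is the LTS release).
LINES_WITHOUT_FIX = {(8, 0), (8, 1), (8, 2)}
LTS_FIX = "8.5.2"
FIRST_AFFECTED: Version = (8, 0, 0)   # "Versions prior to 8.0.0 are not affected"


def parse_version(text: str) -> Version:
    """Turn 'major.minor.patch' into a comparable tuple; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Confluence version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def assess(text: str) -> Tuple[str, Optional[str]]:
    """Return (status, upgrade_target) for one installed version.

    status is one of 'not affected', 'affected', 'fixed' or 'not listed';
    upgrade_target is the minimum release to move to when status is 'affected'.
    """
    version = parse_version(text)
    if version < FIRST_AFFECTED:
        return ("not affected", None)
    line = version[:2]
    if line in LINES_WITHOUT_FIX:
        return ("affected", LTS_FIX)          # no fix in this line: jump to the LTS fix
    if line in FIRST_FIXED:
        fixed = FIRST_FIXED[line]
        if version < fixed:
            return ("affected", ".".join(map(str, fixed)))
        return ("fixed", None)
    # Assumption: lines this advisory does not mention are flagged for manual review.
    return ("not listed", None)


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    for host, ver in [("wiki-a", "7.19.14"), ("wiki-b", "8.0.3"),
                      ("wiki-c", "8.5.1"), ("wiki-d", "8.4.3"), ("wiki-e", "8.6.0")]:
        status, target = assess(ver)
        print(f"{host:8} {ver:8} {status}" + (f" -> upgrade to {target}" if target else ""))
```

The check is deliberately strict about input: a two-part or suffixed version string raises instead of being silently treated as safe, which is the failure mode you do not want in a triage script.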

      What You Need to Do

      For affected versions, we strongly recommend:

      • Upgrading to the fixed versions of Confluence Server or Data Center.
        • If unable to upgrade promptly, implement mitigations (refer to the Mitigations section in the full advisory).
      • Engaging your security team and checking for indicators of compromise (refer to the Threat Detection section in the full advisory).

      For additional details, please see the full advisory here: https://confluence.atlassian.com/display/SECURITY/CVE-2023-22515+-+Broken+Access+Control+Vulnerability+in+Confluence+Data+Center+and+Server 
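      The "check for indicators of compromise" step above refers readers to the full advisory for the indicator list. As an added example that is not part of Atlassian's advisory or tooling, the script below shows the shape of one such check: it walks a reverse-proxy access log and reports, per source address, how many requests touched the paths named on this page and in its comments (/setup/* and /server-info.action), separating requests the server actually served (2xx/3xx) from ones it refused. It assumes the log is in the common combined format written by nginx or Apache; the watch list and the sample log lines are constructed for the example and are not Atlassian's published indicators.

```python
import re
from typing import Dict, Iterable, List

# Paths named on this page and in its comments. Constructed watch list for a
# log review; it is not the indicator set from the full advisory.
WATCHED = (
    re.compile(r"^/setup/"),                # /setup/* (the web.xml mitigation blocks this prefix)
    re.compile(r"^/server-info\.action$"),  # additional path raised in the comments
)

# Combined log format as written by nginx/Apache (assumption; adjust for other layouts).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def scan(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one record per request whose path matches a watched pattern."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess at its fields
        path = m.group("target").split("?", 1)[0]  # compare the path only, not the query
        if any(p.search(path) for p in WATCHED):
            hits.append({
                "ip": m.group("ip"), "ts": m.group("ts"),
                "method": m.group("method"), "path": path, "status": m.group("status"),
            })
    return hits


def summarize(hits: List[Dict[str, str]]) -> Dict[str, Dict[str, int]]:
    """Per source IP, count watched requests the server served (2xx/3xx) vs. refused."""
    summary: Dict[str, Dict[str, int]] = {}
    for h in hits:
        bucket = summary.setdefault(h["ip"], {"served": 0, "refused": 0})
        if h["status"][0] in "23":
            bucket["served"] += 1     # reached the application: review this address
        else:
            bucket["refused"] += 1    # blocked by the mitigation (403) or similar
    return summary


# Constructed sample log (not real traffic); addresses come from documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Oct/2023:10:01:02 +0000] "GET /login.action HTTP/1.1" 200 5120
203.0.113.7 - - [04/Oct/2023:10:01:09 +0000] "GET /server-info.action HTTP/1.1" 200 1873
203.0.113.7 - - [04/Oct/2023:10:01:15 +0000] "GET /setup/finishsetup.action HTTP/1.1" 302 0
198.51.100.4 - - [04/Oct/2023:10:05:40 +0000] "GET /display/ENG/Home HTTP/1.1" 200 44120
198.51.100.4 - - [04/Oct/2023:10:06:01 +0000] "GET /setup/finishsetup.action?x=1 HTTP/1.1" 403 0
this line is not in combined log format and is skipped
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for ip, counts in summarize(found).items():
        print(ip, counts)
```

Served hits from before the mitigation was applied are the ones to escalate; refused hits after it only confirm the block is working. Legitimate traffic can also land on /setup/finishsetup.action, as several comments below describe, so treat the summary as a starting point for review rather than a verdict.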


            David Yu added a comment -

            You should also block /server-info.action. Here's my sample nginx proxy rule:

              # Close the connection without a response (nginx's non-standard 444)
              # for the setup wizard paths and server-info.action; the dot is escaped
              # so the regex matches only the literal ".action" suffix.
              location ~ /(setup|server-info\.action) {
                return 444;
              }

            Marco Salvi added a comment -

            Please open a support request and we will assist you there.

            Cali Yao added a comment -

            We are under impact of this issue. A random individual from Vietnam (hiddleston071990@gmail.com) seems to have unauthorized access to our Confluence server, and is able to send emails to our internal personnel who have recently accessed Confluence.

            Alwyn Pan added a comment -

            Hi Tobias,

            We are currently on 8.0.3 with /setup/* blocked, and not able to upgrade to the latest as we don't have a current maintenance plan in place. Given that the Confluence Server version is reaching the end of its lifespan, we are not looking at renewing the plan.

            Nathan Neulinger added a comment -

            We were on 8.5.1 with "/setup/*" blocked, which clearly didn't mitigate the DoS.

            Tommy van Extel added a comment -

            Hi Tobias,

            8.5.1 with the mitigation in place resulted in issues on 2 environments.

            Removed the web.xml change and upgraded to 8.5.2 instead; seems to be OK so far.

            Thanks,

            Tommy

            Thomas Friedrich added a comment -

            We are using v8.1.1 and yes, we added the code <security-constraint>...
            We had to block every external IP - except our own - so that we could continue working. Of course, that blocks our customers.

            Tobias Heinemann added a comment -

            Hello Alwyn, Thomas, Nathan and Tommy, are you using Confluence 8.5.2 or have you blocked /setup/* on a vulnerable instance?

            Tommy van Extel added a comment -

            Same issues as Alwyn: Confluence works for a couple of days and then suddenly redirects to finishsetup.action. A restart resolves it (for a while).

            Thomas Friedrich added a comment (edited) -

            We had to restart the server 4 times in the last 3 hours.
            This seems to occur after a hacking attempt.

            Alwyn Pan added a comment -

            I saw the same issue as Nathan mentioned in his comment. After taking the mitigation approach, users get redirected to the `/setup/finishsetup.action` endpoint, which was blocked. No one can access the Confluence server.

            Nathan Neulinger added a comment -

            Confirming that we were definitely impacted by the additional access path in server-info.action - however, it appears that portion of it was only able to "break" our instance, causing all accesses to get redirected to the "disabled /setup/*" paths.

            Michal Kujalowicz added a comment -

            Our guidance regarding CVE-2023-22515 remains unchanged, and we strongly encourage customers to upgrade their instance immediately. If that's not possible, customers can follow the mitigations listed in the advisory as an interim measure or remove their instance from the internet until they're able to upgrade.

            For background, CVE-2023-22515 is classified as CVSS 10, the highest critical rating, which indicates customers must patch or upgrade as soon as possible. The vector string that informed the CVSS 10 rating is publicly available and transparent about the associated risk. If you have additional questions, please raise a support ticket and we will be happy to assist.

            Tim Eddelbüttel added a comment -

            Rapid7 article: https://www.rapid7.com/blog/post/2023/10/04/etr-cve-2023-22515-zero-day-privilege-escalation-in-confluence-server-and-data-center/

            "Based on our analysis, it's likely that there are other avenues of attack in addition to the creation of a new admin user. Notably, our team leveraged the /server-info.action endpoint, which Atlassian did not mention in their IOCs."

            Can someone clarify this note?

            David Yu added a comment -

            There's some online blog chatter that I'm not sure I should link here, but the /setup endpoint is not the only entry point, and I hope Atlassian updates their Advisory and recommendations.


            Tim Cantin added a comment -

            Please see the advisory page, https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html

            Atlassian has updated this page stating that versions prior to 8.0 are not affected.


            indra added a comment -

            I assume LTS v7.19.11 is unaffected.  Please correct this assumption if that is not the case.  Thank You


            Marco Salvi added a comment -

            You can upgrade to one of the fix versions using the current helm chart. All you need is to set image.tag to the version you want to upgrade to.

            IT Team added a comment -

            When will an updated helm chart be published?


            Zachary Echouafni added a comment (edited) -

            Versions prior to 8.0.0 are not affected by this vulnerability; I've updated the advisory & ticket to reflect this. You're both correct. Thank you.

            Hannes Medwed added a comment -

            Since we are planning an update to LTS 7.19.14 on Sunday, it would be good to know whether this version is actually not affected!

            Tim Heidinger added a comment -

            Based on the information provided I assume LTS v7.19.14 is unaffected. Please correct this assumption if that is not the case. Thank you.

              Assignee: Unassigned
              Reporter: Lee Berg
              Votes: 0
              Watchers: 62