
Improper Authorization in Confluence Data Center and Server - CVE-2023-22518

      Summary of Vulnerability

      Nov 6 Update:

      As part of Atlassian's ongoing monitoring and investigation of this CVE, we observed several active exploits and reports of threat actors using ransomware. We have escalated CVE-2023-22518 from CVSS 9.1 to 10, the highest critical rating, due to the change in the scope of the attack. Please review the Threat Detection section on this page for additional details.

      Nov 3 Update: 

      We received a customer report of an active exploit. Customers must take immediate action to protect their instances. If you already applied the patch, no further action is required.

      Nov 2 Update:

      As part of Atlassian's ongoing monitoring of this CVE, we observed publicly posted critical information about the vulnerability which increases risk of exploitation. There are still no reports of an active exploit, though customers must take immediate action to protect their instances. If you already applied the patch, no further action is required.

      Oct 31 Original:
      An Important Message from Bala Sathiamurthy, Chief Information Security Officer (CISO)

      As part of our continuous security assessment processes, we have discovered that Confluence Data Center and Server customers are vulnerable to significant data loss if exploited by an unauthenticated attacker. There are no reports of active exploitation at this time; however, customers must take immediate action to protect their instances. Please read the Critical Security Advisory below for instructions and vulnerability details.

      Protecting customers' instances is our top priority, and our prompt response demonstrates our dedication to ensuring the safety of our customers and your data. Atlassian is always reviewing security measures to reduce security risks and support our customers in taking timely action. Customers can expect to receive high-priority patches outside of our monthly advisory schedule as necessary. We believe that taking proactive action is the best approach and we appreciate your ongoing partnership.

      All versions of Confluence Data Center and Server are affected by this unexploited vulnerability. This Improper Authorization vulnerability allows an unauthenticated attacker to reset Confluence and create a Confluence instance administrator account. Using this account, an attacker can then perform all administrative actions available to a Confluence instance administrator, leading to, but not limited to, full loss of confidentiality, integrity and availability.

      Publicly accessible Confluence Data Center and Server versions as listed below are at critical risk and require immediate attention. See ‘What You Need to Do’ for detailed instructions.

      Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.

      This critical severity Improper Authorization vulnerability known as CVE-2023-22518 affects all versions prior to the listed fix versions of Confluence Data Center and Server. Versions outside of the support window (i.e. versions that have reached End of Life) may also be affected, so Atlassian recommends you upgrade to a fixed LTS version or later.

      Affected Versions

      Product                   Affected Versions
      Confluence Data Center    All versions are affected
      Confluence Server         All versions are affected

      Fixed Versions

      Product                   Fixed Versions
      Confluence Data Center    7.19.16, 8.3.4, 8.4.4, 8.5.3, 8.6.1
      Confluence Server         7.19.16, 8.3.4, 8.4.4, 8.5.3, 8.6.1

      What You Need to Do

      Atlassian recommends that you upgrade your instance to one of the versions listed in the “Fixed Versions” table section of this ticket. For full descriptions of the above versions of Confluence Data Center and Server, see the release notes. You can download the latest version of Confluence Data Center and Server from the download center.

      Apply temporary mitigations if unable to patch

      1. Back up your instance. (Instructions: https://confluence.atlassian.com/doc/production-backup-strategy-38797389.html)
      2. Remove your instance from the internet until you can patch, if possible. Instances accessible to the public internet, including those with user authentication, should be restricted from external network access until you can patch.
      3. If you cannot restrict external network access or patch, apply the following interim measures to mitigate known attack vectors by blocking access to the following endpoints on Confluence instances:
        • /json/setup-restore.action
        • /json/setup-restore-local.action
        • /json/setup-restore-progress.action

         a. This is possible at the network layer or by making the following changes to Confluence configuration files.
            On each node, modify /<confluence-install-dir>/confluence/WEB-INF/web.xml and add the following block of code (just before the </web-app> tag at the end of the file):

            <security-constraint>
                <web-resource-collection>
                    <url-pattern>/json/setup-restore.action</url-pattern>
                    <url-pattern>/json/setup-restore-local.action</url-pattern>
                    <url-pattern>/json/setup-restore-progress.action</url-pattern>
                    <http-method-omission>*</http-method-omission>
                </web-resource-collection>
                <auth-constraint />
            </security-constraint>

         b. Restart Confluence.

      Note: These mitigation actions are limited and not a replacement for patching your instance; you must patch as soon as possible.


      For additional details, please refer to the full advisory: https://confluence.atlassian.com/display/SECURITY/CVE-2023-22518+-+Improper+Authorization+Vulnerability+in+Confluence+Data+Center+and+Server 


            Jasmine Möller added a comment - - edited

            Ahmed ElSayed: As a general rule - if you have any indication your installation has been compromised by any means, you must reset your installation. Patches usually only help to prevent the initial exploit from happening; once you have been hacked, they won't help. If I read the article correctly, the exploit still needs CVE-2023-22515 which, if unpatched, will give you admin privilege on your instance - once that has happened all bets are off. I wouldn't consider this to be a new exploit.


            Ahmed ElSayed added a comment -

            Hi,

            Is there any info regarding that article's claims?

            https://www.theregister.com/2023/11/14/novel_backdoor_persists_confluence/

            Manjunath MP added a comment -

            Hi arestaut,

            We are having the same errors as yourself.
            When we try this in non-prod, our instance is not coming up at all.

            Did you face the same problem, or were you able to bring up the application with these changes successfully?

            arestaut added a comment -

            Hello Atlassian team,

            No update on my comments about the proposed mitigation that seems ineffective?


            dmitrydranitski added a comment - - edited

            Hi everyone. Although many articles say that "the vulnerability cannot be used for data leakage", that is not 100% true.

            We noticed that when you reset Confluence with this CVE the %CONFLUENCE_HOME%/attachments directory is still full of files; there may be thousands of them. It is pretty easy to extract all of them and then determine their extensions with the Linux `file` command.

            For example:

            file /var/lib/confluence/attachments/v4/191/28/77273124/77273124.1
            /var/lib/confluence/attachments/v4/191/28/77273124/77273124.1: PNG image data, 442 x 170, 8-bit/color RGBA, non-interlaced

            We are not sure that the hackers do steal the files before running the ransomware and encrypting the files, but you can investigate network activity to see any outbound traffic in your particular case.


            arestaut added a comment - - edited

            That's exactly my understanding, but it's difficult to make sure:

            • That's why I'm asking directly here.
            • If the provided mitigation does the exact opposite (remove all access methods from protection) of what is needed here, it's kind of serious, isn't it?

            Please @Atlassian team, can you confirm the mitigation steps are correct ?


            Jasmine Möller added a comment - - edited

            @arestaut: Indeed from my understanding it looks like this block would remove all access methods from protection, which is probably not the intended result - shouldn't it be just

            <http-method>*</http-method>
            

            or just no specification whatsoever?

            See https://javaee.github.io/tutorial/security-webtier002.html

            • http-method or http-method-omission is used to specify which methods should be protected or which methods should be omitted from protection. An HTTP method is protected by a web-resource-collection under any of the following circumstances:
            • If no HTTP methods are named in the collection (which means that all are protected)
            • If the collection specifically names the HTTP method in an http-method subelement
            • If the collection contains one or more http-method-omission elements, none of which names the HTTP method

             

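Added example (not Atlassian's code and not from any commenter): it applies the three Servlet-spec rules quoted above to the advisory's interim web.xml block and reports which url-patterns are denied to everyone for a given HTTP method, so an administrator can reason about the block before restarting. The sample web.xml is constructed from the advisory's snippet; the real file's root-element namespace is omitted so the snippet parses stand-alone, and a bare `<auth-constraint/>` is treated as "no role granted" per the spec.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the advisory's block wrapped in a bare <web-app> root so it
# parses stand-alone (the real web.xml uses a namespaced root element).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/json/setup-restore.action</url-pattern>
      <url-pattern>/json/setup-restore-local.action</url-pattern>
      <url-pattern>/json/setup-restore-progress.action</url-pattern>
      <http-method-omission>*</http-method-omission>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>
</web-app>"""

MITIGATION_PATHS = frozenset({"/json/setup-restore.action",
    "/json/setup-restore-local.action", "/json/setup-restore-progress.action"})

def method_protected(collection, method):
    """Spec rules: protected if no methods are named, if named in <http-method>,
    or if <http-method-omission> elements exist and none of them names it."""
    named = {e.text.strip() for e in collection.findall("http-method")}
    omitted = {e.text.strip() for e in collection.findall("http-method-omission")}
    if not named and not omitted:
        return True
    if method in named:
        return True
    return bool(omitted) and method not in omitted

def denied_paths(web_xml, method):
    """url-patterns on which `method` is denied to everyone: covered by a
    <security-constraint> whose <auth-constraint/> names no role."""
    denied = set()
    for sc in ET.fromstring(web_xml).findall("security-constraint"):
        auth = sc.find("auth-constraint")
        if auth is None or auth.find("role-name") is not None:
            continue  # no auth-constraint, or a role is granted: not a full deny
        for coll in sc.findall("web-resource-collection"):
            if method_protected(coll, method):
                denied.update(p.text.strip() for p in coll.findall("url-pattern"))
    return denied

def mitigation_applied(web_xml, methods=("GET", "POST")):
    # True when all three advisory endpoints are denied for every method given.
    return all(MITIGATION_PATHS <= denied_paths(web_xml, m) for m in methods)

if __name__ == "__main__":
    for m in ("GET", "POST", "*"):  # "*" is the literal method Tomcat reports as uncovered
        print(f"{m:5} denied on {sorted(denied_paths(WEB_XML, m))}")
    print("mitigation applied:", mitigation_applied(WEB_XML))
```

Under these literal rules the only "method" left uncovered by the advisory's block is the string `*` itself, which is what the `the HTTP methods [*] are uncovered` log lines in the thread report.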

            Amit Srivastava added a comment -

            Hi Atlassian Team,

            We have upgraded our Confluence to 7.19.16. Please confirm our Confluence is safe from this vulnerability ''CVE-2023-22518'' now, or do we need to take any more action? For example, do we need to add any patch or something?

            Also, after the upgrade, is any plugin vulnerable, or is Confluence vulnerable due to any plugin?

            Please confirm.

            Thanks,
            Amit

            arestaut added a comment - - edited

            Hello,

            Outdated Confluence Server admin here. I tried to apply the "interim measures to mitigate" and patched my web.xml file. Then restarted the Confluence Tomcat, and here is what I found in the atlassian-confluence.log:

            2023-11-08 10:22:08,629 ERROR [localhost-startStop-2] [ContainerBase.[Standalone].[localhost].[/Confluence]] log For security constraints with URL pattern [/json/setup-restore.action] the HTTP methods [*] are uncovered.
            2023-11-08 10:22:08,632 ERROR [localhost-startStop-2] [ContainerBase.[Standalone].[localhost].[/Confluence]] log For security constraints with URL pattern [/json/setup-restore-progress.action] the HTTP methods [*] are uncovered.
            2023-11-08 10:22:08,632 ERROR [localhost-startStop-2] [ContainerBase.[Standalone].[localhost].[/Confluence]] log For security constraints with URL pattern [/json/setup-restore-local.action] the HTTP methods [*] are uncovered. 

            I tried to look for the <http-method-omission> possible values on the web and couldn't find anything relevant.

            Can you confirm the mitigation listed on top of this issue is working? Is it normal that I have these ERRORs in my log?


            Sandra Priedīte added a comment -

            Can somebody please explain - for 4 or more years the issue was not found.

            Then it is found and after a few days, someone has used this vulnerability.

            Conclusion - this was an advertisement? Seriously, I am confused.
