A critical privilege-escalation vulnerability in Atlassian Confluence Server and Confluence Data Center has been disclosed, with evidence of exploitation in the wild as a zero-day bug.
The flaw (CVE-2023-22515) affects on-premises instances of the platforms, in versions 8.0.0 and later.
“Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances,” according to Atlassian’s advisory on CVE-2023-22515, released late on Oct. 4.
Atlassian did not provide a CVSSv3 score, but according to its internal severity level ratings, the score would be in the range of 9 to 10.
The stakes are high. Many organizations use Confluence for project management and collaboration among teams scattered across on-premises and remote locations. Often, Confluence environments house sensitive data on internal projects as well as on customers and partners.
An Unusual Critical Rating: Remotely Exploitable Privilege Escalation?
The critical designation is a fairly unusual one for privilege escalation issues, Rapid7 researcher Caitlin Condon pointed out in an alert on the Confluence bug.
However, the Atlassian advisory goes on to note that “instances on the public Internet are particularly at risk, as this vulnerability is exploitable anonymously,” indicating that it is remotely exploitable, she explained — a rare situation. She noted that the critical rating is “typically more in line with an authentication bypass or remote code-execution chain than a privilege-escalation issue by itself.”
Still, Condon added, “It’s possible that the vulnerability could allow a regular user account to elevate to admin — notably, Confluence allows for new user sign-ups with no approval, but this feature is disabled by default.”
Patch Now: Confluence a Top Target for Cyberattackers
Atlassian has issued a patch; fixed versions are: 8.3.3 or later; 8.4.3 or later; and 8.5.2 (Long Term Support release) or later.
As for other security options, Atlassian doesn’t specify where the bug resides or any other technical details, though it does note that known attack vectors can be mitigated by blocking access to the /setup/* endpoints on Confluence instances, which is a good indicator of where the problem lies.
Admins should restrict external network access to vulnerable systems until they can be upgraded, and Atlassian recommends checking all affected Confluence instances for the indicators of compromise (IoCs) listed in the advisory.
Patching should be top-of-mind; Atlassian is a known target for cyberattackers, as evidenced by the current zero-day exploitation, but there is also further precedent. In June 2022, Atlassian disclosed another critical zero-day vulnerability affecting Confluence Server and Data Center (CVE-2022-26134), this one a more typical remote code execution vulnerability. Proof-of-concept scripts and mass exploitation quickly followed the disclosure, peaking at 100,000 exploitation attempts daily.
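Two checks that follow from the guidance above, as an added example that is not part of the article and not Atlassian's own code: a version test that encodes the affected range (8.0.0 and later) and the fixed releases (8.3.3, 8.4.3, 8.5.2) named in the advisory, and a scan of web-server access logs for requests to the /setup/* endpoints that Atlassian says should be blocked. The log lines are constructed for the example, the page name under /setup/ is a placeholder, and the combined log format and optional Confluence context path are assumptions about how the instance is deployed.

```python
import re
from typing import Iterable, List, Tuple

Version = Tuple[int, int, int]

# Fixed releases per the Atlassian advisory: 8.3.3+, 8.4.3+ and 8.5.2+ (LTS).
FIXED_BY_MINOR = {(8, 3): (8, 3, 3), (8, 4): (8, 4, 3)}
FIXED_LTS: Version = (8, 5, 2)
FIRST_AFFECTED: Version = (8, 0, 0)


def parse_version(text: str) -> Version:
    """Turn '8.5.1' (optionally with a suffix such as '-lts') into a comparable tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Confluence version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or "0"))


def is_affected(version_text: str) -> bool:
    """True when the instance is 8.0.0 or later and below the fixed release for its line."""
    ver = parse_version(version_text)
    if ver < FIRST_AFFECTED:
        return False                        # pre-8.0 releases are outside the affected range
    line = ver[:2]
    if line in FIXED_BY_MINOR:
        return ver < FIXED_BY_MINOR[line]   # 8.3.x and 8.4.x each have their own fixed release
    if line < (8, 3):
        return True                         # 8.0.x-8.2.x have no fixed release; upgrade
    return ver < FIXED_LTS                  # 8.5.x and later: fixed from 8.5.2 onward


# Constructed sample access-log lines in Tomcat/Apache combined format (not real traffic);
# client addresses come from documentation ranges and the /setup/ page name is a placeholder.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [04/Oct/2023:10:12:01 +0000] "GET /setup/placeholder.action HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [04/Oct/2023:10:13:44 +0000] "GET /display/PROJ/Home HTTP/1.1" 200 8891 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [04/Oct/2023:10:14:09 +0000] "POST /setup/placeholder.action?step=2 HTTP/1.1" 302 0 "-" "curl/8.1"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def flag_setup_requests(lines: Iterable[str], context_path: str = "") -> List[Tuple[str, str, str, str]]:
    """Return (client ip, timestamp, method, path) for every request under /setup/.

    context_path is the Confluence context path when the site is served under one
    (for example "/confluence"); leave it empty when Confluence is at the root.
    """
    hits: List[Tuple[str, str, str, str]] = []
    prefix = context_path.rstrip("/") + "/setup/"
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                 # skip lines not in combined log format
        path = m.group("path").split("?", 1)[0]      # ignore the query string when matching
        if path.startswith(prefix):
            hits.append((m.group("ip"), m.group("ts"), m.group("method"), path))
    return hits


if __name__ == "__main__":
    for v in ("8.2.0", "8.3.2", "8.3.3", "8.5.1", "8.5.2"):
        print(v, "affected" if is_affected(v) else "fixed")
    for hit in flag_setup_requests(SAMPLE_ACCESS_LOG):
        print("request to a setup endpoint:", *hit)
```

Any hit from `flag_setup_requests` on an instance where setup finished long ago deserves a look alongside the other IoCs in the advisory, and `is_affected` only answers the version question; it says nothing about whether an instance reachable from the Internet was already touched before the patch was applied.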