
Australian software company Atlassian released emergency security updates to fix a maximum severity zero-day vulnerability in its Confluence Data Center and Server software, which has been exploited in attacks.

"Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances," the company said.

"Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue."

Tracked as CVE-2023-22515, this critical privilege escalation flaw affects Confluence Data Center and Server 8.0.0 and later and is described as being remotely exploitable in low-complexity attacks that don't require user interaction.

Customers using vulnerable Confluence Data Center and Server versions are advised to upgrade their instances as soon as possible to one of the fixed versions (i.e., 8.3.3 or later, 8.4.3 or later, 8.5.2 or later).

Besides upgrading and applying mitigation measures, Atlassian also urges customers to shut down impacted instances or isolate them from Internet access if immediate patching isn't possible.

Administrators can remove known attack vectors associated with this vulnerability by preventing access to the /setup/* endpoints on Confluence instances.

"Instances on the public internet are particularly at risk, as this vulnerability is exploitable anonymously," Atlassian added.

Admins advised to check for breach signs

The company also recommends checking all Confluence instances for indicators of compromise, including:

  • unexpected members of the confluence-administrator group
  • unexpected newly created user accounts
  • requests to /setup/*.action in network access logs
  • presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory
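As an added illustration (not Atlassian's tooling and not code from this article), the following Python script checks three of the indicators above against constructed sample data. The access-log layout, the security-log line format and the administrator group lists are assumptions; adjust the regexes to match your deployment's actual log formats.

```python
import re
from typing import Iterable

# Indicator: any request to /setup/*.action in the access log. The line regex assumes a
# combined-style access log (constructed here); adapt the pattern to your real log format.
ACCESS_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
SETUP_ACTION_RE = re.compile(r'^/setup/[^?\s]*\.action(?:\?|$)')

# Indicator: the setup-administrator action appearing in an exception message in
# atlassian-confluence-security.log.
SETUP_ADMIN_MARKER = "/setup/setupadministrator.action"

# Constructed sample access-log lines (RFC 5737 documentation addresses).
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [04/Oct/2023:10:01:12 +0000] "GET /login.action HTTP/1.1" 200 1842
203.0.113.7 - - [04/Oct/2023:10:01:19 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 200 512
198.51.100.4 - - [04/Oct/2023:10:02:03 +0000] "GET /display/DOCS/Home HTTP/1.1" 200 9031
"""

# Constructed sample security-log lines; the real message wording is an assumption.
SAMPLE_SECURITY_LOG = """\
2023-10-04 10:01:19,411 ERROR [http-nio-8090-exec-3] Exception: unexpected request to /setup/setupadministrator.action after setup completed
2023-10-04 10:05:02,008 INFO  [http-nio-8090-exec-5] Successful login for user jdoe
"""

def find_setup_action_requests(lines: Iterable[str]) -> list[dict]:
    """Return one record per access-log line whose request path is /setup/<anything>.action."""
    hits = []
    for line in lines:
        m = ACCESS_LINE_RE.match(line)
        if m and SETUP_ACTION_RE.match(m.group("path")):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "path": m.group("path"), "status": int(m.group("status"))})
    return hits

def find_setup_exception_entries(lines: Iterable[str]) -> list[str]:
    """Return security-log lines that mention the setup-administrator action."""
    return [line for line in lines if SETUP_ADMIN_MARKER in line]

def unexpected_admins(current: Iterable[str], expected: Iterable[str]) -> set[str]:
    """Members of confluence-administrator that are not on the approved list."""
    return set(current) - set(expected)

if __name__ == "__main__":
    for hit in find_setup_action_requests(SAMPLE_ACCESS_LOG.splitlines()):
        print("setup endpoint hit:", hit)
    for entry in find_setup_exception_entries(SAMPLE_SECURITY_LOG.splitlines()):
        print("security log:", entry)
    print("unexpected admins:", unexpected_admins(["admin", "svc-backup", "newuser01"], ["admin", "svc-backup"]))
```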

With the release of a patch, there is a heightened possibility that threat actors will bin-diff the released security patches to discover the patched weakness, potentially speeding up the creation of a usable exploit.

"If it is determined that your Confluence Server/DC instance has been compromised, our advice is to immediately shut down and disconnect the server from the network/Internet," Atlassian warned.

"Also, you may want to immediately shut down any other systems which potentially share a user base or have common username/password combinations with the compromised system."

Immediately securing Confluence servers is extremely important, considering their past attractiveness to malicious actors, with previous incidents involving AvosLocker and Cerber2021 ransomware, Linux botnet malware, and crypto miners underscoring the urgency of the matter.

Last year, CISA ordered federal agencies to patch another critical Confluence vulnerability (CVE-2022-26138) exploited in the wild, based on previous alerts from cybersecurity firm Rapid7 and threat intelligence company GreyNoise.
