Atlassian warned admins that a public exploit is now available for a critical Confluence security flaw that can be used in data destruction attacks targeting Internet-exposed and unpatched instances.

Tracked as CVE-2023-22518, this is an authentication bypass vulnerability with a 9.1/10 severity rating affecting all versions of Confluence Data Center and Confluence Server software.

Atlassian warned in an update to the original advisory that it found a publicly available exploit that puts publicly accessible instances at critical risk.

"As part of Atlassian's ongoing monitoring of this CVE, we observed publicly posted critical information about the vulnerability which increases risk of exploitation," the company said.

"There are still no reports of an active exploit, though customers must take immediate action to protect their instances. If you already applied the patch, no further action is required."

While attackers can exploit the vulnerability to wipe data on impacted servers, it cannot be used to steal data stored on vulnerable instances. It's also important to mention that Atlassian Cloud sites accessed through an atlassian.net domain are unaffected, according to Atlassian.

Today's warning follows another one issued by Atlassian's Chief Information Security Officer (CISO) Bala Sathiamurthy when the vulnerability was patched on Tuesday.

"As part of our continuous security assessment processes, we have discovered that Confluence Data Center and Server customers are vulnerable to significant data loss if exploited by an unauthenticated attacker," said Sathiamurthy.

"There are no reports of active exploitation at this time; however, customers must take immediate action to protect their instances."

Atlassian fixed the critical CVE-2023-22518 vulnerability in Confluence Data Center and Server versions 7.19.16, 8.3.4, 8.4.4, 8.5.3, and 8.6.1.

Mitigation measures available

The company urged admins to upgrade their software immediately and, if that isn't possible, to apply mitigation measures, including backing up unpatched instances and blocking Internet access to unpatched servers until they're updated.

If you can't immediately patch your Confluence instances, you can also remove known attack vectors by blocking access to the following endpoints. To do so, modify /<confluence-install-dir>/confluence/WEB-INF/web.xml as explained in the advisory, then restart the vulnerable instance:

  1. /json/setup-restore.action
  2. /json/setup-restore-local.action
  3. /json/setup-restore-progress.action

"These mitigation actions are limited and not a replacement for patching your instance; you must patch as soon as possible," Atlassian warned.
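
To confirm the web.xml change covers every endpoint in the list above, the following added example (not from Atlassian or the original article) parses a web.xml and reports which restore endpoints are not behind a deny-all rule. It assumes the block is written as a servlet `security-constraint` with an empty `auth-constraint`; the function names and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Endpoints from the article's mitigation list.
RESTORE_ENDPOINTS = (
    "/json/setup-restore.action",
    "/json/setup-restore-local.action",
    "/json/setup-restore-progress.action",
)
HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "PATCH"}

# Constructed sample: a partial mitigation that forgot the third endpoint.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/json/setup-restore.action</url-pattern>
      <url-pattern>/json/setup-restore-local.action</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

def _local(tag):
    """Strip the XML namespace so any web.xml schema version parses."""
    return tag.rsplit("}", 1)[-1]

def unblocked_endpoints(web_xml_text):
    """Return restore endpoints not covered by a deny-all constraint.
    Only exact url-pattern matches count; wildcards are not expanded."""
    blocked = set()
    for sc in ET.fromstring(web_xml_text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        auth = [e for e in sc if _local(e.tag) == "auth-constraint"]
        # Deny-all means an auth-constraint with no role-name children.
        if not auth or any(_local(c.tag) == "role-name" for a in auth for c in a):
            continue
        for coll in (e for e in sc if _local(e.tag) == "web-resource-collection"):
            kids = {}
            for c in coll:
                kids.setdefault(_local(c.tag), []).append((c.text or "").strip())
            omitted = {m.upper() for m in kids.get("http-method-omission", [])}
            # Listing http-method, or omitting a real method, leaves a gap.
            if "http-method" in kids or omitted & HTTP_METHODS:
                continue
            blocked.update(kids.get("url-pattern", []))
    return [ep for ep in RESTORE_ENDPOINTS if ep not in blocked]

if __name__ == "__main__":
    print("Still reachable:", unblocked_endpoints(SAMPLE_WEB_XML) or "none")
```

An empty result means all three endpoints are denied in the file that was parsed; the instance still has to be restarted for the change to apply, and the check does not replace patching.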

Last month, CISA, FBI, and MS-ISAC warned defenders to urgently patch Atlassian Confluence servers against an actively exploited privilege escalation flaw tracked as CVE-2023-22515.

Microsoft later discovered that a Chinese-backed threat group tracked as Storm-0062 (aka DarkShadow or Oro0lxy) had exploited the flaw as a zero-day since September 14, 2023.

Securing vulnerable Confluence servers is crucial, given their prior targeting in widespread attacks that pushed AvosLocker and Cerber2021 ransomware, Linux botnet malware, and crypto miners.
