IT networks under attack via critical Confluence zero-day. Patch now

'Handful' of customers hit so far, public-facing instances at risk


Atlassian today said miscreants have exploited a critical bug in on-premises instances of Confluence Server and Confluence Data Center to create and abuse admin accounts within the enterprise collaboration software.

The privilege-escalation vulnerability, tracked as CVE-2023-22515, affects versions 8.0.0 through 8.5.1. Versions prior to 8.0.0 are not impacted by the flaw. Our reading of the details is that public-facing instances are potentially in danger: anyone who can reach a vulnerable deployment can attempt to exploit it and gain admin-level access. Some customers have already been hit via this zero-day vulnerability, and updates are now available to shore up installations.

"Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances," according to a Wednesday advisory from the software giant.

"Instances on the public internet are particularly at risk, as this vulnerability is exploitable anonymously."

The software maker also warns that if an instance has already been hijacked, upgrading will not boot out the intruders. Thus, IT orgs must take steps to determine if a compromise has happened and weed out unauthorized admins, undo any damage that has happened, find out what has been accessed, and so on.

A spokesperson declined to answer specific questions about the vulnerability, or how many customers were compromised, though did confirm Atlassian Cloud sites are not impacted.

"We have provided customers with details of affected versions, mitigation steps required and threat detection actions in our critical security advisory," the spokesperson told The Register.

In addition to updating to fixed versions of the software, Atlassian urged customers to apply mitigation measures. These include restricting external network access to instances. Admins can also mitigate known attack vectors by not allowing access to the /setup/* endpoints on Confluence instances. 

In a separate advisory, infosec shop Rapid7 weighed in on the CVE, with researcher Caitlin Condon noting: "Atlassian does not specify the root cause of the vulnerability or where exactly the flaw resides in Confluence implementations, though the indicators of compromise include mention of the /setup/* endpoints."
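The mitigation Atlassian describes (block the /setup/* endpoints) and Rapid7's note that the indicators of compromise mention those same endpoints point at one defensive check: go through the web access logs for any request that reached /setup/*. The following is an added example, not code from Atlassian, Rapid7 or The Register; it assumes Apache/Tomcat combined-format access logs, a constructed sample, and that the RFC 1918 ranges listed are the only trusted internal networks.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (Apache/Tomcat "combined" format), for
# illustration only; the addresses are documentation ranges, not real clients.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Oct/2023:10:01:12 +0000] "GET /login.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Oct/2023:10:01:15 +0000] "POST /setup/some-step.action HTTP/1.1" 302 0 "-" "python-requests/2.31"
10.0.0.5 - - [04/Oct/2023:10:02:00 +0000] "GET /rest/api/content HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
198.51.100.9 - - [04/Oct/2023:10:03:41 +0000] "GET /%73etup/?x=1 HTTP/1.1" 200 812 "-" "curl/8.1"
192.168.1.20 - - [04/Oct/2023:10:04:02 +0000] "GET /setup/ HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: these RFC 1918 ranges are the only trusted internal clients.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def touches_setup(target: str) -> bool:
    """True for /setup or anything below /setup/. The path is percent-decoded
    and lower-cased first so trivial encoding variants do not slip past."""
    path = unquote(urlsplit(target).path).lower()
    return path == "/setup" or path.startswith("/setup/")

def find_setup_hits(log_text: str) -> list:
    """One dict per request that reached a /setup/* endpoint. Malformed lines
    are skipped rather than aborting the scan."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not touches_setup(m["target"]):
            continue
        hits.append({"ip": m["ip"], "time": m["ts"], "method": m["method"],
                     "status": int(m["status"]),
                     "external": not is_internal(m["ip"])})
    return hits

def external_sources(hits: list) -> Counter:
    """Requests per external client; these are the ones to triage first."""
    return Counter(h["ip"] for h in hits if h["external"])
```

Any external hit, and especially one the server did not reject, is a prompt to audit the Confluence administrator list, since upgrading alone does not remove accounts that were already created.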

Condon also said it's "unusual" but "not unprecedented" for a privilege-escalation vulnerability to earn a critical severity rating. In this case, it appears to be an unauthenticated remote elevation-of-privilege hole, allowing miscreants to create their own admin accounts to use, which would be bad.

"Atlassian's advisory implies that the vulnerability is remotely exploitable, which is typically more consistent with an authentication bypass or remote code execution chain than a privilege escalation issue by itself," Condon said. 

"It's possible that the vulnerability could allow a regular user account to elevate to admin — notably, Confluence allows for new user sign-ups with no approval, but this feature is disabled by default."

More details, and likely victims, will undoubtedly emerge in the coming days, and we'll be keeping a close eye on this vulnerability. Stay tuned. ®
