In a recent discovery, it was found that the extremely popular Atlassian Confluence platform has a zero-day vulnerability. This alarming security flaw could potentially allow malicious actors to create administrator accounts on Confluence servers and carry out malicious actions.
CVE-2023-22515: A critical privilege escalation vulnerability
The vulnerability, now identified as CVE-2023-22515, has been rated by Atlassian with a severity score of 10.0 (critical). Despite its severity, Atlassian has not yet released detailed information about this vulnerability. However, reports suggest that it affects publicly accessible Confluence data centers and servers, enabling threat actors to create unauthorized administrator accounts and gain access to Confluence instances.
According to Atlassian’s security advisory, “instances on the public internet are particularly vulnerable, as this vulnerability is anonymously exploitable.”
Protecting your systems: Mitigation measures and threat detection
Atlassian has promptly recommended several steps to mitigate this critical issue. Users are advised to restrict access to the /setup/* endpoints on Confluence instances by following these instructions:
- Modify the file /<confluence-install-dir>/confluence/WEB-INF/web.xml and insert the following code block (directly before the </web-app> tag at the end of the file):
xmlCopy code
<security-constraint> <web-resource-collection> <url-pattern>/setup/*</url-pattern> <http-method-omission>*</http-method-omission> </web-resource-collection> <auth-constraint /> </security-constraint>
- Restart Confluence.
Regarding threat detection, Atlassian advises users to check all affected Confluence instances for signs of compromise, including:
- Unexpected members in the confluence-administrators group
- Unexpectedly created user accounts
- Requests to /setup/*.action in network access logs
- The presence of /setup/setupadministrator.action in an exception message in the Atlassian-confluence-security.log file in the Confluence home directory.
For further details and updates, you can view Atlassian’s security advisory [here](insert the link). Stay vigilant and take necessary actions to protect your Confluence environment.