Atlassian has released critical updates for a zero-day vulnerability affecting publicly accessible Confluence Data Center and Server instances. The flaw, tracked as CVE-2023-22515, can be exploited remotely by unauthenticated attackers to create unauthorized Confluence administrator accounts and thereby gain full access to the affected server.
The vulnerability affects Confluence Data Center and Server versions 8.0.0 and later. Cloud sites hosted on an atlassian.net domain are not affected. A small number of customers reported the issue to Atlassian, which moved quickly to publish fixes and mitigations.
The fixed releases are Confluence Data Center and Server 8.3.3 or later, 8.4.3 or later, and the long-term support release 8.5.2 or later; any 8.x instance below those versions should be updated immediately. Atlassian has not published details of the exploit or the root cause of the flaw, describing it only as a privilege escalation risk.
Organizations that cannot apply the updates immediately are strongly advised to restrict external network access to vulnerable instances. Atlassian also recommends blocking access to the /setup/* endpoints as an interim mitigation, either at the network layer (firewall or reverse proxy) or by editing Confluence's own configuration files (for example, adding a security constraint for /setup/* in the Confluence web.xml). This is a stopgap: it does not remove the flaw, and it does nothing for an instance that was already compromised before the block was put in place.
Atlassian has also shared indicators of compromise (IoCs): unexpected members of the confluence-administrator group, newly created user accounts that nobody authorized, and requests to /setup/*.action in network access logs (on an instance that has completed initial setup, these endpoints should not normally see traffic). An exception message referencing /setup/setupadministrator.action in atlassian-confluence-security.log is a further sign that the instance may have been attacked.
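The following is an added example, not code from Atlassian or from the original article, that sweeps for the three log-based and account-based IoCs listed above. The access-log layout, the security-log lines and the account names are constructed sample data; the regular expression assumes a combined-log style line such as a reverse proxy or Tomcat access log produces and should be adapted to your environment. It percent-decodes request paths before matching because a proxy logs the raw request line while the servlet container decodes it before routing, so an encoded path still reaches the setup action.

```python
"""IoC sweep for CVE-2023-22515 (added illustration; not Atlassian code).

Checks the indicators from Atlassian's advisory:
  1. requests to /setup/*.action in access logs
  2. an exception naming /setup/setupadministrator.action in
     atlassian-confluence-security.log
  3. unexpected members of confluence-administrator
All sample data below is constructed; log formats are assumptions.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

# Assumed combined-log layout: client ident user [ts] "METHOD path proto" status
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Deliberately loose: searched (not anchored) and case-insensitive, so that
# doubled slashes or dot segments in front of /setup/ are still caught.
SETUP_ACTION_RE = re.compile(r'/setup/[^?]*\.action$', re.IGNORECASE)
SETUP_ADMIN_ACTION = '/setup/setupadministrator.action'


@dataclass
class Findings:
    setup_requests: list = field(default_factory=list)   # (ip, ts, method, path, status)
    security_log_hits: list = field(default_factory=list)
    unexpected_admins: list = field(default_factory=list)


def scan_access_log(lines):
    """Return every request whose decoded path hits a /setup/*.action endpoint."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue                       # not an access-log line we understand
        raw_path = m['path'].split('?', 1)[0]   # drop query string first
        path = unquote(raw_path)                # then percent-decode, as the container does
        if SETUP_ACTION_RE.search(path):
            hits.append((m['ip'], m['ts'], m['method'], path, int(m['status'])))
    return hits


def scan_security_log(lines):
    """Lines mentioning the setup-administrator action together with an exception."""
    return [ln for ln in lines
            if SETUP_ADMIN_ACTION in ln and 'exception' in ln.lower()]


def unexpected_admins(current_members, approved_members):
    """Members of confluence-administrator that are not on the approved baseline."""
    return sorted(set(current_members) - set(approved_members))


def sweep(access_lines, security_lines, current_admins, approved_admins):
    return Findings(
        setup_requests=scan_access_log(access_lines),
        security_log_hits=scan_security_log(security_lines),
        unexpected_admins=unexpected_admins(current_admins, approved_admins),
    )


def is_compromise_suspected(findings):
    """Any single indicator on a fully set-up instance warrants the IR steps."""
    return bool(findings.setup_requests
                or findings.security_log_hits
                or findings.unexpected_admins)


# --- constructed sample data (hypothetical addresses, times and names) ---
SAMPLE_ACCESS = """\
203.0.113.7 - - [04/Oct/2023:10:12:01 +0000] "GET /login.action HTTP/1.1" 200 5120
203.0.113.7 - - [04/Oct/2023:10:12:05 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0
198.51.100.3 - - [04/Oct/2023:10:15:00 +0000] "GET /setup/finishsetup.action HTTP/1.1" 200 1024
192.0.2.10 - - [04/Oct/2023:10:20:00 +0000] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 8000
203.0.113.7 - - [04/Oct/2023:10:21:00 +0000] "POST /setup/%73etupadministrator.action HTTP/1.1" 200 100
""".splitlines()

# Format of atlassian-confluence-security.log is assumed, not taken from Atlassian.
SAMPLE_SECURITY = [
    "2023-10-04 10:12:05,431 WARN [http-nio-8090-exec-7] [security.SecurityLog] "
    "java.lang.Exception: request to /setup/setupadministrator.action rejected",
    "2023-10-04 10:13:00,000 INFO [http-nio-8090-exec-2] [security.SecurityLog] user admin logged in",
]
SAMPLE_ADMINS = ["admin", "jsmith", "setupadmin01"]
APPROVED_ADMINS = ["admin", "jsmith"]

if __name__ == "__main__":
    result = sweep(SAMPLE_ACCESS, SAMPLE_SECURITY, SAMPLE_ADMINS, APPROVED_ADMINS)
    for hit in result.setup_requests:
        print("setup request:", hit)
    for ln in result.security_log_hits:
        print("security log:", ln)
    print("unexpected admins:", result.unexpected_admins)
    print("compromise suspected:", is_compromise_suspected(result))
```

Feed it the real access log (from the proxy in front of Confluence as well as Tomcat's own, since the two may differ) and the security log from the Confluence home directory, and take the current confluence-administrator membership from the admin UI or the database rather than from memory. A positive result from any one check is enough to start the disconnection and investigation steps that follow.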
If compromise is confirmed, Atlassian advises immediately disconnecting the affected server from the network and the Internet, together with any connected systems that share credentials with the compromised instance. Patching alone does not evict an attacker who has already created an administrator account, so the rogue accounts and any changes they made must be identified and removed as part of the response.
A critical rating for a flaw labelled only as privilege escalation is unusual, since that rating is normally reserved for authentication bypass or remote code execution; in practice, though, the impact here is equivalent to an authentication bypass, because an unauthenticated remote attacker ends up holding an administrator account. The incident adds to ongoing concerns about the exposure of Atlassian Confluence instances, which threat actors have targeted repeatedly in the past, and organizations running the software should apply the updates or the interim mitigations without delay.