Immediate Action Needed to Address Confluence Software Vulnerability

Discovery and Impact of Confluence Software Vulnerability

An improper authorization vulnerability has been discovered in Atlassian's Confluence software. Tracked as CVE-2023-22518, the flaw can result in significant data loss if exploited. All versions of Confluence Data Center and Server, the on-premises editions of Atlassian's product, are vulnerable to this issue. The vulnerability has been rated 9.1 out of 10 on the Common Vulnerability Scoring System (CVSS).

Atlassian’s Response and Patch Release

In response to the discovery of the flaw, Atlassian has issued urgent warnings to its customers about the vulnerability and the potential risks it poses. The company has released patches which address the flaw and has requested its customers to upgrade their Confluence versions immediately. The vendor specifically recommends upgrading to Confluence versions 7.19.16, 8.3.4, 8.4.4, 8.5.3, 8.6.1, or any later releases of the software, all of which contain fixes for the identified vulnerability.

Procedure for Patch Application

Before proceeding with the upgrade, Atlassian suggests that customers should disconnect their Confluence instances from the public internet. In cases where this is not feasible, they advise restricting external network access until the patches have been successfully applied to their systems.

A Repeat of Previous Security Issues

This warning comes as the second critical security alert issued by Atlassian in the month of October. Earlier, CVE-2023-22515 was reported; attackers exploited that flaw to create and misuse Confluence admin accounts. Adding to these security concerns, the company also reported a critical flaw in its Bitbucket product in August 2022.

Cloud-Based Confluence Safe from Attack

Users of SaaS-based Confluence software in Atlassian's cloud are, however, secure from these vulnerabilities, making Atlassian's cloud platform a safer alternative to its self-hosted options. Nevertheless, the company will continue to support its Data Center products for customers not comfortable switching to the cloud, despite the impending discontinuation of support for the Server version of Confluence in February 2024.

Increased Risk of Exploitation

Following the public release of technical information about CVE-2023-22518, Atlassian has raised concerns regarding its potential exploitation. The released information makes the vulnerability easier to exploit, putting Confluence users at greater risk.

Public Release of Technical Data on CVE-2023-22518

Atlassian updated its vulnerability alert on November 2, stating that the technical details of CVE-2023-22518 have become publicly available. Identified as an improper authorization issue, the vulnerability involves low attack complexity and requires no user interaction, making it a potential target for attackers with little to no special privileges.

Atlassian’s Monitoring and Response

Atlassian is keeping a close watch on the situation and has reiterated the urgent necessity for its customers to take immediate protective measures. While there are no reports of active exploits yet, the public release of technical information increases the likelihood of attackers exploiting the vulnerability. Atlassian's consistent advice for organizations that cannot immediately patch is to disconnect their Confluence instances from the internet until the patch can be applied.

Report by Security Intelligence Firm - Field Effect

Security intelligence firm Field Effect offered an analysis of the situation, stating that any attacker exploiting this vulnerability would be able to delete data on a Confluence instance or block access to it. It emphasized that exfiltration of data would not be possible. While this offers slight relief for organizations, the potential for data deletion and denial of service still makes the situation serious.

ProjectDiscovery’s Involvement

On the detection side, ProjectDiscovery, an open-source platform for vulnerability discovery and security testing, has released a detection template targeting the vulnerability, helping organizations identify exposed instances and strengthen their defenses against attacks exploiting CVE-2023-22518.

Immediate Action Needed Despite Lack of Exploitation Evidence

Even though there are no documented instances of the vulnerability being exploited in the wild yet, Atlassian is urging customers to act quickly. The proof of concept (PoC) exploit code for the critical vulnerability in Atlassian's Confluence Data Center and Server technology has been made public, and this increases the urgency for immediate patch application.

No Reports of In-The-Wild Exploitation Yet

As of the initial disclosures and updated warnings, Atlassian has reported no instances of the vulnerability being actively exploited in the wild. However, ShadowServer, an organization that monitors the internet for malicious activities, reported on November 3 that they've observed attempts to exploit the Atlassian vulnerability from at least 36 unique IP addresses in the last 24 hours. These attempts may not have led to actual exploitations yet but indicate the growing risk.

Vendor Emphasizes Quick Action Due to Vulnerability’s Critical Severity

The severity of the bug, rated at 9.1 out of 10 on the CVSS scale, underscores the vital need for immediate action. Atlassian has consistently emphasized that the improper authorization vulnerability poses a high risk of "significant data loss" if successfully exploited. The discovery of the PoC exploit code in the public domain further strengthens the necessity for organizations to apply the company's fixes immediately.

Assurance Given by Atlassian

Recognizing the urgency and potential anxiety among its customers, Atlassian has assured that should organizations have already applied the suggested patches, no further action is required. The patches fully address the vulnerability, offering protection against any potential exploitation attempts.

Details on Patch Application

To address this critical vulnerability, Atlassian has released several Confluence Data Center and Server versions with the necessary fixes. Specific patch application methods have been provided for organizations to follow, strengthening their defenses.

Confluence Data Center and Server Versions with Fixes for the Bug

Atlassian has released fixes for this issue in Confluence versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, and 7.18.1. These versions contain the necessary patches to address the flaw. Additionally, the vulnerability has been addressed in on-premise Confluence versions 6.13.23, 7.4.11, 7.11.6, 7.12.5, and 7.13.0. Customers are urged to upgrade to the latest Long Term Support release to ensure they are protected.

Patches Available in Specific Versions

In previous communications, Atlassian has advised upgrading to Confluence versions 7.19.16, 8.3.4, 8.4.4, 8.5.3, and 8.6.1 or later to mitigate the threat posed by this critical vulnerability. These versions have been designed to contain the crucial fixes.
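As an added example (not code from the article or from Atlassian), the following Python helper triages an inventory of Confluence Data Center/Server version strings against the fixed releases named above (7.19.16, 8.3.4, 8.4.4, 8.5.3, 8.6.1). It assumes that "or later" means a later release on the same feature branch, or any release after the newest fixed release (8.6.1); the hostnames and versions in the sample inventory are constructed placeholders.

```python
import re

# Fixed releases named in Atlassian's advisory for CVE-2023-22518 (taken
# from the article). Any later release on the same branch, or any release
# after the newest fixed branch, is treated as patched (an assumption
# about how "or later" should be read).
FIXED_VERSIONS = ["7.19.16", "8.3.4", "8.4.4", "8.5.3", "8.6.1"]


def parse_version(version: str) -> tuple:
    """Turn '8.5.3' (optionally with a suffix such as '-rc1') into (8, 5, 3).
    Missing components are treated as zero, so '8.5' becomes (8, 5, 0)."""
    m = re.match(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Confluence version string: {version!r}")
    return tuple(int(part) if part is not None else 0 for part in m.groups())


def is_patched(version: str) -> bool:
    """Return True if this Confluence version contains the CVE-2023-22518
    fix according to the version list above."""
    v = parse_version(version)
    fixed = sorted(parse_version(f) for f in FIXED_VERSIONS)
    branches = {(f[0], f[1]): f for f in fixed}
    branch = (v[0], v[1])
    if branch in branches:
        # Same feature branch: patched once at or past the fixed patch level.
        return v >= branches[branch]
    # No fix on this branch (e.g. 8.0.x-8.2.x, 7.18.x): only releases newer
    # than the newest fixed release (8.6.1) are considered patched.
    return v > fixed[-1]


def triage(inventory: dict) -> dict:
    """Map each host in a {host: version} inventory to 'patched' or
    'upgrade required'."""
    return {host: ("patched" if is_patched(ver) else "upgrade required")
            for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; these are placeholder hosts, not real ones.
    sample = {
        "wiki-a.example.internal": "8.5.3",
        "wiki-b.example.internal": "8.2.1",
        "wiki-c.example.internal": "7.19.15",
        "wiki-d.example.internal": "8.7.0",
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

Hosts reported as "upgrade required" are the ones to isolate from the internet or restrict network access to, as Atlassian advises, until they can be brought to a fixed release.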

Instructions for Patch Application

For organizations looking to upgrade, the latest version of the software can be downloaded from Atlassian's download centre. However, it should be noted that if Confluence is run in a cluster, upgrading to the fixed versions without downtime, also known as a rolling upgrade, will not be possible. As such, organizations are advised to follow the steps provided in Atlassian's documentation on Upgrading Confluence Data Center.

Reactionary Times News Desk
