In early November, the cybersecurity community witnessed the exploitation of a zero-day vulnerability in Confluence Data Center and Server. This critical vulnerability was related to Improper Authorization and assigned CVE-2023-22518 identifier. In this blog, we delve into the details of these vulnerabilities, their implications, and the necessary mitigation steps to protect your digital assets.

The CVE-2023-22518 vulnerability targeted all versions of the on-premises Confluence Data Center. This “Improper Authorization” vulnerability flaw allowed an unauthenticated attacker to reset Confluence and create a Confluence instance administrator account. Using this account, an attacker can gain unfettered access and perform administrative actions available to the Confluence instance administrator, leading to a full compromise of confidentiality, integrity, and availability.

Atlassian, the creators of Confluence, classified the severity level of this vulnerability as “critical” with a 10 rating with the following vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A: H)

In addition, active vulnerability exploitation was observed in the wild, including exploitation by ransomware cyber threat actors. Particularly, Trend Micro encountered the Cerber ransomware exploiting the Atlassian Confluence vulnerability CVE-2023-22518 in its operations.

Mitigation: Act Swiftly & Decisively

In response to this looming threat, Atlassian promptly released security patches to address the vulnerability. The following versions have been fortified against this vulnerability (7.19.16, 8.3.4, 8.4.4, 8.5.3, 8.6.1). We highly recommend all Confluence clients with on-premise installations update their systems immediately.

To ensure the security of your Confluence installation, we recommend following these steps:

  1. Update Confluence to one of the secure versions mentioned above.
  2. Conduct a thorough check for indicators of compromise (IoC) as described in the Atlassian advisory (especially if your Confluence application is Internet-facing).

Wallarm's Virtual Patch (VPatch) For Immediate Protection

Wallarm has taken proactive measures and issued a virtual patch (VPatch)  to safeguard your Confluence instance. We have issued a Virtual Patch (VPatch) designed to block exploitation attempts of the CVE-2023-22518. Wallarm clients are protected against potential attacks even before or without installing a security patch. However, as many variants of vulnerability exploitation may exist, we still recommend updates to Confluence as soon as possible.

Also, as the vulnerability was actively exploited as Zero-day (before Atlassian advisory and patch), attackers had a time window to perform persistence techniques on the server and the infrastructure. Thus, we highly recommend checking for Indicators-of-Compromise (IoC).

Broken Access Control Vulnerability (CVE-2023-22515)

In October 2023, another noticeable Broken Access Control vulnerability (CVE-2023-22515) was discovered in the Confluence Data Center and Server, underscoring the persistence of security issues. The vulnerability allowed unauthenticated attackers to create unauthorized Confluence administrator accounts and access Confluence instances. The vulnerability was actively exploited in the wild. Wallarm detected a staggering 1772 vulnerability exploitation attempts in October 2023 alone.

Conclusion: Protecting Your Digital Assets

The events surrounding these vulnerabilities highlight the perpetual attractiveness of Atlassian software, particularly Confluence and Jira, to malicious adversaries. These platforms are widely adopted for their utility as knowledge bases and bug-tracking systems, making them enticing targets. Additionally, the exposure of these systems to the internet, whether due to business needs or security misconfigurations, compounds the risk.

According to Shodan (the search engine for internet-connected devices), it currently lists approximately 21,943 Internet-facing installations of Confluence worldwide.

This abundance of potential entry points into an organization's infrastructure is a cause for concern. Attackers can exploit this access for various purposes, including ransomware attacks, financial gain, or data theft. In some cases, the acquired access may be traded in the dark corners of the Darknet, with prices varying based on factors such as company size, industry, region, and revenue.

In the face of these evolving threats, proactive measures, timely updates, and rigorous security practices are imperative to safeguard your digital assets. Wallarm remains committed to helping you navigate the complex cybersecurity landscape and fortify your defenses against emerging vulnerabilities. - Stay vigilant, stay protected, and stay ahead with Wallarm.



Vendor’s Advisory:

Nuclei Template: