Attackers are actively exploiting Confluence Data Center & Server. Here's what you need to know.
Confluence issued a security advisory for a critical vulnerability. The flaw, CVE-2023-22515, affects Confluence Data Center & Server commonly used for collaboration and development. The vulnerability allows a remote attacker to perform malicious actions an affected system. We recommend organizations apply security updates immediately due to active exploitation.
This critical privilege escalation flaw affects Confluence Data Center and Server 8.0.0 and later and is described as being remotely exploitable in low-complexity attacks that don't require user interaction. An attacker could gain remote access and perform malicious actions on an affected system. Corvus has observed similar vulnerabilities lead to data theft and extortion as well as ransomware attacks.
Note: Atlassian Cloud sites are not affected by this vulnerability.
If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.
Next steps for Confluence Data Center & Server customers:
- Update to a fixed version.
- 8.3.3 or later
- 8.4.3 or later
- 8.5.2 (Long Term Support release) or later
- If you are unable to upgrade Confluence, as an interim measure we recommend restricting external network access to the affected instance as a workaround.
- On each node, modify /<confluence-install-dir>/confluence/WEB-INF/web.xml and add the following block of code (just before the </web-app> tag at the end of the file):
- As well as upgrading to a fixed version, we recommend you check all affected Confluence instances for the following indicators of compromise:
- unexpected members of the confluence-administrator group
- unexpected newly created user accounts
- requests to /setup/*.action in network access logs
- presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory