Critical Confluence Authorization Vulnerability Actively Exploited
Cloud Security Analyst at Cyscale
Wednesday, November 8, 2023
Atlassian has warned that as of November 6th it has observed 'several active exploits' and reports of threat actors using ransomware in association with a critical Improper Authorization Vulnerability in Confluence Data Center and Server.
CVE-2023-22518, first published on October 31st, 2023, is a Confluence vulnerability that affects all pre-existing versions of Data Center and Server. It was initially assigned a CVSS score of 9.1, which was increased to 10, the maximum, on November 6th.
This is the second critical vulnerability in Atlassian Data Center and Server discovered in the same month, alongside CVE-2023-22515.
Confluence Improper Authorization vulnerability in detail
This vulnerability occurs due to Improper Authorization. The bug enables the attacker to:
- reset a Confluence instance, and to
- create a Confluence instance administrator account.
This means the attacker can either reset the entire instance, causing the company to lose data unless it is backed up, or they can steal the data by creating an administrator account.
What you need to do: mitigation of the Confluence Improper Authorization vulnerability
Since every version released before the fix is affected, Atlassian urges users to patch immediately to the fixed versions:
- 7.19.16,
- 8.3.4,
- 8.4.4,
- 8.5.3,
- 8.6.1.
If patching is not possible straight away, remove the instance from being publicly accessible. This is a temporary measure that allows you to gain time by limiting the attack surface – if your instance is not Internet-facing, attackers cannot reach it as easily.
Besides this, it is recommended to back up your instance.
If you cannot patch the instance and remove it from the internet, you can apply the following temporary solutions, which you can also find on Atlassian’s page:
Block access to the following endpoints:
- /json/setup-restore.action
- /json/setup-restore-local.action
- /json/setup-restore-progress.action
To do that, on each node, modify /
<security-constraint>
    <web-resource-collection>
        <url-pattern>/json/setup-restore.action</url-pattern>
        <url-pattern>/json/setup-restore-local.action</url-pattern>
        <url-pattern>/json/setup-restore-progress.action</url-pattern>
        <http-method-omission>*</http-method-omission>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>
Then, restart your instance.
How do you know if you were affected?
If you cannot log in anymore, it could be a sign that your Confluence instance has been compromised. Besides this, look out for:
- requests to /json/setup-restore* in your logs,
- installed unknown plugins (the malicious plugin web.shell.Plugin was reported, according to Atlassian),
- corrupted data or encrypted files that were not encrypted before,
- new and unexpected members of the confluence-administrators group,
- new and unexpected user accounts.
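As an added example (not from the original post or from Atlassian), here is a small Python checker that scans access-log lines for the /json/setup-restore* requests listed above and separates refused requests from ones the server actually served. The Tomcat-style log format and the sample lines are constructed assumptions; adjust the pattern to your own access-log configuration.

```python
import re

# Assumed common/combined access-log format (Confluence's bundled Tomcat
# AccessLogValve writes something like this; adjust if yours differs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Prefix covering all three endpoints named in Atlassian's advisory.
RESTORE_PREFIX = "/json/setup-restore"


def find_setup_restore_requests(lines):
    """Return one record per request that hit a setup-restore endpoint.

    The query string is stripped before matching so variants with parameters
    are still caught. `blocked` is True when the server answered 401/403,
    i.e. the web.xml security constraint (or the patch) refused the request;
    any other status on these endpoints deserves an incident-response look.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable or differently formatted line
        path = m.group("path").split("?", 1)[0]
        if not path.startswith(RESTORE_PREFIX):
            continue
        status = int(m.group("status"))
        hits.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "method": m.group("method"),
            "path": path,
            "status": status,
            "blocked": status in (401, 403),
        })
    return hits


# Constructed sample log lines (not real traffic): a benign page view, a
# POST to the restore endpoint that was served, and one that was refused.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Nov/2023:10:14:02 +0000] "GET /pages/viewpage.action?pageId=1 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [06/Nov/2023:10:15:44 +0000] "POST /json/setup-restore.action HTTP/1.1" 200 812',
    '198.51.100.7 - - [06/Nov/2023:10:16:01 +0000] "GET /json/setup-restore-progress.action HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for hit in find_setup_restore_requests(SAMPLE_LOG):
        flag = "blocked" if hit["blocked"] else "INVESTIGATE"
        print(f'{flag}: {hit["ip"]} {hit["method"]} {hit["path"]} -> {hit["status"]}')
```

Feed it the real access log (one line per list element) and treat every non-blocked hit as a trigger for the other checks in the list above, in particular the administrator-group and plugin review.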
Cyscale customers are already protected, as the Cyscale cloud security platform surfaces assets affected by the Improper Authorization Vulnerability in Confluence Data Center and Server as long as their vulnerability scanner of choice has been updated.
Sabrina Lupsan merges her academic knowledge in Information Security with practical research to analyze and strengthen cloud security. At Cyscale, she leverages her Azure Security Engineer certification and her Master's in Information Security to keep the company's services at the leading edge of cybersecurity developments.