[CDP-development] TLP:GREEN (Zero-Day Alert Notification) CVE-2023-22515: A Vulnerability in Atlassian Confluence Server and Data Center Could Allow for Privilege Escalation
CSS Security Operations Services * DAS
css-soc-services at das.oregon.gov
Thu Oct 5 09:38:12 PDT 2023
Good morning,
The SOC Services team is reporting on the vulnerability: MS-ISAC ADVISORY 2023-115 A Vulnerability in Atlassian Confluence Server and Data Center Could Allow for Privilege Escalation. Because of its high visibility, the known presence of this software in the state environment, and active exploitation, we are providing this in-depth information:
History: On October 4th, 2023, Atlassian released updates to patch Confluence Server and Confluence Data Center. CVE-2023-22515 was published the same day and is currently assigned a CVSSv3 rating of 8.8 (High). The vulnerability is described as a critical privilege escalation that is remotely exploitable and affects on-premises instances of Confluence Server and Confluence Data Center.
The following products are affected:
* 8.0.0
* 8.0.1
* 8.0.2
* 8.0.3
* 8.0.4
* 8.1.0
* 8.1.1
* 8.1.3
* 8.1.4
* 8.2.0
* 8.2.1
* 8.2.2
* 8.2.3
* 8.3.0
* 8.3.1
* 8.3.2
* 8.4.0
* 8.4.1
* 8.4.2
* 8.5.0
* 8.5.1
** Versions PRIOR to 8.0.0 are not affected by this vulnerability
Patches are available from Atlassian to fix the vulnerability. The fixed versions are:
* 8.3.3 or later
* 8.4.3 or later
* 8.5.2 (Long Term Support release) or later
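As an added example (not part of the original advisory or of Atlassian's tooling), the following Python encodes the affected and fixed version ranges above so that an inventory of Confluence hosts can be triaged against them. The hostnames and versions in the inventory are constructed sample data, and the version parser is an assumption that tolerates suffixes such as "-rc1".

```python
"""Triage Confluence Server / Data Center versions against CVE-2023-22515.

Added example; the ranges encode the advisory's affected and fixed versions:
  8.0.0 <= v < 8.3.3  (8.0.x, 8.1.x and 8.2.x have no fixed release; move to 8.3.3+)
  8.4.0 <= v < 8.4.3
  8.5.0 <= v < 8.5.2
Anything below 8.0.0 is not affected.
"""
import re

# (first affected, first fixed) per release train, as half-open ranges.
AFFECTED_RANGES = [
    ((8, 0, 0), (8, 3, 3)),
    ((8, 4, 0), (8, 4, 3)),
    ((8, 5, 0), (8, 5, 2)),
]

LTS_FIX = (8, 5, 2)  # Long Term Support release named in the advisory


def parse_version(text):
    """'8.5.1' -> (8, 5, 1); a suffix such as '8.5.1-rc1' keeps only the leading digits.

    Assumed parser: Atlassian version strings are dotted integers, but be
    conservative and reject anything that does not look like one.
    """
    parts = text.strip().split(".")
    if len(parts) < 2:
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    nums = []
    for part in parts[:3]:
        match = re.match(r"\d+", part)
        if not match:
            raise ValueError(f"unrecognised Confluence version: {text!r}")
        nums.append(int(match.group()))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def fmt(version):
    return ".".join(str(n) for n in version)


def triage(version_text):
    """Return (affected, minimum_fixed_version_or_None) for one installed version."""
    version = parse_version(version_text)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= version < first_fixed:
            return True, fmt(first_fixed)
    return False, None


def triage_inventory(inventory):
    """inventory: {hostname: version string}. Returns only hosts that need action,
    sorted by hostname, with the minimum fix for their train and the LTS fix."""
    findings = []
    for host, version_text in sorted(inventory.items()):
        affected, minimum_fix = triage(version_text)
        if affected:
            findings.append({
                "host": host,
                "installed": version_text,
                "minimum_fix": minimum_fix,
                "lts_fix": fmt(LTS_FIX),
            })
    return findings


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = {
    "wiki-prod-01": "8.5.1",
    "wiki-prod-02": "8.5.2",
    "wiki-test-01": "8.1.4",
    "wiki-legacy-01": "7.19.14",
    "wiki-dr-01": "8.4.2",
}

if __name__ == "__main__":
    for f in triage_inventory(SAMPLE_INVENTORY):
        print(f"{f['host']}: {f['installed']} is affected; "
              f"upgrade to {f['minimum_fix']} or later (LTS: {f['lts_fix']})")
```

Note that an 8.1.x or 8.2.x install has no patched release in its own train, so the minimum fix reported for it is 8.3.3; in practice the LTS release 8.5.2 is the usual target.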
Further information is available from Atlassian:
* https://confluence.atlassian.com/kb/faq-for-cve-2023-22515-1295682188.html
Intelligence: As of October 4th, 2023, Atlassian is aware that CVE-2023-22515 has been exploited in the wild, and it is very likely that threat actors will continue to leverage it over the coming months. Upgrading to a fixed version closes the vulnerability but does not undo an existing compromise: any administrator accounts an attacker has already created remain after the upgrade and must be found and removed.
Workarounds: If you cannot upgrade to one of the fixed versions, apply mitigations in the meantime: remove access to the instance from external networks, and block access to the /setup/* endpoints on Confluence instances (for example, at the network layer or at the reverse proxy in front of Confluence).
How it works: CVE-2023-22515 allows a remote attacker to create unauthorized administrator accounts on externally facing Confluence instances and then log in with them. With such an account the attacker can perform any administrative action within the Confluence instance. Atlassian has confirmed that attackers are exploiting the vulnerability.
Post-Exploit: Upon successful exploitation of the vulnerability, the attacker holds an unauthorized administrator account on the instance and can perform administrative actions in the context of that Confluence instance.
Admins should also check for indicators of compromise, which are:
* Unexpected members of the confluence-administrator group
* Unexpected newly created user accounts
* Requests to /setup/*.action in network access logs
* Presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory
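As an added example (not part of the original advisory or of Atlassian's tooling), the following Python runs three of the four indicators above over sample data: it finds /setup/*.action requests in an access log, lines mentioning /setup/setupadministrator.action in the security log, and administrator-group members missing from a known-good baseline. The log lines, the message text in them and the admin lists are constructed; the access-log regex assumes a Tomcat/common-log-format style line and must be adjusted to whatever format your instance or reverse proxy writes.

```python
"""Scan Confluence logs for the CVE-2023-22515 indicators listed in the advisory.

Added example. The access-log format, the security-log message text and the
administrator lists below are assumptions / constructed sample data.
"""
import re

# Assumed Tomcat/common-log-format style access-log line.
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Matches a final path segment /setup/<anything>.action, with or without a
# context path such as /confluence in front; the query string is stripped first.
SETUP_ACTION_RE = re.compile(r"/setup/[^/?#]+\.action$")
SECURITY_LOG_MARKER = "/setup/setupadministrator.action"


def parse_access_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    match = ACCESS_RE.match(line)
    if not match:
        return None
    fields = match.groupdict()
    fields["path"] = fields["target"].split("?", 1)[0]
    return fields


def find_setup_requests(lines):
    """Return every access-log entry whose path is /setup/*.action, regardless of
    status code: a 403 from a blocked endpoint is still evidence of an attempt."""
    hits = []
    for line in lines:
        entry = parse_access_line(line)
        if entry and SETUP_ACTION_RE.search(entry["path"]):
            hits.append(entry)
    return hits


def find_security_log_hits(lines):
    """Return atlassian-confluence-security.log lines mentioning the setup-administrator action."""
    return [line for line in lines if SECURITY_LOG_MARKER in line]


def unexpected_admins(current_members, baseline):
    """Members of the administrator group that are not in the approved baseline."""
    return sorted(set(current_members) - set(baseline))


# --- constructed sample data -------------------------------------------------
ACCESS_LOG = """\
203.0.113.7 - - [04/Oct/2023:03:12:41 +0000] "GET /login.action HTTP/1.1" 200 5123
203.0.113.7 - - [04/Oct/2023:03:12:49 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0
198.51.100.20 - - [04/Oct/2023:03:15:02 +0000] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 8810
203.0.113.7 - - [04/Oct/2023:03:12:53 +0000] "GET /confluence/setup/finishsetup.action?x=1 HTTP/1.1" 403 0
"""

# Hypothetical message text; only the marker substring is what the indicator relies on.
SECURITY_LOG = """\
2023-10-04 03:12:49,102 WARN [http-nio-8090-exec-5] [confluence.security] Exception handling request for /setup/setupadministrator.action after setup completed
2023-10-04 03:20:11,004 INFO [http-nio-8090-exec-2] [confluence.security] User jdoe logged in
"""

BASELINE_ADMINS = {"admin", "svc-confluence"}      # approved members, from your records
CURRENT_ADMINS = ["admin", "svc-confluence", "a1b2c3"]  # as exported from the instance

if __name__ == "__main__":
    for hit in find_setup_requests(ACCESS_LOG.splitlines()):
        print(f"setup request: {hit['client']} {hit['method']} {hit['path']} -> {hit['status']}")
    for line in find_security_log_hits(SECURITY_LOG.splitlines()):
        print(f"security log: {line}")
    print("unexpected admins:", unexpected_admins(CURRENT_ADMINS, BASELINE_ADMINS))
```

The current administrator list is taken as input rather than queried here, because how it is exported (admin UI, user directory, database) varies by deployment; the point is that the comparison is against a baseline you recorded before October 2023, not against what the instance says today.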
As of October 4th, 2023, the following vulnerability plugin has been released and is currently in Tenable Security Center:
Plugin   Title                                                                              Severity
182550   Atlassian Confluence 8.x < 8.3.3 / 8.4.x < 8.4.3 / 8.5.x < 8.5.2 (CONFSERVER-92475)   High
Recommended Actions:
* Verify the host has not been compromised before applying patches; an upgrade alone does not remove attacker-created accounts.
* Apply appropriate updates provided by the vendor to vulnerable systems immediately after appropriate testing.
* Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
* Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
* Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.
* Apply the Principle of Least Privilege to all systems and services.