Excerpt

Atlassian has been made aware of an issue reported by a handful of customers: external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances.


Severity

Atlassian rates the severity level of this vulnerability as Critical CVSS 10, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is our assessment, and you should evaluate its applicability to your own IT environment.


...

CVE-2023-22515 - Broken Access Control Vulnerability in Confluence Data Center and Server


Summary: CVE-2023-22515 - Broken Access Control Vulnerability in Confluence Data Center and Server
Advisory Release Date: Wed, Oct 4th 2023 06:00 PDT
Products:
  • Confluence Data Center
  • Confluence Server
CVE ID: CVE-2023-22515
Related Jira Ticket(s):

Updates

This advisory has been updated since the initial publication.

Changes since initial publication


Summary of Vulnerability

Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances.

...

Versions prior to 8.0.0 are not affected by this vulnerability.


Product: Confluence Data Center and Confluence Server
Affected Versions:
  • 8.0.0
  • 8.0.1
  • 8.0.2
  • 8.0.3
  • 8.0.4
  • 8.1.0
  • 8.1.1
  • 8.1.3
  • 8.1.4
  • 8.2.0
  • 8.2.1
  • 8.2.2
  • 8.2.3
  • 8.3.0
  • 8.3.1
  • 8.3.2
  • 8.4.0
  • 8.4.1
  • 8.4.2
  • 8.5.0
  • 8.5.1


What You Need To Do

...

Immediately patch to a fixed version

...

Atlassian recommends that you patch each of your affected installations to one of the listed fixed versions (or any later version) below.

Product: Confluence Data Center and Server
Fixed Versions:
  • 7.19.16 or later
  • 8.3.4 or later
  • 8.4.4 or later
  • 8.5.3 or later
  • 8.6.1 or later

Apply temporary mitigations if unable to patch

  1. Back up your instance. (Instructions: https://confluence.atlassian.com/doc/production-backup-strategy-38797389.html)
  2. Remove your instance from the internet until you can patch, if possible. Instances accessible to the public internet, including those with user authentication, should be restricted from external network access until you can patch.
  3. If you cannot restrict external network access or patch, apply the following interim measures to mitigate known attack vectors by blocking access on the following endpoints on Confluence instances:
    1. /json/setup-restore.action
    2. /json/setup-restore-local.action
    3. /json/setup-restore-progress.action

  4. This is possible at the network layer or by making the following changes to Confluence configuration files. On each node, modify /<confluence-install-dir>/confluence/WEB-INF/web.xml and add the following block of code (just before the </web-app> tag at the end of the file):
    Code Block
    <security-constraint>
    	<web-resource-collection>
    		<url-pattern>/json/setup-restore.action</url-pattern>
    		<url-pattern>/json/setup-restore-local.action</url-pattern>
    		<url-pattern>/json/setup-restore-progress.action</url-pattern>
    		<http-method-omission>*</http-method-omission>
    	</web-resource-collection>
    	<auth-constraint />
    </security-constraint>
  5. Restart Confluence.

    Note: These mitigation actions are limited and not a replacement for patching your instance; you must patch as soon as possible.
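The web.xml block above only works if it is copied exactly: an <auth-constraint /> with no <role-name> is what denies every caller (a <role-name>*</role-name> would merely require login), and the block must apply to every HTTP method, not just GET. The following script, an added example that is not Atlassian's code, parses a web.xml and reports which of the three endpoints are not fully blocked, so the edit can be verified on each node after the restart. The function names and the two sample documents are this example's own; the samples are constructed, not taken from a real installation.

```python
"""Verify that the CVE-2023-22515 interim block is present in a Confluence web.xml.

Added example, not Atlassian's code. Reports which of the three setup-restore
endpoints are NOT denied to all callers for all HTTP methods. Names such as
missing_endpoints() and the sample documents are this example's own.
"""
import xml.etree.ElementTree as ET

BLOCKED_ENDPOINTS = frozenset({
    "/json/setup-restore.action",
    "/json/setup-restore-local.action",
    "/json/setup-restore-progress.action",
})


def _name(elem):
    # Drop a namespace prefix such as {http://java.sun.com/xml/ns/javaee}.
    return elem.tag.rsplit("}", 1)[-1]


def _kids(elem, name):
    return [c for c in elem if _name(c) == name]


def _text(elem):
    return (elem.text or "").strip()


def covered_endpoints(web_xml_text):
    """Endpoints that some <security-constraint> denies to everyone for every method.

    A constraint only counts if its <auth-constraint> lists no <role-name>
    (empty auth-constraint = deny all; <role-name>*</role-name> only requires
    authentication), its <web-resource-collection> names no <http-method>
    (a method list limits the block to those verbs), and any
    <http-method-omission> is the literal "*" used in the advisory's snippet.
    """
    root = ET.fromstring(web_xml_text)
    covered = set()
    for sc in root.iter():
        if _name(sc) != "security-constraint":
            continue
        auth = _kids(sc, "auth-constraint")
        if not auth or _kids(auth[0], "role-name"):
            continue  # no auth-constraint, or one that still admits some role
        for wrc in _kids(sc, "web-resource-collection"):
            if _kids(wrc, "http-method"):
                continue  # restricted to specific verbs: partial block only
            if any(_text(o) != "*" for o in _kids(wrc, "http-method-omission")):
                continue  # a real verb is explicitly left unprotected
            for up in _kids(wrc, "url-pattern"):
                if _text(up) in BLOCKED_ENDPOINTS:
                    covered.add(_text(up))
    return covered


def missing_endpoints(web_xml_text):
    """Sorted list of advisory endpoints the given web.xml does not fully block."""
    return sorted(BLOCKED_ENDPOINTS - covered_endpoints(web_xml_text))


# Constructed sample: the advisory's block inside a minimal namespaced web-app.
GOOD_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/json/setup-restore.action</url-pattern>
      <url-pattern>/json/setup-restore-local.action</url-pattern>
      <url-pattern>/json/setup-restore-progress.action</url-pattern>
      <http-method-omission>*</http-method-omission>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>
</web-app>"""

# Constructed weak variant: first constraint covers GET only, second one
# requires authentication instead of denying everyone. Nothing is blocked.
WEAK_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/json/setup-restore.action</url-pattern>
      <url-pattern>/json/setup-restore-local.action</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/json/setup-restore-progress.action</url-pattern>
      <http-method-omission>*</http-method-omission>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else GOOD_WEB_XML
    gaps = missing_endpoints(text)
    print("mitigation present" if not gaps else "NOT blocked: " + ", ".join(gaps))
```

Run it as `python check_webxml.py /<confluence-install-dir>/confluence/WEB-INF/web.xml` on every node; with no argument it checks the embedded good sample. The check is deliberately strict: a constraint that names HTTP methods or grants a role is reported as not blocking, because such a constraint would let a request through under some method or for any logged-in user.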

2. Threat detection

Atlassian cannot confirm whether your instances have been affected by this vulnerability. Work with your security team to check all affected Confluence instances for evidence of compromise, as outlined below. If any evidence is found, you should assume that your instance has been compromised and evaluate the risk of flow-on effects. If your Confluence instances have been compromised, these threat actors hold full administrative access and can perform any number of unfettered actions including - but not limited to - exfiltration of content and system credentials, and installation of malicious plugins.

Evidence of compromise may include:

  • unexpected members of the confluence-administrators group
  • unexpected newly created user accounts
  • requests to /setup/*.action in network access logs
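The access-log indicator is the one that can be checked mechanically. The script below, an added example that is not Atlassian's code, scans access-log lines for the request paths the advisory names (anything under /setup/*.action plus the three /json/setup-restore* endpoints), records whether the server refused each request, and lists the client addresses that reached an endpoint without being refused. The log lines are constructed for this example in Apache/Tomcat "combined" format; LOG_LINE_RE is an assumption about your log format, and the specific path under /setup/ in the sample is illustrative, chosen only to match the advisory's pattern.

```python
"""Flag CVE-2023-22515 indicators in Confluence access logs.

Added example, not Atlassian's code. Keeps requests to the paths the advisory
names as evidence of compromise and groups them by client IP. SAMPLE_LOG is
constructed for this example (combined log format); adjust LOG_LINE_RE if a
reverse proxy or Tomcat writes a different format.
"""
import re
from collections import defaultdict

LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# /setup/<anything>.action and the three blocked JSON endpoints, query string allowed.
SUSPICIOUS_PATH_RE = re.compile(
    r'^/(?:setup/[^/?]+\.action|json/setup-restore(?:-local|-progress)?\.action)(?:\?|$)'
)

# Constructed sample input; IPs are documentation ranges, paths are illustrative.
SAMPLE_LOG = """\
198.51.100.7 - - [04/Oct/2023:10:02:11 +0000] "GET /login.action HTTP/1.1" 200 5120
203.0.113.9 - - [04/Oct/2023:10:03:42 +0000] "GET /json/setup-restore.action HTTP/1.1" 200 812
203.0.113.9 - - [04/Oct/2023:10:03:58 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0
198.51.100.7 - - [04/Oct/2023:10:05:20 +0000] "GET /pages/viewpage.action?pageId=65537 HTTP/1.1" 200 23011
this line is not an access-log record and is skipped
192.0.2.5 - - [05/Oct/2023:08:41:03 +0000] "GET /json/setup-restore-local.action HTTP/1.1" 403 0
"""


def scan(lines):
    """Return one finding per suspicious request, in log order.

    'blocked' is True when the server answered 401/403, i.e. the request was
    refused (by the web.xml constraint or a network-layer rule) and is a probe
    rather than a likely success. Lines that do not parse are ignored.
    """
    findings = []
    for line in lines:
        m = LOG_LINE_RE.match(line)
        if not m or not SUSPICIOUS_PATH_RE.match(m["path"]):
            continue
        status = int(m["status"])
        findings.append({
            "ip": m["ip"],
            "time": m["time"],
            "method": m["method"],
            "path": m["path"],
            "status": status,
            "blocked": status in (401, 403),
        })
    return findings


def by_source(findings):
    """Group findings by client IP so each source can be reviewed as a sequence."""
    groups = defaultdict(list)
    for f in findings:
        groups[f["ip"]].append(f)
    return dict(groups)


def likely_compromise_sources(findings):
    """IPs that reached a listed endpoint without being refused; investigate these first."""
    return sorted({f["ip"] for f in findings if not f["blocked"]})


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    hits = scan(source)
    for ip, items in by_source(hits).items():
        print(ip, [(f["method"], f["path"], f["status"]) for f in items])
    print("investigate:", likely_compromise_sources(hits))
```

Run it as `python scan_access_log.py /path/to/access_log`; with no argument it scans the embedded sample. A refused (403) request is still worth keeping: it shows who is probing the endpoints, and it confirms the block is in place. Any unrefused hit should be followed by the other two checks in the list above (administrator group membership and recently created accounts), which come from the Confluence user directory rather than the logs.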


For more information, see https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html