CVE-2023-22515: FAQ for CVE-2023-22515 | Atlassian Support

Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances.

Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.

General Information

A critical severity authentication vulnerability was discovered in Confluence Server and Data Center (CVE-2023-22515).

This page contains frequently asked questions and answers about this vulnerability. The Atlassian Security Team will update this page as new information becomes available.

Is my Confluence instance affected?

The Confluence Data Center and Server versions listed below are affected by this vulnerability. Publicly accessible instances running these versions are at critical risk and require immediate attention. Customers using these versions should upgrade their instances as soon as possible.

Versions prior to 8.0 are not affected by this vulnerability.

Product: Confluence Data Center and Confluence Server

Affected versions:

  • 8.0.0
  • 8.0.1
  • 8.0.2
  • 8.0.3
  • 8.1.0
  • 8.1.3
  • 8.1.4
  • 8.2.0
  • 8.2.1
  • 8.2.2
  • 8.2.3
  • 8.3.0
  • 8.3.1
  • 8.3.2
  • 8.4.0
  • 8.4.1
  • 8.4.2
  • 8.5.0
  • 8.5.1

Atlassian recommends that you upgrade each of your affected installations to one of the listed fixed versions (or any later version) below.

Product: Confluence Data Center and Confluence Server

Fixed versions:

  • 8.3.3 or later
  • 8.4.3 or later
  • 8.5.2 or later
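As an added example (not Atlassian's code), the following Python classifies an inventory of Confluence versions against the affected and fixed lists above. It assumes every release in the 8.0, 8.1 and 8.2 branches is affected (the FAQ lists each of them and names no fixed release there) and must move to 8.3.3 or later, and that releases newer than 8.5 post-date the fix; the hostnames are constructed.

```python
# Added example (not Atlassian's code): classify Confluence Data Center/Server
# versions against the affected and fixed versions listed in this FAQ for
# CVE-2023-22515. Assumptions: every release in the 8.0, 8.1 and 8.2 branches is
# affected (the FAQ lists each and names no fixed release there) and must move to
# 8.3.3 or later; releases newer than 8.5 post-date the fix and are not affected.
import re
from typing import Dict, Tuple

# Lowest fixed release per affected branch, from the FAQ's fixed-versions list.
FIXED_IN_BRANCH = {(8, 3): (8, 3, 3), (8, 4): (8, 4, 3), (8, 5): (8, 5, 2)}
FALLBACK_FIX = (8, 3, 3)  # where the running branch has no fixed release

def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR[.PATCH]'; a trailing suffix such as '-beta' is ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)

def is_affected(text: str) -> bool:
    """True if the version is vulnerable to CVE-2023-22515 according to the FAQ."""
    major, minor, patch = parse_version(text)
    if (major, minor) < (8, 0):
        return False                      # FAQ: versions prior to 8.0 are not affected
    if (major, minor) in ((8, 0), (8, 1), (8, 2)):
        return True                       # whole branch listed, no fixed release in it
    fixed = FIXED_IN_BRANCH.get((major, minor))
    if fixed is None:
        return False                      # assumption: 8.6 and later ship the fix
    return (major, minor, patch) < fixed

def recommended_upgrade(text: str) -> str:
    """Nearest fixed release for an affected version, or 'none needed'."""
    if not is_affected(text):
        return "none needed"
    major, minor, _ = parse_version(text)
    return "{}.{}.{} or later".format(*FIXED_IN_BRANCH.get((major, minor), FALLBACK_FIX))

def triage(inventory: Dict[str, str]) -> Dict[str, Tuple[bool, str]]:
    """Map each host to (affected?, recommendation) so affected nodes can be prioritised."""
    return {host: (is_affected(v), recommended_upgrade(v)) for host, v in inventory.items()}

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"wiki-a": "7.19.14", "wiki-b": "8.2.3", "wiki-c": "8.5.1", "wiki-d": "8.5.2"}
    for host, (affected, rec) in triage(sample).items():
        print(f"{host}: {'AFFECTED' if affected else 'not affected'} ({rec})")
```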

Are Cloud instances affected?

If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.

Why am I being redirected to setup/finishsetup.action or seeing 403/404 errors after I’ve applied the mitigation steps?

The mitigation actions noted in the Advisory are not a replacement for upgrading your instance; you must upgrade as soon as possible. The mitigation steps block an attacker’s ability to create an administrator account in Confluence; however, they do not stop an attacker from repeatedly attempting to exploit the instance, which may result in a denial-of-service condition. Once the upgrade is complete, you will no longer see the HTTP status errors or redirects to /setup/finishsetup.action.

Does upgrading to a fixed version completely solve the issue?

No. If an instance has already been compromised, upgrading will not remove the compromise.

As well as upgrading, customers can follow "Can we determine if Confluence has already been compromised?", which is available in this FAQ, to check for indicators of compromise. If any evidence is found, you should assume that your instance has been compromised and evaluate the risk of flow-on effects.

I am running an affected version of Confluence. How can I mitigate the threat until I upgrade?

If you are unable to upgrade Confluence, as an interim measure we recommend restricting external network access to the affected instance.

Additionally, you can mitigate known attack vectors for this vulnerability by blocking access to the /setup/* endpoints on Confluence instances. This is possible at the network layer or by making the following changes to Confluence configuration files.

  1. On each node, modify /<confluence-install-dir>/confluence/WEB-INF/web.xml and add the following block (just before the </web-app> tag at the end of the file):

    <!-- Interim CVE-2023-22515 mitigation: deny every request under /setup/.
         The trailing /* makes this a prefix match; an empty auth-constraint permits no role. -->
    <security-constraint>
      <web-resource-collection>
        <url-pattern>/setup/*</url-pattern>
        <http-method-omission></http-method-omission>
      </web-resource-collection>
      <auth-constraint />
    </security-constraint>

  2. Restart Confluence.

The mitigation prevents Confluence administrators from triggering any Confluence setup action; this includes setting up Confluence from scratch and migrating to or from Data Center. If these actions are required, you will need to remove these lines from the web.xml file, and re-add them afterwards if you are not yet running a fixed version of Confluence.
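To confirm the block is actually in place on each node after the restart, the following Python check, added here as an example and not Atlassian's code, parses web.xml and reports whether a deny-all security-constraint covers the /setup/* prefix. It assumes a standard servlet web.xml (namespaces are ignored so the javaee and jakartaee forms both match); the sample fragments are constructed.

```python
# Added example (not Atlassian's code): check whether a Confluence web.xml carries
# the interim mitigation from this FAQ, i.e. a <security-constraint> whose
# <url-pattern> is the prefix /setup/* and whose <auth-constraint> names no role
# (which denies every request under that prefix). Namespaces are ignored so the
# javaee and jakartaee web.xml forms both match. Assumption: a standard servlet web.xml.
import xml.etree.ElementTree as ET
from typing import List

def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]  # drop a {namespace} prefix

def _children(elem, name: str) -> list:
    return [c for c in elem if _local(c.tag) == name]

def setup_patterns(web_xml_text: str) -> List[str]:
    """url-patterns starting with /setup that sit inside a deny-all security-constraint."""
    found = []
    for sc in ET.fromstring(web_xml_text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        auth = _children(sc, "auth-constraint")
        # Servlet spec: an auth-constraint with no role-name denies access to everyone.
        if not auth or _children(auth[0], "role-name"):
            continue
        for wrc in _children(sc, "web-resource-collection"):
            for p in _children(wrc, "url-pattern"):
                pattern = (p.text or "").strip()
                if pattern.startswith("/setup"):
                    found.append(pattern)
    return found

def mitigation_status(web_xml_text: str) -> str:
    """'ok' if /setup/* is denied; 'exact-match-only' if the wildcard is missing,
    since '/setup/' alone matches only that exact URL and not setupadministrator.action."""
    patterns = setup_patterns(web_xml_text)
    if "/setup/*" in patterns:
        return "ok"
    return "exact-match-only" if patterns else "missing"

# Constructed sample fragments, not Confluence's real web.xml.
MITIGATED = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection><url-pattern>/setup/*</url-pattern></web-resource-collection>
    <auth-constraint />
  </security-constraint>
</web-app>"""
UNMITIGATED = '<web-app xmlns="http://java.sun.com/xml/ns/javaee"><display-name>wiki</display-name></web-app>'
WRONG_PATTERN = MITIGATED.replace("/setup/*", "/setup/")
```

Run `mitigation_status(open(path).read())` against each node's web.xml; anything other than `ok` means the /setup/* endpoints are still reachable.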

My instance isn’t exposed to the Internet. Is an upgrade still recommended?

Yes! While ensuring instances are not exposed to the public internet greatly reduces the attack surface, we strongly recommend upgrading when security fixes are available.

My instance is NOT connected to the internet, what should I do? Am I safe?

If the Confluence instance cannot be accessed from the general internet, the risk of an exploit/attack originating from there is negated.

Due to the critical nature of this vulnerability and the variety of ways in which instances can be accessed, please work with local network/security team(s) to determine if mitigation is needed. However, out of an abundance of caution, the guidance on the Confluence Security Advisory page for CVE-2023-22515 still applies.

Can we determine if Confluence has already been compromised?

Per our security advisory CVE-2023-22515, the following are indicators of a potential compromise:

  • unexpected members in the confluence-administrators group
  • unexpected newly created user accounts
  • requests to /setup/*.action in network access logs
  • presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory

Example of the above exception message:

2027-01-01 07:50:38,312 ERROR [http-nio-8090-exec-8 url: /confluence/setup/setupadministrator.action] [atlassian.confluence.user.DefaultUserAccessor] createGroup com.atlassian.crowd.exception.embedded.InvalidGroupException: com.atlassian.crowd.exception.InvalidGroupException: Group already exists
 -- url: /confluence/setup/setupadministrator.action | userName: anonymous | action: setupadministrator | traceId: 43994e68d74b2b4b
com.atlassian.user.impl.EntityValidationException: com.atlassian.crowd.exception.embedded.InvalidGroupException: com.atlassian.crowd.exception.InvalidGroupException: Group already exists
    at com.atlassian.crowd.embedded.atlassianuser.EmbeddedCrowdGroupManager.createGroup(EmbeddedCrowdGroupManager.java:146)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    ...
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:220)
    at com.sun.proxy.$Proxy165.addGroup(Unknown Source)
    at com.atlassian.crowd.embedded.atlassianuser.EmbeddedCrowdGroupManager.createGroup(EmbeddedCrowdGroupManager.java:144)
    ... 490 more
Caused by: com.atlassian.crowd.exception.InvalidGroupException: Group already exists
    at com.atlassian.crowd.manager.application.ApplicationServiceGeneric.addGroup(ApplicationServiceGeneric.java:719)
    at com.atlassian.crowd.embedded.core.CrowdServiceImpl.addGroup(CrowdServiceImpl.java:421)
    ... 507 more

Please work with your local security team or a specialist security forensics firm for further investigation, and contact Atlassian Support for additional assistance.
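As an added example, not part of Atlassian's FAQ, the following Python scans access-log and security-log lines for two of the indicators above (requests to /setup/*.action and exception messages naming /setup/setupadministrator.action) and tallies the client IPs to hand over with the logs. The log lines are constructed samples, and the access-log layout assumed is Tomcat's common log format.

```python
# Added example (not Atlassian's code): scan web-server access logs and
# atlassian-confluence-security.log for two of the indicators named in this FAQ:
# requests to /setup/*.action and exception messages that mention
# /setup/setupadministrator.action. The log lines below are constructed samples;
# the access-log layout assumed is Tomcat's common log format.
import re
from collections import Counter
from typing import Iterable, List, Tuple
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')
SETUP_ACTION_RE = re.compile(r"/setup/[^\s?]*\.action")  # matches under any context path
SETUPADMIN_ACTION = "/setup/setupadministrator.action"

def scan_access_log(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client ip, timestamp, path) for every request to a /setup/*.action URL."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m and SETUP_ACTION_RE.search(m["path"]):
            hits.append((m["ip"], m["ts"], m["path"]))
    return hits

def scan_security_log(lines: Iterable[str]) -> List[str]:
    """Return security-log lines whose exception context names setupadministrator.action."""
    return [line.rstrip() for line in lines if SETUPADMIN_ACTION in line]

def source_ips(hits: List[Tuple[str, str, str]]) -> Counter:
    """Setup requests per client IP: the addresses to include when handing logs to Atlassian Support."""
    return Counter(ip for ip, _, _ in hits)

# Constructed sample logs (documentation IP ranges, invented timestamps).
ACCESS_LOG = [
    '198.51.100.2 - - [14/Sep/2023:07:49:01 +0000] "GET /login.action HTTP/1.1" 200 4210',
    '203.0.113.7 - - [14/Sep/2023:07:50:38 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0',
    '203.0.113.7 - - [14/Sep/2023:07:50:39 +0000] "GET /setup/finishsetup.action HTTP/1.1" 200 0',
    '198.51.100.2 - - [14/Sep/2023:08:01:02 +0000] "GET /dashboard.action HTTP/1.1" 200 5123',
]
SECURITY_LOG = [
    "2023-09-14 07:50:38,312 ERROR [http-nio-8090-exec-8 url: /confluence/setup/setupadministrator.action] "
    "[atlassian.confluence.user.DefaultUserAccessor] createGroup "
    "com.atlassian.crowd.exception.InvalidGroupException: Group already exists",
    " -- url: /confluence/setup/setupadministrator.action | userName: anonymous | action: setupadministrator",
    "2023-09-14 08:01:02,004 INFO [http-nio-8090-exec-2 url: /confluence/dashboard.action] normal request",
]

if __name__ == "__main__":
    hits = scan_access_log(ACCESS_LOG)
    print(f"{len(hits)} setup request(s) from {dict(source_ips(hits))}")
    for line in scan_security_log(SECURITY_LOG):
        print("security.log:", line)
```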

My instance has been compromised, what should I do?

We strongly recommend involving your local security team for further investigation. If it is determined that your Confluence Server/DC instance has been compromised, our advice is to immediately shut down and disconnect the server from the network/Internet. Also, you may want to immediately shut down any other systems which potentially share a user base or have common username/password combinations with the compromised system.

Before doing anything else, you will need to work with your local security team to identify the scope of the breach and your recovery options. If your Confluence instances have been compromised via CVE-2023-22515, threat actors hold full administrative access and can perform any number of unfettered actions, including, but not limited to, exfiltration of content and system credentials and installation of malicious plugins.

If you believe your Confluence instance was compromised, contact Atlassian Support as Atlassian assistance is required to recover and protect your instance. Please include web server access logs (with the IP address of the attacker) in the data that is provided for further investigation.

Are other Atlassian products affected by this vulnerability?

No, they are not affected by CVE-2023-22515. No action is required for other products.
