Critical Atlassian flaw subject to active exploitation
Target Industry
Indiscriminate, opportunistic targeting.
Overview
Atlassian has disclosed a critical privilege-escalation vulnerability in Confluence Server and Confluence Data Center, tracked as CVE-2023-22515. At the time of writing, the flaw is being actively exploited in the wild.
Atlassian has stated that publicly accessible instances of the affected products are at significantly higher risk, as the flaw can be exploited by remote threat actors. Although Atlassian classifies the flaw as privilege escalation, it is exploitable without prior authentication, so in practice it functions as an authentication bypass; and because a Confluence administrator can install arbitrary plugins, administrator access can in turn lead to code execution on the host.
Impact
Successful exploitation of CVE-2023-22515 allows an unauthenticated remote threat actor to create an unauthorised Confluence administrator account, without any approval step, and thereby gain full administrative control of the instance.
Vulnerability Detection
Atlassian has released fixed versions for this vulnerability. Any instance running an affected version that has not yet been upgraded should be treated as vulnerable; compare the version reported by the Confluence administration console against the fixed versions listed under Containment, Mitigations & Remediations.
Affected Products
On-premises instances of the following Atlassian products, version 8.0.0 and later (Atlassian Cloud sites are not affected):
- Confluence Server
- Confluence Data Center.
Containment, Mitigations & Remediations
Users of affected product versions should upgrade to a fixed release as soon as possible. Fixed versions are:
- 8.3.3 or later
- 8.4.3 or later
- 8.5.2 or later.
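As an added example (not part of the original advisory and not an Atlassian tool), the following Python snippet encodes the Affected Products and fixed-version ranges above so that a fleet of on-premises Confluence instances can be triaged from a version inventory. It assumes version strings of the form major.minor.patch as shown in the Confluence administration console; the function names and the sample inventory are hypothetical, and "8.5.2 or later" is read as also covering later release lines.

```python
"""Triage Confluence Server / Data Center versions against the CVE-2023-22515
ranges given in this advisory (added example, not Atlassian code)."""
from __future__ import annotations

import re

# Ranges taken from the advisory: 8.0.0 and later is affected unless the
# instance runs one of the fixed releases (8.3.3+, 8.4.3+, 8.5.2+). "8.5.2 or
# later" is read here as also covering any later release line (assumption).
FIRST_AFFECTED = (8, 0, 0)
FIRST_FIXED_IN_LINE = {3: (8, 3, 3), 4: (8, 4, 3), 5: (8, 5, 2)}
HIGHEST_FIXED_LINE = max(FIRST_FIXED_IN_LINE)  # the 8.5 line


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'major.minor.patch'; a trailing suffix such as '-jira' is ignored."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)(?:[-.][0-9A-Za-z.-]+)?\s*", text)
    if not m:
        raise ValueError(f"unrecognised Confluence version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False  # pre-8.0.0 releases are outside the affected range
    major, minor, _ = v
    if major > 8 or minor > HIGHEST_FIXED_LINE:
        return False  # later release lines already contain the fix
    if minor in FIRST_FIXED_IN_LINE:
        return v < FIRST_FIXED_IN_LINE[minor]  # 8.3.x/8.4.x/8.5.x: fixed from the listed patch
    return True  # 8.0.x to 8.2.x: no fixed release in the line, must move up


def recommended_upgrade(version: str) -> str | None:
    """Smallest fixed release at or above the running version; None if already fixed."""
    if not is_affected(version):
        return None
    v = parse_version(version)
    candidate = min(f for f in FIRST_FIXED_IN_LINE.values() if f >= v)
    return ".".join(map(str, candidate))


def triage(inventory: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (host, version, action) for every host needing attention, sorted by host."""
    findings = []
    for host, version in inventory.items():
        try:
            target = recommended_upgrade(version)
        except ValueError as exc:
            findings.append((host, version, f"manual review: {exc}"))
            continue
        if target is not None:
            findings.append((host, version, f"upgrade to {target} or later"))
    return sorted(findings)


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "wiki-prod": "8.5.1",
    "wiki-staging": "8.4.3",
    "wiki-legacy": "7.19.14",
    "wiki-eu": "8.2.0",
    "wiki-dc-node1": "8.6.0",
}

if __name__ == "__main__":
    for host, version, action in triage(SAMPLE_INVENTORY):
        print(f"{host:14} {version:9} {action}")
```

Instances on 8.0.x, 8.1.x or 8.2.x have no fixed release within their own line, so the script points them at 8.3.3; anything below 8.0.0 is reported as unaffected, which follows the advisory's version range rather than implying those older releases are otherwise safe.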
Where an immediate upgrade is not possible, Atlassian recommends restricting external network access to affected instances and blocking access to the /setup/* endpoints (for example at a reverse proxy in front of Confluence). Blocking the endpoints reduces exposure but is not a substitute for upgrading.
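To check whether that block is effective, and whether anything reached those endpoints before it was applied, the following Python script (an added example, not part of the original advisory or an Atlassian tool) scans reverse-proxy access logs in combined log format for requests whose normalised path falls under /setup/. It undoes percent-encoding, collapses doubled slashes and resolves dot segments before matching, because a proxy rule that matches the literal prefix can be sidestepped by such variants. The log lines are constructed for the example, and the /setup/ paths in them are placeholders that only share the prefix the advisory names.

```python
"""Find requests to Confluence /setup/* endpoints in reverse-proxy access logs
(added example; the log lines below are constructed, not real traffic)."""
from __future__ import annotations

import posixpath
import re
from urllib.parse import unquote, urlsplit

# Combined log format, as written by nginx or Apache in front of Confluence.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
BLOCKED_PREFIX = "/setup/"  # endpoints the advisory recommends blocking


def normalise_path(target: str) -> str:
    """Canonicalise a request target so encoded or doubled slashes cannot hide a hit."""
    if re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://", target):
        target = urlsplit(target).path or "/"   # absolute-form target: keep only the path
    path = target.split("#", 1)[0].split("?", 1)[0]  # strip fragment and query string
    path = unquote(unquote(path))               # undo single or double percent-encoding
    path = re.sub(r"^/+", "/", path)            # '//setup/' -> '/setup/' (normpath keeps a leading '//')
    path = posixpath.normpath(path)             # collapse '/./' and '//', resolve '..'
    return path if path.startswith("/") else "/" + path


def is_setup_request(target: str) -> bool:
    path = normalise_path(target)
    return path == BLOCKED_PREFIX.rstrip("/") or path.startswith(BLOCKED_PREFIX)


def find_setup_requests(lines: list[str]) -> list[tuple[str, str, str, int]]:
    """Return (client_ip, method, normalised_path, status) for each /setup/* request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue                            # skip lines not in combined log format
        if is_setup_request(m["target"]):
            hits.append((m["ip"], m["method"], normalise_path(m["target"]), int(m["status"])))
    return hits


def unblocked_hits(hits: list[tuple[str, str, str, int]]) -> list[tuple[str, str, str, int]]:
    """Requests on /setup/* that were not rejected with 403: with the block in place,
    any of these means the rule is not matching (adjust the status if your proxy differs)."""
    return [h for h in hits if h[3] != 403]


# Constructed sample log lines (RFC 5737 documentation addresses, made-up paths).
SAMPLE_LOG = [
    '203.0.113.10 - - [04/Oct/2023:09:12:01 +0000] "GET /login.action HTTP/1.1" 200 5120',
    '203.0.113.10 - - [04/Oct/2023:09:12:07 +0000] "GET /setup/example.action HTTP/1.1" 200 1830',
    '203.0.113.10 - - [04/Oct/2023:09:12:09 +0000] "POST //setup/example.action?x=1 HTTP/1.1" 200 412',
    '198.51.100.7 - - [04/Oct/2023:10:03:44 +0000] "GET /pages/viewpage.action?pageId=1 HTTP/1.1" 200 9000',
    '198.51.100.7 - - [04/Oct/2023:10:04:02 +0000] "GET /%73etup/other.action HTTP/1.1" 403 153',
    'not a log line',
]

if __name__ == "__main__":
    for ip, method, path, status in find_setup_requests(SAMPLE_LOG):
        flag = "" if status == 403 else "  <-- reached the application"
        print(f"{ip:15} {method:5} {status} {path}{flag}")
```

Run it against the proxy logs covering the window before the block was applied; any 200 on a /setup/* path from an external address is worth investigating alongside a review of the instance's administrator accounts.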
Indicators of Compromise
No specific Indicators of Compromise (IoCs) were available at the time of writing.
Threat Landscape
Atlassian holds a significant share of the team-collaboration market. Because threat actors weigh the likelihood of successful exploitation against asset value when choosing targets, widely deployed Confluence instances are an attractive target, and the sensitive internal documentation they hold makes them worth compromising. Exploitation of vulnerabilities in Atlassian products is therefore expected to continue.
Threat Group
No attribution to specific threat actors or groups has been identified at the time of writing.
MITRE Methodologies
Tactic
TA0004 – Privilege Escalation
Further Information