Executive Summary
CVE-2023-22518 is a critical improper authorization vulnerability affecting all versions of Atlassian Confluence Data Center and Server. This vulnerability allows an unauthenticated attacker to reset Confluence and create a Confluence instance administrator account. Using this account, an attacker can perform all administrative actions available to a Confluence instance administrator, leading to a full loss of confidentiality, integrity, and availability. This vulnerability has been actively exploited in the wild, making it imperative for organizations to take immediate action to mitigate the risk.
Technical Information
CVE-2023-22518 is an improper authorization vulnerability identified in Atlassian Confluence Data Center and Server. The vulnerability has been assigned a CVSS v3.1 Base Score of 9.8, categorizing it as critical. The vulnerability is identified by CWE-863 (Incorrect Authorization) and can be exploited remotely without any authentication, making it highly dangerous.
The vulnerability affects the following versions of Confluence Data Center and Server:
- Confluence Data Center: Versions from 1.0.0 up to (excluding) 7.19.16, 7.20.0 up to (excluding) 8.3.4, 8.4.0 up to (excluding) 8.4.4, 8.5.0 up to (excluding) 8.5.3
- Confluence Server: Versions from 1.0.0 up to (excluding) 7.19.16, 7.20.0 up to (excluding) 8.3.4, 8.4.0 up to (excluding) 8.4.4, 8.5.0 up to (excluding) 8.5.3
The vulnerability allows an attacker to reset the Confluence instance and create an administrator account. This unauthorized access enables the attacker to perform all administrative actions, leading to a complete compromise of the system's confidentiality, integrity, and availability. The attack vector is described as CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating that the attack can be executed over the network with low complexity and no privileges required.
Exploitation in the Wild
This vulnerability has been actively exploited in the wild. Attackers have been observed leveraging this vulnerability to gain unauthorized administrative access to Confluence instances, leading to significant data breaches and disruptions. Specific instances of exploitation include unauthorized creation of Confluence administrator accounts, execution of administrative actions without proper authorization, and unexpected resets of Confluence instances.
For detailed exploitation examples, refer to the following sources:
- Packet Storm Security: http://packetstormsecurity.com/files/176264/Atlassian-Confluence-Improper-Authorization-Code-Execution.html
- Bleeping Computer: https://www.bleepingcomputer.com/news/security/atlassian-warns-of-exploit-for-confluence-data-wiping-bug-get-patching/
- Rapid7: https://www.rapid7.com/blog/post/2023/11/06/etr-rapid7-observed-exploitation-of-atlassian-confluence-cve-2023-22518/
- Security Week: https://www.securityweek.com/exploitation-of-critical-confluence-vulnerability-begins/
APT Groups using this vulnerability
While specific APT groups exploiting this vulnerability have not been publicly identified, the critical nature of the vulnerability makes it a likely target for advanced persistent threats seeking to compromise enterprise environments. Given the widespread use of Confluence in various sectors, including technology, finance, healthcare, and government, it is crucial for organizations to remain vigilant and proactive in their cybersecurity measures.
Affected Product Versions
The following versions of Confluence Data Center and Server are affected by CVE-2023-22518:
- Confluence Data Center: Versions from 1.0.0 up to (excluding) 7.19.16, 7.20.0 up to (excluding) 8.3.4, 8.4.0 up to (excluding) 8.4.4, 8.5.0 up to (excluding) 8.5.3
- Confluence Server: Versions from 1.0.0 up to (excluding) 7.19.16, 7.20.0 up to (excluding) 8.3.4, 8.4.0 up to (excluding) 8.4.4, 8.5.0 up to (excluding) 8.5.3
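The affected ranges above translate directly into a triage check. The following is an added example, not code from Rescana or Atlassian: it parses a Confluence version string, tests it against the four ranges listed in this advisory (upper bound excluded), and reports which inventory entries still need the fixed release. The inventory is constructed sample data; a suffix such as "-LTS" on a version string is assumed to be ignorable for comparison.

```python
import re
from typing import List, Optional, Tuple

# Affected ranges as stated in the advisory: (first affected, first fixed), fixed excluded.
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("1.0.0", "7.19.16"),
    ("7.20.0", "8.3.4"),
    ("8.4.0", "8.4.4"),
    ("8.5.0", "8.5.3"),
]


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '8.5.2' (or '8.5.2-LTS', assumed suffix style) into (8, 5, 2); '8.5' becomes (8, 5, 0)."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"unparseable Confluence version: {version!r}")
    nums = [int(p) for p in match.group(1).split(".")][:3]
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


def fixed_version_for(version: str) -> Optional[str]:
    """Return the fixed release for the range containing this version, or None if not affected."""
    v = parse_version(version)
    for start, fixed in AFFECTED_RANGES:
        # Lower bound inclusive, fixed release excluded, exactly as the advisory lists them.
        if parse_version(start) <= v < parse_version(fixed):
            return fixed
    return None


def is_affected(version: str) -> bool:
    return fixed_version_for(version) is not None


def affected_hosts(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Filter (host, version) pairs down to (host, version, fixed_release) for affected hosts."""
    return [(h, v, fixed_version_for(v)) for h, v in inventory if is_affected(v)]


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    ("wiki-prod.example.test", "8.5.2"),
    ("wiki-dev.example.test", "8.5.3"),
    ("wiki-legacy.example.test", "7.19.15-LTS"),
    ("wiki-qa.example.test", "8.3.4"),
]

if __name__ == "__main__":
    for host, version, fixed in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {version} is affected, upgrade to {fixed}")
```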
Workaround and Mitigation
Atlassian has released patches to address this vulnerability. It is crucial for organizations using Confluence Data Center and Server to apply these patches immediately to mitigate the risk of exploitation. The patches can be found in the following vendor advisories:
- Atlassian Advisory: https://confluence.atlassian.com/pages/viewpage.action?pageId=1311473907
- JIRA Issue Tracking: https://jira.atlassian.com/browse/CONFSERVER-93142
In addition to applying patches, organizations should monitor for the following Indicators of Compromise (IOCs) to detect potential exploitation of CVE-2023-22518:
- Unusual creation of Confluence administrator accounts
- Unauthorized administrative actions within Confluence
- Unexpected resets of Confluence instances
References
For further details and updates, refer to the following resources:
- NVD Entry for CVE-2023-22518: https://nvd.nist.gov/vuln/detail/CVE-2023-22518
- Atlassian Advisory: https://confluence.atlassian.com/pages/viewpage.action?pageId=1311473907
- Packet Storm Security: http://packetstormsecurity.com/files/176264/Atlassian-Confluence-Improper-Authorization-Code-Execution.html
Rescana is here for you
Rescana's Continuous Threat and Exposure Management (CTEM) platform is designed to help organizations stay ahead of emerging threats like CVE-2023-22518. Our platform provides real-time monitoring, threat intelligence, and automated response capabilities to ensure your systems remain secure. If you have any questions about this report or need assistance with any other cybersecurity issues, please contact us at ops@rescana.com.