CVE-2023-22515: Zero-Day Vulnerability in Atlassian Confluence Data Center and Server Exploited in the Wild

A critical zero-day vulnerability in Atlassian Confluence Data Center and Server has been exploited in the wild in a limited number of cases. Organizations should patch or apply the mitigation steps as soon as possible.

Background

On October 4, Atlassian released a security advisory for CVE-2023-22515, a critical severity zero-day privilege escalation vulnerability in Confluence Data Center and Server that Atlassian says is “a previously unknown vulnerability” that has been exploited against a limited set of customers.

Analysis

CVE-2023-22515 is a critical privilege escalation vulnerability affecting on-premise Atlassian Confluence Data Center and Server products. Successful exploitation could allow for the creation of administrator accounts that can be used to access Confluence instances. At the time this blog was published, no CVSSv3 score was included in the advisory, but according to Atlassian’s severity level ratings, this score would be in the range of 9.0 to 10.0.

While limited information is available in the security advisory and dedicated FAQ page from Atlassian, the mitigation steps do reveal the endpoint that is impacted. According to the mitigation steps, blocking network access to the /setup/* endpoints will mitigate the threat of exploitation of this vulnerability. Additionally, the advisory notes that the customers who reported being attacked by this vulnerability had their Confluence servers publicly accessible.

Atlassian confirmed that cloud instances (Confluence sites accessed with a atlassian.net domain) are not affected by this vulnerability.

Confluence remains a target for threat actors

Atlassian Confluence is a popular target for a variety of cybercriminals. In June of 2022, Atlassian published an advisory for CVE-2022-26134, another critical zero-day vulnerability affecting Confluence Server and Data Center. The remote code execution vulnerability was exploited by multiple threat actors who appear to have been operating out of China. When that advisory was published on June 2, 2022, no patches were available, only mitigation steps. However a day later, patches were available along with a number of proof-of-concept scripts.

On October 10, Microsoft's Threat Intelligence team posted a message on X (formerly Twitter) noting that they had observed the nation-sate threat actor Storm-0062 (DarkShadow or Oro0lxy) exploiting CVE-2023-22515 since September 14.

Microsoft has observed nation-state threat actor Storm-0062 exploiting CVE-2023-22515 in the wild since September 14, 2023. CVE-2023-22515 was disclosed on October 4, 2023. Storm-0062 is tracked by others as DarkShadow or Oro0lxy.

— Microsoft Threat Intelligence (@MsftSecIntel) October 10, 2023

According to Microsoft's threat actor naming convention, Storm followed by a unique four digit number suggests that this group "is a newly discovered, unknown, emerging, or developing cluster of threat activity." According to an indictment filed in the U.S. District court for the Eastern District of Washington on July 7, 2020, "Oro0lxy" is the digital alias for the Chinese national Li Xiaoyu. The indictment alleges that Li and Dong Jiazhi were involved in a decade-long hacking campaign that included the targeting of companies performing COVID-19 vaccine research.

Proof of concept

As the time this blog was published on October 4, no public proof-of-concept (PoC) code was found for CVE-2023-22515. However on October 10, a PoC was published on GitHub. With the release of PoC code, we do anticipate that more threat actors will being to leverage this vulnerability.

Solution

Atlassian has released patches for CVE-2023-22515 and provides a list of affected versions in its advisory:

In addition, Atlassian provides mitigation steps that can be applied if your organization cannot immediately patch this issue. We strongly recommend that you apply the provided patch as soon as possible to reduce your risk to this vulnerability.

As part of its FAQ document, Atlassian outlines some indicators of potential compromise which can aid organizations in determining if they may have been impacted by this vulnerability. These indicators of compromise (IoCs) are:

• unexpected members of the confluence-administrator group
• unexpected newly created user accounts
• requests to /setup/*.action in network access logs
• presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory

On October 16, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint Cybersecurity Advisory (CSA) AA23-289A warning that threat actors are abusing CVE-2023-22515 to gain initial access to networks. The CSA provides some IoCs and recommendations on steps to take if a compromise of your Confluence Server has occurred. We recommend reviewing the CSA for additional information and incident response recommendations.

Identifying affected systems

A list of Tenable plugins to identify this vulnerability can be located on the plugins tab on the individual CVE page for CVE-2023-22515 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

Additionally, Plugin ID 182969, a direct check plugin has been released to directly test and identify vulnerable systems.

Get more information

• Atlassian Security Advisory : CVE-2023-22515 - Privilege Escalation Vulnerability in Confluence Data Center and Server
• Atlassian KB: FAQ for CVE-2023-22515
• Cybersecurity Advisory: Threat Actors Exploit Atlassian Confluence CVE-2023-22515 for Initial Access to Networks

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.