Original Release Date: 11/2/2023
Atlassian discovered a critical improper authorization vulnerability, tracked as CVE-2023-22518, impacting all Confluence Data Center and Server instances, which may lead to significant data loss if successfully exploited. There are no reports of active exploitation at the time of this writing; however, this advisory comes just weeks after Chinese state-backed hackers successfully targeted a handful of Atlassian customers by exploiting a separate Confluence vulnerability, CVE-2023-22515. In that instance, the threat actor was able to create unauthorized Confluence administrator accounts and access Confluence instances.
UPDATE: Exploitation of CVE-2023-22518 has been observed in the wild, including in Cerber ransomware cyberattacks. According to the advisory, Atlassian Cloud users are not affected by this vulnerability. Additionally, Confluence site users who access their site via an atlassian[.]net domain are considered not vulnerable. Further details, analysis, and indicators of compromise can be found in the Rapid7 blog post.
The NJCCIC urges organizations to patch instances immediately after appropriate testing. If patching is not feasible at this time, Atlassian provides additional mitigation measures, including backing up unpatched instances and blocking internet access. Furthermore, instances accessible to the public internet, including those with user authentication, should be restricted from external network access until properly updated.