
WARNING – IMPROPER AUTHORIZATION VULNERABILITY IN CONFLUENCE DATA CENTER AND CONFLUENCE SERVER

Reference: 
Advisory #2023-131
Version: 
1.0
Affected software: 
Confluence Data Center and Server prior to 7.19.16
Confluence Data Center and Server prior to 8.3.4
Confluence Data Center and Server prior to 8.4.4
Confluence Data Center and Server prior to 8.5.3
Confluence Data Center and Server prior to 8.6.1
Type: 
Improper Authorization
CVE/CVSS: 

CVE-2023-22518
CVSS: 9.1 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Risks

CVE-2023-22518 has been categorized as an improper authorization vulnerability, but no other details have been shared by the vendor Atlassian. It can lead to significant data loss if exploited by an unauthenticated attacker.

Description

On the 31st of October, Atlassian published a security advisory describing a zero-day vulnerability in Confluence Data Center and Confluence Server. CVE-2023-22518 was assigned to this vulnerability.

Atlassian discovered the vulnerability as part of its continuous security assessment process. At the time of publication, it had not received any reports of active exploitation.

The severity of this vulnerability is critical for several reasons:

  • An attacker can exploit this vulnerability without having to be authenticated.
  • Exploitation requires no user interaction, and its attack complexity is rated as low.
  • A possible exploit can lead to significant data loss.

Recommended actions

Upgrade to one of the following fixed versions:

  • 7.19.16 or later
  • 8.3.4 or later
  • 8.4.4 or later
  • 8.5.3 or later
  • 8.6.1 or later
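To turn the affected and fixed version lists above into a repeatable inventory check, the following script (an added example, not code from Atlassian or the CCB) classifies a Confluence version string as vulnerable or fixed using only the fixed releases named in this advisory. The first fixed release per maintenance branch is taken from the advisory; treating branches newer than 8.6 as fixed is an assumption of this script, as is the handling of suffixes such as "-rc1".

```python
"""Check whether a Confluence Data Center/Server version falls inside the
vulnerable ranges for CVE-2023-22518 as listed in this advisory.

Added example, not Atlassian's or CCB's code. The fixed versions come from
the advisory; the treatment of branches newer than 8.6 (assumed fixed) is
an assumption of this script, not a statement from the advisory.
"""
import re

# First fixed release per maintenance branch, taken from the advisory.
FIXED_BY_BRANCH = {
    (7, 19): (7, 19, 16),
    (8, 3): (8, 3, 4),
    (8, 4): (8, 4, 4),
    (8, 5): (8, 5, 3),
    (8, 6): (8, 6, 1),
}
NEWEST_FIXED = max(FIXED_BY_BRANCH.values())  # (8, 6, 1)


def parse_version(text):
    """Turn '8.5.2' (optionally with a suffix such as '-rc1') into (8, 5, 2).

    Assumption: a missing patch component is read as 0.
    """
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(text):
    """Return True if the version is in a range the advisory marks affected.

    A version is fixed when it is at or above the fixed release of its own
    branch, or (assumption) when its branch is newer than the newest listed
    fixed branch. Every other version, including 7.20.x, 8.0.x-8.2.x and
    anything older than 7.19.16, is treated as vulnerable.
    """
    version = parse_version(text)
    branch = version[:2]
    if branch in FIXED_BY_BRANCH:
        return version < FIXED_BY_BRANCH[branch]
    return version < NEWEST_FIXED


def triage(versions):
    """Map each version string to 'vulnerable' or 'fixed' for a fleet report."""
    return {v: ("vulnerable" if is_vulnerable(v) else "fixed") for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = ["7.19.15", "7.19.16", "7.20.3", "8.2.0",
              "8.5.2", "8.5.3", "8.6.0", "8.7.0"]
    for ver, state in triage(sample).items():
        print(f"{ver:>8}: {state}")
```

Note that a version such as 7.20.3 or 8.2.0 is reported as vulnerable even though no fixed release exists in its branch: the advisory lists no fix for those branches, so the only remediation is to move to one of the fixed branches.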


Mitigation/workaround

If unable to patch, it is recommended to:

  1. Back up the site, with vendor instructions here: https://confluence.atlassian.com/doc/back-up-a-site-152405.html
  2. Remove the instance from the internet until it can be patched.


Monitor/Detect

Note that an instance compromised before the upgrade remains compromised after upgrading to a fixed version, because the attacker may have created administrator accounts while the instance was vulnerable.

The CCB recommends that organizations increase their monitoring and detection capabilities and watch for any related suspicious activity, to ensure a fast response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate a historic compromise.

When applying patches to systems that have been vulnerable to an authentication bypass, a proactive threat assessment should be performed to verify that the system was not accessed from an unknown IP address or location.
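The post-patch assessment described in this section amounts to two concrete checks: administrator accounts that nobody approved or that appeared during the exposure window, and administrative access from addresses outside the networks where it is expected. The script below (an added example, not Atlassian's or CCB's code) runs both checks over constructed sample data. The user-export fields, the allow-list of approved administrators, the review window, the trusted networks and the access-log line format are all assumptions for the example and must be replaced with the values from the real instance.

```python
"""Post-patch triage for a Confluence instance that was exposed while
vulnerable to CVE-2023-22518.

Added example, not Atlassian's or CCB's code. It applies the advisory's two
checks (unexpected administrator accounts; access from unknown IP addresses
or locations) to constructed sample data. The user-export fields and the
access-log format are assumptions; adapt them to the real exports.
"""
from datetime import datetime, timezone
import ipaddress
import re

# Constructed user export: username, creation time (UTC) and group membership.
USERS = [
    {"name": "alice",  "created": "2022-03-01T09:12:00Z",
     "groups": ["confluence-administrators", "confluence-users"]},
    {"name": "bob",    "created": "2023-06-14T11:00:00Z",
     "groups": ["confluence-users"]},
    {"name": "svc_bk", "created": "2023-11-02T03:41:00Z",
     "groups": ["confluence-administrators"]},
]
# Administrators the organisation knows about (assumed allow-list).
APPROVED_ADMINS = {"alice"}
# Start of the exposure window to review (assumption: the last known-good
# point); accounts created after it deserve a closer look.
WINDOW_START = datetime(2023, 10, 31, tzinfo=timezone.utc)
# Networks from which administration is expected (assumed).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.0.2.0/24")]

# Constructed access-log lines in a generic 'client - user [time] "request" status' shape.
ACCESS_LOG = """\
10.1.4.7 - alice [01/Nov/2023:08:15:02 +0000] "GET /dashboard.action HTTP/1.1" 200
198.51.100.23 - - [02/Nov/2023:03:40:51 +0000] "POST /login.action HTTP/1.1" 302
198.51.100.23 - svc_bk [02/Nov/2023:03:42:10 +0000] "GET /admin/console.action HTTP/1.1" 200
192.0.2.10 - bob [02/Nov/2023:09:00:00 +0000] "GET /pages/viewpage.action HTTP/1.1" 200
"""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def parse_time(text):
    """Parse an ISO-8601 UTC timestamp such as 2023-11-02T03:41:00Z."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def unexpected_admins(users, approved, window_start):
    """Admin accounts not on the allow-list, plus any account created in the window."""
    findings = []
    for u in users:
        is_admin = "confluence-administrators" in u["groups"]
        if is_admin and u["name"] not in approved:
            findings.append((u["name"], "administrator not on approved list"))
        if parse_time(u["created"]) >= window_start:
            findings.append((u["name"], f"account created {u['created']} inside review window"))
    return findings


def untrusted_access(log_text, trusted):
    """Requests whose source address is outside every trusted network."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ip = ipaddress.ip_address(m["ip"])
        if not any(ip in net for net in trusted):
            findings.append((m["ip"], m["user"], m["req"]))
    return findings


def triage_report(users=USERS, approved=APPROVED_ADMINS, window_start=WINDOW_START,
                  log_text=ACCESS_LOG, trusted=TRUSTED_NETWORKS):
    """Combine both checks into one report for the incident handler."""
    return {"accounts": unexpected_admins(users, approved, window_start),
            "access": untrusted_access(log_text, trusted)}


if __name__ == "__main__":
    report = triage_report()
    for name, why in report["accounts"]:
        print(f"ACCOUNT  {name}: {why}")
    for ip, user, req in report["access"]:
        print(f"ACCESS   {ip} ({user}) {req}")
```

On the sample data the report flags the account svc_bk twice (not approved, and created inside the window) and the two requests from 198.51.100.23, one of which reaches the administration console under that same account; a hit in both lists for the same account is exactly the pattern the advisory warns remains after patching, and the account should be treated as attacker-controlled until proven otherwise.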
