Safeguard Your Confluence for an Urgent Upgrade!

Alert: Safeguard Your Confluence for an Urgent Upgrade!

Advisory Release Date: Wednesday, Oct 4th, 2023, 06:00 PDT

Attention, Confluence Users!

We’ve got some news that’s making waves in the tech world. Atlassian has recently uncovered a significant security concern – CVE-2023-22515 – and it’s time for you to sit up and take notice.

The Scoop: What’s Happening?

Picture this: a small number of Confluence Data Center and Server customers have reported a rather alarming issue. It appears that crafty external attackers may have found a way to exploit a previously unknown vulnerability in publicly accessible Confluence instances. The result? Unauthorized Confluence administrator accounts have been created, and these invaders have gained access to Confluence installations.

Update: Bigger Fish at Play

But here’s the kicker: We’ve got evidence suggesting that a well-known nation-state actor is actively exploiting this vulnerability – CVE-2023-22515. Atlassian is working tirelessly alongside their partners and customers to get to the bottom of this. If you’re using Atlassian Cloud sites, relax; they’re not affected. If your Confluence site’s URL includes “atlassian.net,” you’re safe because it’s hosted by Atlassian itself.

The Threat Level: It’s Critical

This is not a drill! We’re sounding the alarms because this is as serious as it gets. This vulnerability was rated as Critical with a CVSS score of 10, and that’s the highest rating possible. While the assessment is crucial, you should evaluate how this might affect your IT environment personally.

Who’s in the Crosshairs: Affected Versions

The affected versions are in the range of Confluence Data Center and Server 8.0.0 to 8.5.1. Versions before 8.0.0 can breathe a sigh of relief; they’re not at risk.

A Light at the End of the Tunnel: Fixed Versions

We’re not leaving you high and dry. To tackle this issue head-on, we recommend upgrading to one of the following fixed versions, or any later version:

• Confluence Data Center and Confluence Server 8.3.3 or later
• Confluence Data Center and Confluence Server 8.4.3 or later
• Confluence Data Center and Confluence Server 8.5.2 (Long Term Support release) or later

You can find more information on these versions in the release notes, or simply download the latest version from the download center.

Your Action Plan: What to Do

1. Upgrade, Upgrade, Upgrade: The first step is to upgrade your Confluence instance. If your Confluence instance is accessible via the public internet, with user authentication, restrict external network access until you can perform the upgrade.If you can’t restrict external network access right away, there’s a workaround to temporarily mitigate known attack vectors. You can do this by blocking access to the /setup/* endpoints on Confluence instances, either at the network level or by tweaking Confluence configuration files. It’s a temporary fix; upgrading is your ultimate goal.
2. Detect the Threat: The big question is whether your instances have already been compromised. We can’t confirm that, so it’s time to call in your security team. Check all your affected Confluence instances for signs of compromise:
   • Unexpected additions to the confluence-administrators group
   • Unexplained new user accounts
   • Any suspicious requests to /setup/*.action in network access logs
   • The appearance of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in your Confluence home directory.

If you uncover any of these indicators, assume your instance has been compromised. Attackers with admin access can do a lot of damage, including data theft and malicious plugin installation.

In a nutshell, this is your call to action. We urge you to act promptly and safeguard your Confluence Data Center and Server instances from CVE-2023-22515. Follow our recommendations and protect your systems immediately. Your Confluence’s security is in your hands!