Nation-state Hackers Exploiting Confluence Zero-day Vulnerability


Microsoft has observed the nation-state threat actor Storm-0062, also tracked as DarkShadow or Oro0lxy, exploiting CVE-2023-22515 in the wild since September 14, 2023.

CVE-2023-22515 is a Confluence zero-day vulnerability; it was publicly disclosed on October 4, 2023, roughly three weeks after the first observed exploitation.

Atlassian is investigating reports from a small number of customers that a previously undisclosed vulnerability in publicly accessible Confluence Data Center and Server instances was exploited to gain unauthorized access and create administrator accounts.

Here’s what Atlassian stated:-

“Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.”



Netlas also reports that the vulnerability is being actively exploited in the wild.

Flaw profile

  • CVE ID: CVE-2023-22515
  • Description: Broken Access Control Vulnerability in Confluence Data Center and Server
  • Advisory Release Date: Wed, Oct 4th, 2023 06:00 PDT
  • Related Jira Ticket(s): CONFSERVER-92475
  • Severity: Critical
  • CVSS Score: 10.00

IPs Detected

These four IP addresses were detected transmitting exploit traffic linked to CVE-2023-22515:-

  • 192.69.90[.]31
  • 104.128.89[.]92
  • 23.105.208[.]154
  • 199.193.127[.]231

Atlassian rates this vulnerability as Critical with a CVSS score of 10 under its own severity scale, and recommends that customers assess how it applies to their specific IT environment.

Versions Affected & Fixed

The following Confluence Data Center and Confluence Server versions are affected:-

  • 8.0.0
  • 8.0.1
  • 8.0.2
  • 8.0.3
  • 8.0.4
  • 8.1.0
  • 8.1.1
  • 8.1.3
  • 8.1.4
  • 8.2.0
  • 8.2.1
  • 8.2.2
  • 8.2.3
  • 8.3.0
  • 8.3.1
  • 8.3.2
  • 8.4.0
  • 8.4.1
  • 8.4.2
  • 8.5.0
  • 8.5.1

The following Confluence Data Center and Confluence Server versions contain the fix:-

  • 8.3.3 or later
  • 8.4.3 or later
  • 8.5.2 (Long-Term Support release) or later
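The two version lists above are easy to misread when an instance sits on a branch (8.0 to 8.2) that never received a fixed release. The following is an added example, not Atlassian's tooling or code from the article: it encodes the affected list and the per-branch fix thresholds exactly as stated above and classifies an arbitrary version string. The handling of versions newer than 8.5.2 (treated as covered by "8.5.2 or later") and of versions older than 8.0 (reported as not named, not as safe) is this example's interpretation.

```python
"""Classify a Confluence Data Center / Server version against the
CVE-2023-22515 affected/fixed lists quoted in the article above.
Added example; not Atlassian's own code."""

# Affected versions exactly as listed in the advisory text above.
AFFECTED = {
    "8.0.0", "8.0.1", "8.0.2", "8.0.3", "8.0.4",
    "8.1.0", "8.1.1", "8.1.3", "8.1.4",
    "8.2.0", "8.2.1", "8.2.2", "8.2.3",
    "8.3.0", "8.3.1", "8.3.2",
    "8.4.0", "8.4.1", "8.4.2",
    "8.5.0", "8.5.1",
}

# First fixed release per feature branch; "or later" applies within the branch.
FIXED_FROM = {
    (8, 3): (8, 3, 3),
    (8, 4): (8, 4, 3),
    (8, 5): (8, 5, 2),  # Long-Term Support release
}


def parse_version(text):
    """Turn '8.5.1' into (8, 5, 1); reject anything that is not three dotted integers."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Confluence version string: {text!r}")
    return tuple(int(p) for p in parts)


def classify(text):
    """Return 'affected', 'fixed' or 'not listed' for a version string.

    'not listed' means the version predates the 8.0 line and is not named
    in the advisory's affected list; treat it as unverified, not as safe.
    """
    if text.strip() in AFFECTED:
        return "affected"
    v = parse_version(text)
    branch = v[:2]
    if branch in FIXED_FROM:
        return "fixed" if v >= FIXED_FROM[branch] else "affected"
    if v >= (8, 6, 0):
        # Interpretation: anything newer than the 8.5.2 LTS fix falls under
        # "8.5.2 or later".
        return "fixed"
    if branch[0] == 8:
        # 8.0, 8.1 and 8.2 received no fixed release; upgrading is the only fix.
        return "affected"
    return "not listed"


def remediation(text):
    """One-line guidance in the terms the advisory uses."""
    state = classify(text)
    if state == "fixed":
        return f"{text}: fixed release, no action required for CVE-2023-22515"
    if state == "affected":
        return (f"{text}: affected; upgrade to 8.3.3, 8.4.3 or 8.5.2 (LTS) or later, "
                "and restrict /setup/* access until then")
    return f"{text}: not named in the advisory's affected list; verify against Atlassian's advisory"


if __name__ == "__main__":
    for ver in ("8.5.1", "8.5.2", "8.2.3", "8.3.3", "7.19.14"):
        print(remediation(ver))
```

Feed it the version shown in the Confluence footer or in `confluence/META-INF` of your deployment; the point of the branch table is that an 8.2.x instance has no in-branch patch and must move to a newer branch.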

The PT Swarm team stated that it has been able to reproduce the issue.

Recommendation

For Confluence Data Center and Server instances that are publicly accessible, temporarily restrict external access until the upgrade can be applied.

If that is not possible, apply interim mitigations by blocking access to the /setup/* endpoints at the network level or by adjusting the Confluence configuration files.

Then restart Confluence. This step restricts access to the setup pages, which are not needed once the instance has been installed.
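Blocking /setup/* at the network edge is the mitigation; checking whether anything reached those pages before the block went in is the follow-up a responder wants. The script below is an added example, not code from the article or from Atlassian: it parses reverse-proxy access-log lines in the common/combined log format, flags any request whose path contains a `setup` segment (matching under a context path such as `/confluence/` as well as at the root), and flags any client matching the four indicator IPs listed earlier. The log lines and request paths are constructed for this example.

```python
"""Flag access-log entries that touch Confluence's /setup/* pages or come from
the indicator IPs named in the article. Added example; assumes the common or
combined log format as written by a reverse proxy in front of Confluence."""

import re
from collections import Counter

# Indicator IPs exactly as the article lists them, in defanged form.
DEFANGED_IOCS = [
    "192.69.90[.]31",
    "104.128.89[.]92",
    "23.105.208[.]154",
    "199.193.127[.]231",
]


def refang(ip):
    """Undo the '[.]' defanging convention so IPs compare against log fields."""
    return ip.replace("[.]", ".")


IOC_IPS = {refang(ip) for ip in DEFANGED_IOCS}

# Common Log Format: client ident user [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Match a 'setup' path segment anywhere, so a context-path deployment
# (/confluence/setup/...) is caught as well as a root deployment (/setup/...).
SETUP_RE = re.compile(r"(^|/)setup(/|$)")


def parse_line(line):
    """Return the parsed fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def findings(lines):
    """Return (client, reason, path) tuples for every suspicious entry."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore the query string
        if SETUP_RE.search(path):
            out.append((rec["client"], "setup-endpoint", rec["path"]))
        if rec["client"] in IOC_IPS:
            out.append((rec["client"], "ioc-ip", rec["path"]))
    return out


def summarize(lines):
    """Count findings per (client, reason) so persistent sources stand out."""
    return Counter((client, reason) for client, reason, _ in findings(lines))


# Constructed sample: two benign requests, one setup-page hit from an unlisted
# client, one request from a listed IP that also hits a setup page, and one
# unparseable line that must be skipped rather than crash the run.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Oct/2023:09:12:01 +0000] "GET /login.action HTTP/1.1" 200 5120',
    '10.0.0.7 - - [05/Oct/2023:09:12:03 +0000] "GET /rest/api/content?limit=5 HTTP/1.1" 200 2048',
    '198.51.100.23 - - [05/Oct/2023:09:13:44 +0000] "GET /setup/example.action HTTP/1.1" 200 1024',
    '192.69.90.31 - - [05/Oct/2023:09:14:10 +0000] "POST /confluence/setup/example.action HTTP/1.1" 302 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for client, reason, path in findings(SAMPLE_LOG):
        print(f"{reason:15} {client:18} {path}")
    print(summarize(SAMPLE_LOG))
```

Any `setup-endpoint` hit with a 200 or 302 status on an instance that finished installation long ago is worth a closer look, as is any new administrator account created around the same timestamps; the IP match is a weaker signal on its own, since the list above is a snapshot rather than a complete picture of the actor's infrastructure.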
