{"id":23183,"date":"2023-10-23T17:06:35","date_gmt":"2023-10-24T01:06:35","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2023\/10\/23\/news-16913\/"},"modified":"2023-10-23T17:06:35","modified_gmt":"2023-10-24T01:06:35","slug":"news-16913","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/10\/23\/news-16913\/","title":{"rendered":"Vulnerability in Confluence Data Center and Confluence Server | Kaspersky official blog"},"content":{"rendered":"<p><strong>Credit to Author: Alanna Titterington| Date: Mon, 23 Oct 2023 14:40:47 +0000<\/strong><\/p>\n<p>Recently, CISA, the FBI, and <a href=\"https:\/\/en.wikipedia.org\/wiki\/Center_for_Internet_Security\" target=\"_blank\" rel=\"nofollow noopener\">MS-ISAC<\/a> issued a joint <a href=\"https:\/\/www.theregister.com\/2023\/10\/17\/confluence_zero_day_advisory\/\" target=\"_blank\" rel=\"nofollow noopener\">advisory<\/a> urging all organizations that use Confluence Data Center and Confluence Server to update the software immediately due to a major vulnerability. Here&#8217;s what the problem is and why this advisory is on point.<\/p>\n<h2>CVE-2023-22515 in Confluence Data Center and Confluence Server<\/h2>\n<p>The vulnerability in question, designated <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-22515\" target=\"_blank\" rel=\"nofollow noopener\">CVE-2023-22515<\/a>, has received the maximum CVSS 3.0 threat score of 10.0, as well as critical status. The vulnerability allows an attacker, even if unauthenticated, to restart the server configuration process. 
By exploiting CVE-2023-22515, they could create accounts with administrator rights on a vulnerable Confluence server.<\/p>\n<div id=\"attachment_49405\" style=\"width: 3010px\" class=\"wp-caption aligncenter\"><img aria-describedby=\"caption-attachment-49405\" decoding=\"async\" fetchpriority=\"high\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/10\/23093727\/confluence-data-center-server-vulnerability-1-scaled.jpg\" alt=\"CVE-2023-22515 severity level\" width=\"3000\" height=\"2068\" class=\"size-full wp-image-49405\" \/><\/p>\n<p id=\"caption-attachment-49405\" class=\"wp-caption-text\">CVE-2023-22515: high severity level and high exploitability. <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-22515\" target=\"_blank\" rel=\"nofollow noopener\">Source<\/a><\/p>\n<\/div>\n<p>Only organizations using on-premises Atlassian Confluence Data Center and Confluence Server are at risk. Confluence Cloud customers are not affected. Nor does the vulnerability impact Confluence Data Center and Confluence Server versions earlier than 8.0.0. Below is the full list of vulnerable versions according to Atlassian:<\/p>\n<ul>\n<li>8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4<\/li>\n<li>8.1.0, 8.1.1, 8.1.3, 8.1.4<\/li>\n<li>8.2.0, 8.2.1, 8.2.2, 8.2.3<\/li>\n<li>8.3.0, 8.3.1, 8.3.2<\/li>\n<li>8.4.0, 8.4.1, 8.4.2<\/li>\n<li>8.5.0, 8.5.1<\/li>\n<\/ul>\n<h2>Exploitation in the wild and PoC on GitHub<\/h2>\n<p>The main problem is that the vulnerability is extremely easy to exploit. 
This is made worse by the fact that a successful attack on a vulnerable server doesn&#8217;t require access to an account on it, which significantly expands the scope for attacker activity.<\/p>\n<p>The key feature of the attack is that vulnerable versions of Confluence Data Center and Confluence Server allow attackers to change the value of the <code>bootstrapStatusProvider.applicationConfig.setupComplete<\/code> attribute to <code>false<\/code> without authentication on the server. By doing so, they reinitialize the server setup stage and are free to create their own administrator accounts.<\/p>\n<div id=\"attachment_49406\" style=\"width: 1870px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" aria-describedby=\"caption-attachment-49406\" decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/10\/23094142\/confluence-data-center-server-vulnerability-2.png\" alt=\"Key feature of CVE-2023-22515 exploitation \" width=\"1860\" height=\"508\" class=\"size-full wp-image-49406\" \/><\/p>\n<p id=\"caption-attachment-49406\" class=\"wp-caption-text\">Key feature of Confluence Data Center and Confluence Server vulnerability exploitation. <a href=\"https:\/\/github.com\/vulhub\/vulhub\/tree\/master\/confluence\/CVE-2023-22515\" target=\"_blank\" rel=\"nofollow noopener\">Source<\/a><\/p>\n<\/div>\n<p>Please note that this isn&#8217;t just theory \u2014 real attacks are already being carried out. 
A week after information about CVE-2023-22515 was made public, the Microsoft Threat Intelligence team <a href=\"https:\/\/twitter.com\/MsftSecIntel\/status\/1711871732644970856\" target=\"_blank\" rel=\"nofollow noopener\">observed<\/a> an APT group exploiting this vulnerability.<\/p>\n<div id=\"attachment_49407\" style=\"width: 1196px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" aria-describedby=\"caption-attachment-49407\" decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/10\/23094237\/confluence-data-center-server-vulnerability-3.png\" alt=\"Microsoft Threat Intelligence alert about CVE-2023-22515 exploitation by Storm-0062 (aka DarkShadow, Oro0lxy) \" width=\"1186\" height=\"528\" class=\"size-full wp-image-49407\" \/><\/p>\n<p id=\"caption-attachment-49407\" class=\"wp-caption-text\">Microsoft Threat Intelligence alert about CVE-2023-22515 exploitation in the wild. <a href=\"https:\/\/twitter.com\/MsftSecIntel\/status\/1711871732644970856\" target=\"_blank\" rel=\"nofollow noopener\">Source<\/a><\/p>\n<\/div>\n<p>As mentioned above, this vulnerability in Confluence Data Center and Confluence Server is extremely easy to exploit. This means that not only highly skilled APT hackers can exploit it, but even <a href=\"https:\/\/www.kaspersky.com\/blog\/social-engineering-cases\/48697\/\" target=\"_blank\" rel=\"noopener\">bored schoolkids<\/a> too. 
A <a href=\"https:\/\/github.com\/vulhub\/vulhub\/tree\/master\/confluence\/CVE-2023-22515\" target=\"_blank\" rel=\"nofollow noopener\">Proof of Concept exploit for CVE-2023-22515<\/a> has already appeared on GitHub, complete with a <a href=\"https:\/\/github.com\/Chocapikk\/CVE-2023-22515\" target=\"_blank\" rel=\"nofollow noopener\">Python script<\/a> for easy-as-pie exploitation \u2014 on a mass scale: all an attacker need do is input a list of target server addresses into the script.<\/p>\n<h2>How to secure your infrastructure against CVE-2023-22515<\/h2>\n<p>If possible, you should update your Confluence Data Center or Confluence Server to a version with the vulnerability already patched (8.3.3, 8.4.3, 8.5.2), or to a later version within the same branch.<\/p>\n<p>If unable to update, it&#8217;s recommended to remove vulnerable Confluence servers from public access; that is, disable access to them from external networks until the update is installed.<\/p>\n<p>If this too cannot be done, an interim measure is to mitigate the threat by blocking access to configuration pages. More details can be found in <a href=\"https:\/\/confluence.atlassian.com\/security\/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html\" target=\"_blank\" rel=\"nofollow noopener\">Atlassian&#8217;s own advisory<\/a>. It notes, however, that this option doesn&#8217;t eliminate the need to update Confluence Data Center or Confluence Server: it only temporarily thwarts a known attack vector.<\/p>\n<p>Additionally, organizations that use either Confluence Data Center or Confluence Server are advised to check whether this vulnerability has already been used in attacks against them.
Some indications of CVE-2023-22515 exploitation are:<\/p>\n<ul>\n<li>Suspicious new members of the <code>confluence-administrators<\/code> group<\/li>\n<li>Unexpected newly created user accounts<\/li>\n<li>Requests to <code>\/setup\/*.action<\/code> in network access logs<\/li>\n<li>Presence of <code>\/setup\/setupadministrator.action<\/code> in an exception message in <code>atlassian-confluence-security.log<\/code> in the Confluence home directory.<\/li>\n<\/ul>\n<p>Keep in mind that gaining control over Confluence through CVE-2023-22515 exploitation is unlikely to be the attackers&#8217; primary goal. Instead, it will likely serve as a foothold to launch further attacks on the company&#8217;s information systems.<\/p>\n<p>To monitor suspicious activity in corporate infrastructure, use an <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/endpoint-detection-response-edr?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\">EDR (Endpoint Detection and Response) solution<\/a>. 
If your in-house information security team lacks the resources, you can outsource the job to an <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/managed-detection-and-response?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____\" target=\"_blank\">external service<\/a>, which will continuously search for threats targeting your organization and respond to them in a timely manner.<\/p>\n<p><a href=\"https:\/\/www.kaspersky.com\/blog\/confluence-data-center-server-vulnerability\/49404\/\" target=\"bwo\" >https:\/\/blog.kaspersky.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/10\/23094909\/confluence-data-center-server-vulnerability-featured.jpg\"\/><\/p>\n<p>A vulnerability \u2014 CVE-2023-22515 \u2014 in Atlassian Confluence Data Center and Confluence Server allows administrator accounts to be created without
authentication.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10425,10378],"tags":[26411,1001,21782,12177,714,12321,10438,1583,10752,10467],"class_list":["post-23183","post","type-post","status-publish","format-standard","hentry","category-kaspersky","category-security","tag-atlassian","tag-business","tag-confluence","tag-enterprise","tag-security","tag-smb","tag-threats","tag-updates","tag-vulnerabilities","tag-vulnerability"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/23183","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=23183"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/23183\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=23183"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=23183"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=23183"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}