Enterprise software program maker Atlassian on Wednesday known as instant consideration to a significant security defect in its Confluence Data Middle and Server merchandise and warned that the problem has already been exploited as zero-day within the wild.
An pressing advisory from Atlassian confirms that “a handful of consumers” had been hit by exploits focusing on a remotely exploitable flaw in Confluence Data Middle and Server cases.
“Atlassian has been made conscious of a problem reported by a handful of consumers the place exterior attackers might have exploited a beforehand unknown vulnerability in publicly accessible Confluence Data Middle and Server cases to create unauthorized Confluence administrator accounts and entry Confluence cases,” the Australian firm stated.
The vulnerability, tracked as CVE-2023-22515, is described as a remotely exploitable privilege escalation problem affecting on-prem cases of Confluence Server and Confluence Data Middle.
“Cases on the general public web are notably in danger, as this vulnerability is exploitable anonymously,” Atlassian warned. “If an occasion has already been compromised, upgrading won’t take away the compromise.”
The corporate stated Atlassian Cloud websites will not be weak to this problem.
Safety vendor Rapid7 is underscoring the urgency for companies to use accessible patches and mitigations.
“Atlassian’s advisory implies that the vulnerability is remotely exploitable, which is usually extra according to an authentication bypass or distant code execution chain than a privilege escalation problem by itself,” Rapid7’s Caitlin Condon stated.
Atlassian has printed an FAQ urging enterprise customers to right away examine all affected Confluence cases for the next indicators of compromise:
- Sudden members of the confluence-administrator group
- Sudden newly created consumer accounts
- Requests to /setup/*.motion in community entry logs
- Presence of /setup/setupadministrator.motion in an exception message in atlassian-confluence-security.log within the Confluence house listing
“Whether it is decided that your occasion has been compromised, our recommendation is to right away shut down and disconnect the server from the community/Web. Additionally, it’s possible you’ll wish to instantly shut down another methods which probably share a consumer base or have widespread username/password mixtures with the compromised system,” Atlassian added.
Safety issues in Atlassian’s software program merchandise have been focused up to now by each cybercriminal and state-sponsored risk actors. In CISA’s KEV (Recognized Exploited Vulnerabilities) catalog, there are six distinct Confluence vulnerabilities marked for pressing consideration.
