Atlassian warns of public exploit for Confluence data-wiping bug, urges patching now

Atlassian has warned administrators that a public exploit is now available for a critical Confluence security flaw that can be used in data-destruction attacks targeting Internet-exposed and unpatched instances.

Tracked as CVE-2023-22518, this authorization bypass vulnerability has a severity rating of 9.1/10 and affects all versions of Confluence Data Center and Confluence Server software.

Atlassian warned in an update to its initial advisory that it has found a publicly available exploit, which puts publicly accessible environments at significant risk.

“As part of Atlassian’s ongoing monitoring of this CVE, we have seen the public posting of critical information about the vulnerability increasing the risk of exploitation,” the company said.

“There have been no reports of active exploits, although customers should take immediate action to secure their settings. If you have already applied the patch, no further action is required.”

Although attackers can exploit the vulnerability to wipe data from affected servers, it cannot be used to steal data stored on vulnerable instances. It is also important to note that Atlassian Cloud sites accessed through the atlassian.net domain are not affected, according to Atlassian.

Today’s warning follows one issued by Atlassian’s Chief Information Security Officer (CISO) Bala Sathiamurthy when the vulnerability was disclosed on Tuesday.

“As part of our ongoing security assessment processes, we have discovered that Confluence Data Center and Server customers are at risk of losing valuable data if exploited by an unauthorized attacker,” said Sathiamurthy.

“There are no reports of active exploitation at this time; however, customers should take immediate action to protect their accounts.”

Atlassian has fixed the critical vulnerability CVE-2023-22518 in Confluence Data Center and Server versions 7.19.16, 8.3.4, 8.4.4, 8.5.3, and 8.6.1.

Mitigation measures are available

The company urged administrators to update their software immediately and, if that is not possible, to implement mitigation measures, including backing up unpatched instances and blocking Internet access to unpatched servers until they are updated.

If you cannot quickly patch your Confluence instances, you can also remove the known attack vectors by blocking access to the following endpoints, modifying /confluence/WEB-INF/web.xml under the Confluence installation directory as described in the advisory and then restarting the vulnerable instance:

  1. /json/setup-restore.action
  2. /json/setup-restore-local.action
  3. /json/setup-restore-progress.action
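A practitioner applying this mitigation will want to confirm that the deny rule really covers all three endpoints for every HTTP method, not just that some text was pasted into web.xml. The following is an added example in Python, not Atlassian's code and not from the article: it parses a web.xml, reports which of the three setup-restore endpoints are still reachable (i.e. not covered by a deny-all security-constraint), and inserts the deny rule before `</web-app>` when it is missing. The `<security-constraint>` text follows the deny-all shape the advisory describes (an empty `<auth-constraint/>` denies every role); copy the exact block from the current advisory rather than from here, and the sample web.xml below is constructed for the demonstration.

```python
"""Verify (and, if needed, add) the web.xml deny rule for the three
setup-restore endpoints named in the CVE-2023-22518 advisory.

Added example, not Atlassian's code. The constraint text below follows the
deny-all shape the advisory describes; take the exact block from the current
advisory. SAMPLE_WEB_XML is constructed for the demonstration.
"""
import xml.etree.ElementTree as ET

RESTORE_ENDPOINTS = (
    "/json/setup-restore.action",
    "/json/setup-restore-local.action",
    "/json/setup-restore-progress.action",
)

# Deny-all constraint: an <auth-constraint> with no <role-name> children means
# no caller, authenticated or not, may reach the listed URL patterns. The
# <http-method-omission> line is kept as in the advisory's snippet; the deny
# itself comes from the empty <auth-constraint />.
MITIGATION_CONSTRAINT = """    <security-constraint>
        <web-resource-collection>
            <url-pattern>/json/setup-restore.action</url-pattern>
            <url-pattern>/json/setup-restore-local.action</url-pattern>
            <url-pattern>/json/setup-restore-progress.action</url-pattern>
            <http-method-omission>*</http-method-omission>
        </web-resource-collection>
        <auth-constraint />
    </security-constraint>
"""


def _local(tag):
    """Strip the XML namespace so tag names match whatever Servlet-spec
    namespace the deployment descriptor declares as its default."""
    return tag.rsplit("}", 1)[-1]


def denied_patterns(web_xml):
    """Return the set of url-patterns covered by a deny-all security-constraint.

    A constraint counts as deny-all only when it carries an <auth-constraint>
    with no <role-name> (a role would grant that role access) and its
    web-resource-collection lists no <http-method> (a method list would leave
    the unlisted methods, such as POST, open).
    """
    root = ET.fromstring(web_xml)
    denied = set()
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        auth = [c for c in sc if _local(c.tag) == "auth-constraint"]
        if not auth or any(_local(r.tag) == "role-name" for r in auth[0]):
            continue  # no auth-constraint, or one that still grants a role
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            if any(_local(c.tag) == "http-method" for c in wrc):
                continue  # method-limited rule: not a blanket deny
            for c in wrc:
                if _local(c.tag) == "url-pattern" and c.text:
                    denied.add(c.text.strip())
    return denied


def unprotected_endpoints(web_xml):
    """The advisory endpoints that no deny-all constraint covers."""
    denied = denied_patterns(web_xml)
    return [e for e in RESTORE_ENDPOINTS if e not in denied]


def add_mitigation(web_xml):
    """Insert the deny-all constraint before </web-app> when any endpoint is
    still reachable; return the (possibly unchanged) descriptor text."""
    if not unprotected_endpoints(web_xml):
        return web_xml
    if "</web-app>" not in web_xml:
        raise ValueError("no </web-app> closing tag found")
    return web_xml.replace("</web-app>", MITIGATION_CONSTRAINT + "</web-app>", 1)


# Constructed sample: a namespaced web.xml with one unrelated, role-based
# constraint, so the checker must not mistake it for a deny-all rule.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
    <security-constraint>
        <web-resource-collection>
            <url-pattern>/admin/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>
</web-app>
"""

if __name__ == "__main__":
    print("unprotected before:", unprotected_endpoints(SAMPLE_WEB_XML))
    patched = add_mitigation(SAMPLE_WEB_XML)
    print("unprotected after: ", unprotected_endpoints(patched))
```

Run `unprotected_endpoints()` against the real file after editing and again after the restart (the descriptor is only read at startup); an empty list is the condition you want before relying on the mitigation, and it is still, as Atlassian says, no substitute for upgrading to a fixed version.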

“These mitigation actions are limited and do not take the place of patching your site; you should take immediate action,” warns Atlassian.

Last month, CISA, the FBI, and MS-ISAC warned defenders to immediately patch Atlassian Confluence servers against an actively exploited flaw tracked as CVE-2023-22515.

Microsoft later found that a China-backed threat group tracked as Storm-0062 (also known as DarkShadow or Oro0lxy) had been exploiting that flaw as a zero-day since September 14, 2023.

Protecting vulnerable Confluence servers is critical, given that they have previously been targeted in widespread attacks that pushed AvosLocker and Cerber2021 ransomware, Linux botnet malware, and crypto miners.