Summary
A critical severity flaw exists in all versions of Atlassian’s Confluence Data Center and Server. It is classified as CVE-2023-22518 with a CVSS score of 9.1 and is defined as an Improper Authorization Vulnerability by Atlassian. There is no evidence of active exploitation, but the CISO of Atlassian, Bala Sathiamurthy, has stated that customers should refer to the security advisory and take immediate action to protect their instances of Confluence Data Center and Server.
Impact Assessment
Atlassian’s Confluence Data Center and Server is a critical piece of infrastructure for any business that utilizes it. If the vulnerability is exploited it can allow an attacker to assume the identity of another user or give themselves access to actions they should not be able to do such as assigning roles, editing code, and managing or editing projects that exist in Confluence. This vulnerability stems from improper access control within the software.
What it means for you
Exploitation of this vulnerability by a bad actor or insider threat can lead to a myriad of problems such as information exposure, denial of service, and arbitrary code execution. If you or your organization utilize Atlassian’s Confluence Data Center and Server it is in your best interest to patch your instance of this software to the latest version as per vendor instructions.
Remediation
The vendor recommends upgrading the instance of this software to a fixed version:
Products
- Confluence Data Center
- Confluence Server
Fixed Versions
- 7.19.16 or later
- 8.3.4 or later
- 8.4.4 or later
- 8.5.3 or later
- 8.6.1 or later
The vendor has also supplied mitigations, they recommend to back up your instance as well as removing the instance from access to the public internet until your organization is able to patch this software.
Business Implications
Exploitation of this vulnerability could cause extreme damage to daily workflows. This software can be essential for business-as-usual activities such as ticketing, programming, projects, etc. This can cause information exposure, denial of service, and arbitrary code execution which will result in costs for the business for triage and incident response, costs due to lack of productivity.
Access Point Technology Recommends
Patch — Access Point Technology recommends patching this software if it is used as soon as possible as recommended by the vendor.
Apply Mitigations — The vendor has supplied recommendations for mitigations which include making a backup of your current instance as well as removing the instance of confluence from access to the external internet until it is patched.
Associated Bulletins
https://cwe.mitre.org/data/definitions/285.html
https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html
https://jira.atlassian.com/browse/CONFSERVER-93142
https://www.cve.org/CVERecord?id=CVE-2023-22518
.webp)
.png)
