CISA, FBI, and MS-ISAC have issued an urgent warning to network administrators, urging them to take immediate action to secure their Atlassian Confluence servers. The reason for this alarm is a highly critical vulnerability known as CVE-2023-22515, which is currently being actively exploited by malicious actors.
This particular security flaw poses a significant risk as it allows for privilege escalation, granting unauthorized access to sensitive systems and data. What makes it even more concerning is that it affects Confluence Data Center and Server versions 8.0.0 and later. The severity of this vulnerability is underscored by the fact that it can be exploited remotely without the need for any user interaction. In other words, attackers can compromise these systems with relatively low-complexity attacks, making it a significant threat.
Atlassian, the company behind Confluence, had already taken steps to address this issue by releasing security updates on October 4. They advised their customers to act promptly and upgrade their Confluence instances to one of the fixed versions, which include 8.3.3 or later, 8.4.3 or later, and 8.5.2 or later. This urgent call to action was driven by the fact that the vulnerability had already been exploited in the wild as a zero-day, meaning that attackers were actively taking advantage of it before it became publicly known.
For those who were unable to perform the upgrades immediately, Atlassian recommended taking precautions such as shutting down impacted instances or isolating them from Internet access. Additionally, administrators were advised to be vigilant and look out for potential indicators of compromise, such as the presence of new or suspicious admin user accounts.
Adding to the gravity of the situation, just a week after CISA identified this vulnerability as actively exploited, Microsoft disclosed that a threat group believed to be backed by Chinese actors, known as Storm-0062 (also referred to as DarkShadow or Oro0lxy), had been exploiting the vulnerability as a zero-day since at least September 14, 2023. This revelation further emphasizes the urgency of addressing this issue.
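The two checks the paragraphs above call for (is the running version in the affected range, and have admin accounts appeared since exploitation began) can be scripted for a fleet triage. The helper below is an added example, not Atlassian's, CISA's or Microsoft's code; it uses the version boundaries and the September 14 date stated above, and the account records are constructed sample data standing in for a real user-directory export.

```python
# Added triage helper for CVE-2023-22515 (not Atlassian's or CISA's code).
# Checks a Confluence Data Center/Server version against the advisory's
# affected range and fixed releases, and flags admin accounts created
# after exploitation is known to have started. Account data is constructed.
from datetime import datetime, timezone
# Fixed releases from Atlassian's October 4 advisory, keyed by branch.
FIXED = {(8, 3): (8, 3, 3), (8, 4): (8, 4, 3), (8, 5): (8, 5, 2)}
FIRST_AFFECTED = (8, 0, 0)
# Storm-0062 zero-day exploitation observed from at least this date.
EXPLOITATION_START = datetime(2023, 9, 14, tzinfo=timezone.utc)


def parse_version(text):
    """'8.4.1' -> (8, 4, 1); drops build suffixes such as '-m01'."""
    parts = [int(p) for p in text.strip().split("-")[0].split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def is_vulnerable(version):
    """True if version is 8.0.0 or later and below its branch's fix."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False          # pre-8.0 releases are outside the affected range
    if v[:2] in FIXED:
        return v < FIXED[v[:2]]
    # 8.0-8.2 got no fix release; anything at or past 8.5.2 counts as fixed.
    return v < FIXED[(8, 5)]


def suspicious_admins(accounts, since=EXPLOITATION_START):
    """Admin usernames created on or after the exploitation start date."""
    return sorted(a["name"] for a in accounts
                  if a["is_admin"] and a["created"] >= since)


# Constructed sample user-directory export (not real data).
SAMPLE_ACCOUNTS = [
    {"name": "alice", "is_admin": True,
     "created": datetime(2021, 3, 2, tzinfo=timezone.utc)},
    {"name": "bob", "is_admin": False,
     "created": datetime(2023, 9, 20, tzinfo=timezone.utc)},
    {"name": "svc_backup2", "is_admin": True,
     "created": datetime(2023, 9, 16, tzinfo=timezone.utc)},
]

if __name__ == "__main__":
    for ver in ("7.19.14", "8.0.0", "8.3.3", "8.4.2", "8.5.2", "8.6.0"):
        print(ver, "VULNERABLE" if is_vulnerable(ver) else "fixed/unaffected")
    print("admins created since exploitation began:",
          suspicious_admins(SAMPLE_ACCOUNTS))
```

An account flagged here is only a lead: confirm who created it and when against the audit log before treating it as a compromise indicator.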
In response to these developments, CISA, FBI, and MS-ISAC jointly issued a strong and unequivocal call to action, urging network administrators to promptly apply the upgrades provided by Atlassian to secure their Confluence servers. This collaborative warning underscores the critical nature of this vulnerability and the potential consequences of leaving it unpatched. Network administrators are strongly encouraged to act swiftly to protect their systems and data from the ongoing threats exploiting this flaw.