In this article, experts from S-RM's Cyber Incident Response team provide remediation advice and insights into the Indicators of Compromise for two high-profile Confluence vulnerabilities.
Background
On 31 October 2023, Atlassian disclosed a new Confluence vulnerability, CVE-2023-22518, following the disclosure of the critical broken access control zero-day CVE-2023-22515 just over a month earlier. The newly published vulnerability received a maximum severity score of CVSS 10, the highest level of criticality possible.
The actively exploited vulnerability affects all versions of Confluence Data Center and on-premise Server, and allows an unauthenticated attacker to reset Confluence and establish an administrator account, and even to encrypt targeted users' files with Cerber ransomware.
Remediation
If your organisation uses Confluence Data Center or Server products, we recommend that you immediately patch to a fixed version. If you are unable to patch, remove your Confluence instance from the internet until you can, or follow this guidance directly from Atlassian:
CVE-2023-22518
1. On each node, modify /<confluence-install-dir>/confluence/WEB-INF/web.xml and add the following block of code (just before the </web-app> tag at the end of the file):
<security-constraint>
    <web-resource-collection>
        <url-pattern>/json/setup-restore.action</url-pattern>
        <url-pattern>/json/setup-restore-local.action</url-pattern>
        <url-pattern>/json/setup-restore-progress.action</url-pattern>
        <http-method-omission>*</http-method-omission>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>
2. Restart Confluence.
CVE-2023-22515
1. On each node, modify /<confluence-install-dir>/confluence/WEB-INF/web.xml and add the following block of code (just before the </web-app> tag at the end of the file):
<security-constraint>
    <web-resource-collection>
        <url-pattern>/setup/*</url-pattern>
        <http-method-omission>*</http-method-omission>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>
2. Restart Confluence.
Note: These mitigation actions are limited and are not a replacement for upgrading your Confluence instance. You must patch to a fixed version as soon as possible.
Indicators of Compromise
Security researchers have observed multiple attempts to exploit web-accessible Confluence servers, most targeting CVE-2023-22518 and a smaller proportion targeting CVE-2023-22515. Known targeting of organisations has been observed in the following locations: US, Australia, Ukraine, Latvia and Moldova.
In addition, Atlassian has identified several indicators of compromise associated with the exploitation of these vulnerabilities. If you run any version of Confluence Data Center or on-premise Server, you should search for these indicators to confirm that your instance has not already been compromised. These include:
CVE-2023-22518
- Loss of login access to the instance
- Requests to /json/setup-restore* in network access logs
- Installed unknown plugins, specifically shell.Plugin
- Encrypted files or corrupted data
- Unexpected members of the confluence-administrators group
- Unexpected newly created user accounts
CVE-2023-22515
- Unexpected members of the confluence-administrators group
- Unexpected newly created user accounts
- Installed unknown plugins
- Requests to /setup/*.action in network access logs
- Presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory
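As an added example (not code from the original article or from Atlassian), the following Python script applies the log-based indicators above to constructed sample lines: requests to /json/setup-restore* for CVE-2023-22518, and /setup/*.action requests or a /setup/setupadministrator.action reference in the security log for CVE-2023-22515. The access-log format and the security-log line shape are assumptions; adapt the patterns to your reverse proxy or SIEM.

```python
import re
from typing import Dict, Iterable, List

# Path patterns derived from the indicators listed above: the setup-restore
# endpoints abused for CVE-2023-22518 and /setup/*.action for CVE-2023-22515.
IOC_PATTERNS: Dict[str, re.Pattern] = {
    "CVE-2023-22518": re.compile(r'/json/setup-restore[^\s"?]*'),
    "CVE-2023-22515": re.compile(r'/setup/[^\s"?]*\.action'),
}

# Constructed sample lines (not real traffic): a reverse-proxy access log in
# combined format, plus one line shaped like a Confluence security log entry.
# The logger name and message wording are assumptions, not Atlassian's format.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [01/Nov/2023:10:15:02 +0000] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 5120
203.0.113.5 - - [01/Nov/2023:10:15:10 +0000] "GET /display/SETUP/Home HTTP/1.1" 200 4100
203.0.113.9 - - [01/Nov/2023:10:15:40 +0000] "POST /json/setup-restore.action?synchronous=true HTTP/1.1" 200 341
203.0.113.9 - - [01/Nov/2023:10:16:03 +0000] "POST /json/setup-restore-progress.action HTTP/1.1" 200 88
198.51.100.7 - - [01/Nov/2023:11:02:17 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0
"""
SAMPLE_SECURITY_LOG = """\
2023-11-01 11:02:17,881 WARN [http-nio-8090-exec-4] [confluence.setup] Exception while handling /setup/setupadministrator.action
"""

def scan_log(lines: Iterable[str], patterns: Dict[str, re.Pattern] = IOC_PATTERNS) -> List[dict]:
    """Return one hit per (line, CVE) whose indicator pattern matches the line."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for cve, pattern in patterns.items():
            match = pattern.search(line)
            if match:
                hits.append({"line": lineno, "cve": cve, "path": match.group(0)})
    return hits

def summarise(hits: List[dict]) -> Dict[str, int]:
    """Count hits per CVE; all zeros means no indicator was seen in that log."""
    counts = {cve: 0 for cve in IOC_PATTERNS}
    for hit in hits:
        counts[hit["cve"]] += 1
    return counts

if __name__ == "__main__":
    for name, text in (("access log", SAMPLE_ACCESS_LOG), ("security log", SAMPLE_SECURITY_LOG)):
        hits = scan_log(text.splitlines())
        print(f"{name}: {summarise(hits)}")
        for hit in hits:
            print(f"  line {hit['line']}: {hit['cve']} -> {hit['path']}")
```

Any hit warrants a full review of the instance (administrator group membership, installed plugins, new accounts) rather than being treated as a false positive; a match on the security-log pattern in particular should not appear on a healthy, fully set-up instance.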
If any evidence of compromise is identified on your network, or you would like any advice on how to remediate a compromise, please reach out to our dedicated incident response hotline at cyberir@s-rminform.com.