TL;DR:
A vulnerability in Confluence Data Center and Server (CVE-2023-22515) allows unauthenticated attackers to create Confluence administrator accounts for themselves, and it is being exploited in the wild.
The details:
Atlassian has released fixes for CVE-2023-22515, a broken access control vulnerability that an unauthenticated, external actor can use to create administrator accounts on internet-facing Confluence Data Center and Server instances. Atlassian states that the vulnerability has already been exploited by attackers.
Only Confluence Data Center and Server versions 8.0.0 through 8.5.1 are affected; versions before 8.0.0 and Atlassian Cloud sites are not. Fixed versions (8.3.3, 8.4.3 and 8.5.2, or later) are available now.
Why we are telling you:
Attackers are already exploiting this vulnerability, and it’s unclear how long they have known about it, so any exposed instance may already have been compromised before the patch was available. Atlassian rates the severity as Critical (CVSS 10.0).
Immediate recommendations:
- If you’re running Confluence Data Center or Server 8.0.0 through 8.5.1, upgrade to a fixed version (8.3.3, 8.4.3 or 8.5.2, or later). If you can’t upgrade immediately, Atlassian’s advisory recommends restricting external network access to the instance and blocking access to the /setup/* endpoints.
- Review for indicators of compromise: unexpected members of the confluence-administrators group (the default admin group; Atlassian’s advisory refers to it as confluence-administrator), other unexpected newly created user accounts, and requests to /setup/*.action in the access logs on an instance whose initial setup was completed long ago. Patching does not remove accounts an attacker already created, so do this review even after upgrading.
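One way to run the two log-and-membership checks above, as an added example that is not part of the original advisory or Atlassian’s tooling. It assumes the admin-group membership was exported from the Confluence REST API (GET /rest/api/group/confluence-administrators/member, whose results carry a `username` field) and that the access log is in Tomcat’s combined format; the JSON, the expected-admin list and the log lines below are constructed sample data, and the group name, endpoint and field name are assumptions to verify against your instance.

```python
import json
import re

# Constructed sample of the JSON that GET /rest/api/group/{group}/member
# returns on Confluence Data Center and Server (assumption: each result has a
# 'username' field; a real response is paginated and you must follow
# 'start'/'limit' or '_links.next' until 'size' is exhausted).
ADMIN_GROUP_JSON = """
{
  "results": [
    {"type": "known", "username": "admin",  "displayName": "Site Admin"},
    {"type": "known", "username": "jsmith", "displayName": "J. Smith"},
    {"type": "known", "username": "a1b2c3", "displayName": "a1b2c3"}
  ],
  "start": 0, "limit": 200, "size": 3
}
"""

# Your change-controlled list of who should be an administrator. Keep it
# outside Confluence, so an attacker who gained admin rights cannot edit it.
EXPECTED_ADMINS = {"admin", "jsmith"}

# Constructed sample Tomcat access-log lines (combined format). The third line
# is the pattern Atlassian lists as an indicator: a request to a
# /setup/*.action endpoint on an instance whose setup finished long ago. The
# fourth line is a decoy that merely contains the word "setup".
ACCESS_LOG = """\
10.0.0.5 - - [03/Oct/2023:14:02:11 +0000] "GET /login.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [03/Oct/2023:14:10:02 +0000] "GET /rest/api/content?limit=25 HTTP/1.1" 200 1844 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Oct/2023:14:12:44 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0 "-" "python-requests/2.31"
10.0.0.5 - - [03/Oct/2023:14:15:30 +0000] "GET /setup-preferences.action HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Combined-format request line: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def unexpected_admins(members_json: str, expected: set[str]) -> set[str]:
    """Return usernames in the admin group that are not on the expected list."""
    data = json.loads(members_json)
    actual = {m["username"] for m in data.get("results", []) if "username" in m}
    return actual - expected


def setup_requests(log_text: str) -> list[dict]:
    """Return parsed access-log entries whose path is /setup/<anything>.action.

    The query string is stripped before matching so '?x=y' cannot hide the
    path, and the match is anchored at the start of the path so URLs that
    merely contain 'setup' (e.g. /setup-preferences.action) are not reported.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        path = m.group("target").split("?", 1)[0]
        if path.startswith("/setup/") and path.endswith(".action"):
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "method": m.group("method"),
                "path": path,
                "status": int(m.group("status")),
            })
    return hits


if __name__ == "__main__":
    for user in sorted(unexpected_admins(ADMIN_GROUP_JSON, EXPECTED_ADMINS)):
        print(f"UNEXPECTED ADMIN: {user}")
    for hit in setup_requests(ACCESS_LOG):
        print(f"SETUP REQUEST: {hit['ts']} {hit['ip']} {hit['method']} "
              f"{hit['path']} -> {hit['status']}")
```

Run it against a real export and the full access-log history (including rotated files) rather than only the current log; a hit on a /setup/*.action endpoint is only meaningful on an instance whose first-time setup wizard was completed earlier, since the wizard itself uses those endpoints legitimately during installation.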
Strategic recommendations:
- Use vulnerability management scanning to find every Confluence Data Center and Server instance you own, especially internet-facing ones, and confirm each is on a fixed version.
What we’re doing:
Expel’s Detection and Response team, which includes both MDR detections and threat hunting, is examining this threat to see what detection and hunting logic (e.g. behavioral or IOC hunt) we can apply to detect this activity with acceptable fidelity.
We recommend implementing the applicable patches and updates when appropriate and able.
More Info/ References: