In today’s SensCy Cyber Alert, your SensCy team recommends that Atlassian users apply the necessary patches. The patches fix an actively exploited critical zero-day in Confluence Data Center and Server.
The zero-day vulnerability is tracked as CVE-2023-22515. It is remotely exploitable and allows attackers to create unauthorized Confluence administrator accounts and gain access to Confluence servers.
The vulnerability does not impact Confluence versions prior to 8.0.0.
Fixed versions of Confluence Data Center and Server are:
- 8.3.3 or later
- 8.4.3 or later, and
- 8.5.2 (Long Term Support release) or later
If you are unable to apply the update, restrict external network access to affected instances until you can.
“Additionally, you can mitigate known attack vectors for this vulnerability by blocking access to the /setup/* endpoints on Confluence instances,” Atlassian said. “This is possible at the network layer or by making the following changes to Confluence configuration files.”
Here are some indicators of compromise (IoCs) you can use to determine whether your Atlassian instance was breached. If you find any of them, we recommend shutting the instance down immediately:
- unexpected members of the confluence-administrator group
- unexpected newly created user accounts
- requests to /setup/*.action in network access logs
- presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory
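The following script is an added example, not code from SensCy or Atlassian, that checks the four indicators above against constructed sample data: it scans access-log lines for requests to /setup/*.action, scans security-log lines for an exception message naming /setup/setupadministrator.action, and compares the current confluence-administrator membership and user list against a trusted earlier snapshot. The access-log layout (Apache common format) and the security-log line shape are assumptions; point the script at your own Tomcat access log under the Confluence install directory and at atlassian-confluence-security.log under the Confluence home directory, and adjust ACCESS_RE if your AccessLogValve pattern differs.

```python
"""Added example (not SensCy's or Atlassian's code): check Confluence logs and
group membership for the CVE-2023-22515 indicators of compromise.

All sample input below is constructed. The access-log format (Apache "common"
format) is an assumption; change ACCESS_RE if your Tomcat log pattern differs.
"""
import re
from typing import Iterable, List, Optional, Set

# Matches: client - user [timestamp] "METHOD path HTTP/x" status bytes  (assumed layout)
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# IoC: any request to /setup/*.action (query string stripped first, case-insensitive).
SETUP_ACTION_RE = re.compile(r'^/setup/[^?]*\.action$', re.IGNORECASE)
# IoC: this action named inside an exception message in the security log.
SETUP_ADMIN_ACTION = '/setup/setupadministrator.action'


def parse_access_line(line: str) -> Optional[dict]:
    """Split one access-log line into fields; None if the line does not match."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry['path_no_query'] = entry['path'].split('?', 1)[0]
    return entry


def find_setup_requests(access_lines: Iterable[str]) -> List[dict]:
    """Return parsed access-log entries whose path is /setup/*.action."""
    hits = []
    for line in access_lines:
        entry = parse_access_line(line)
        if entry and SETUP_ACTION_RE.match(entry['path_no_query']):
            hits.append(entry)
    return hits


def find_setup_exceptions(security_lines: Iterable[str]) -> List[str]:
    """Return security-log lines that mention /setup/setupadministrator.action."""
    return [l.rstrip('\n') for l in security_lines if SETUP_ADMIN_ACTION in l]


def unexpected_members(current: Iterable[str], baseline: Iterable[str]) -> Set[str]:
    """Accounts present now that were absent from a trusted earlier snapshot."""
    return set(current) - set(baseline)


def scan(access_lines, security_lines, admins_now, admins_baseline,
         users_now, users_baseline) -> dict:
    """Run all four IoC checks; 'compromised' is True if any indicator fires."""
    report = {
        'setup_requests': find_setup_requests(access_lines),
        'setup_exceptions': find_setup_exceptions(security_lines),
        'unexpected_admins': unexpected_members(admins_now, admins_baseline),
        'unexpected_users': unexpected_members(users_now, users_baseline),
    }
    report['compromised'] = any(bool(v) for v in report.values())
    return report


# Constructed sample data (not real logs or accounts).
SAMPLE_ACCESS = [
    '198.51.100.7 - alice [04/Oct/2023:10:14:55 +0000] "GET /dashboard.action HTTP/1.1" 200 8422',
    '203.0.113.10 - - [04/Oct/2023:10:15:02 +0000] "GET /setup/setupadministrator.action HTTP/1.1" 200 5123',
    '203.0.113.10 - - [04/Oct/2023:10:15:03 +0000] "POST /setup/setupadministrator.action?x=1 HTTP/1.1" 302 0',
    '198.51.100.7 - alice [04/Oct/2023:10:16:00 +0000] "GET /setup/ HTTP/1.1" 404 0',  # not an .action
]
SAMPLE_SECURITY = [
    '2023-10-04 10:14:55,001 INFO [http-nio-8090-exec-1] login succeeded for alice',
    '2023-10-04 10:15:03,412 ERROR [http-nio-8090-exec-3] java.lang.IllegalStateException: '
    'setup already complete, request /setup/setupadministrator.action rejected',
]
ADMINS_BASELINE = ['admin', 'alice']
ADMINS_NOW = ['admin', 'alice', 'supportuser']          # 'supportuser' is the constructed rogue admin
USERS_BASELINE = ['admin', 'alice', 'bob']
USERS_NOW = ['admin', 'alice', 'bob', 'supportuser']

if __name__ == '__main__':
    r = scan(SAMPLE_ACCESS, SAMPLE_SECURITY, ADMINS_NOW, ADMINS_BASELINE,
             USERS_NOW, USERS_BASELINE)
    for e in r['setup_requests']:
        print(f"setup request: {e['ip']} {e['method']} {e['path']} -> {e['status']}")
    for l in r['setup_exceptions']:
        print('security log:', l)
    print('unexpected admins:', sorted(r['unexpected_admins']))
    print('unexpected users:', sorted(r['unexpected_users']))
    print('COMPROMISED' if r['compromised'] else 'no indicators found')
```

The scan treats any single indicator as grounds to call the instance compromised, which matches the advice above to shut down on evidence of a breach; tune the baseline lists from a snapshot taken before 8.0.0 was deployed, not from the current state, or a rogue account will be baked into the baseline.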
If you have any questions, please contact your Cyber Advocate.