Multiple government and cyber authorities reported on Monday that threat actors exploited a critical (9.8 CVSS) zero-day vulnerability in Atlassian Confluence Data Center and Server.
In a joint Cybersecurity Advisory (CSA) released by the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), network administrators were advised to apply the updates and the incident response recommendations outlined in the new CSA.
The vulnerability — CVE-2023-22515 — has been reportedly exploited by a Chinese-backed threat actor Microsoft tracks at Storm-0062 since Sept. 14, roughly two weeks before Atlassian released patches for it. Storm-0062 is believed to be associated with the Chinese Ministry of State Security.
While this CVE in Atlassian’s Confluence server does not apply to Atlassian’s cloud-based Confluence offering, the bug does let adversaries remotely create Confluence administrative accounts, and thereby provide them unfettered control over a Confluence instance, explained John Allison, director of program management for FedRAMP at Checkmarx.
Sensitive software information could be exposed in Confluence instances
Allison said Confluence gets used widely by software developers to share information across their teams, and it’s often integrated with a variety of different data sources. This vulnerability may offer adversaries access to all this information, and to have the ability to disable or subvert any Confluence data and integrations, said Allison.
“If Confluence is used by developers to document sensitive design information, such as known vulnerabilities or security weaknesses within the developer’s own product, this information may provide adversaries vital information that can be used for further attacks,” explained Allison. "The impact of this vulnerability is directly related to what information is stored in Confluence and has a good probability of impacting Atlassian customers. Even if not exploited, all customers will need to inspect their instance to determine if they have been compromised.”
Confluence can often hold vast amounts of proprietary information about a certain product, a piece of software, software/hardware documentation, and even the intellectual property behind a certain security solution, said Stephen Gates, Security SME at Horizon3.ai.
Click for more special coverage
“Information stored in Confluence could include how a product works, where it is vulnerable, the code it executes, what a company is working on now, what is coming next, you name it,” said Gates. “One of the worst-case scenarios is if attackers gain full access to a cybersecurity vendor’s Confluence instance. This could allow attackers to gain vast amounts of knowledge about their solution, their company, and their employees that most would rather not have exposed.”
Zane Bond, head of product at Keeper Security, added that the Atlassian Confluence vulnerability is serious, has been actively exploited in the wild, and administrators should patch it immediately.
“The ease of exploitation makes it critical for Atlassian customers to upgrade their Confluence instance as soon as possible to one of the fixed versions, or take the service offline until it can be updated, especially now that this vulnerability is public knowledge,” said Bond. “Additionally, employees need to be hyper-vigilant when it comes to IOCs, including new or suspicious admin user accounts.”