The discovery of CVE-2023-22518 presents a significant concern for organizations using Confluence Data Center and Server. Atlassian has granted the vulnerability a 10/10 CVSS score based on an internal assessment, however the NVD has yet to provide a score. This is the second major vulnerability discovered in Atlassian Confluence over the past few weeks; CVE-2023-22515, which the NVD rated a 9.8/10 on the CVSS v3.1 scale, is a broken access control bug that’s been generating major concern throughout the cybersecurity community over the past few weeks. Exploitation of Improper Authorization Vulnerability CVE-2023-22518 “allows an unauthenticated attacker to reset Confluence and create a Confluence instance administrator account,” according to the NVD’s summary. Using said account, attackers can perform all tasks typically available to an administrator, leading to a full compromisation of the CIA triad. Atlassian, the company behind Confluence, has acknowledged the vulnerability and released patches to address the issue.
Threat Detection
Signs of a potential compromise include:
- Loss of login access.
- Suspicious requests to
/json/setup-restore*
endpoints in access logs. - Installation of unknown plugins, particularly any named
web.shell.Plugin
. - Encrypted files or corrupted data.
- Unusual entries in the
confluence-administrators
group or newly created user accounts
Rapid7 Managed Detection and Response also created a list of indicators of compromise associated with the exploitation of CVE-2023-22518:
IP addresses:
- 193.176.179[.]41
- 193.43.72[.]11
- 45.145.6[.]112
Domains:j3qxmk6g5sk3zw62i2yhjnwmhm55rfz47fdyfkhaithlpelfjdokdxad[.]onion
File hashes:
- Bat file:
/tmp/agttydcb.bat
– MD5: 81b760d4057c7c704f18c3f6b3e6b2c4 - ELF ransomware binary:
/tmp/qnetd
– SHA256: 4ed46b98d047f5ed26553c6f4fded7209933ca9632b998d265870e3557a5cdfe
Ransom note: read-me3.txt
If you detect any of these indicators, assume that your instance has been compromised and enact your security incident response plan.
Advisory and Immediate Action Steps
On discovering the vulnerability, Atlassian’s Chief Information Security Officer issued a statement urging immediate action. Given the potential for significant data loss, it’s critical that organizations utilizing affected Confluence versions respond as soon as possible.
In order to secure your systems:
- Patch Immediately: Update to one of the fixed versions provided by Atlassian, which includes 7.19.16, 8.3.4, 8.4.4, 8.5.3, and 8.6.1.
- Temporary Mitigations: If patching is not feasible immediately, you should:
- Backup your instance.
- Remove your instance from public internet access, if possible.
- Apply interim mitigation measures by blocking specific endpoints (
/json/setup-restore.action
,/json/setup-restore-local.action
,/json/setup-restore-progress.action
) at the network layer or by updating theweb.xml
configuration file in your Confluence installation.
For more information on CVE 2023-22518, refer to the NVD entry and Atlassian’s report on the vulnerability.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –