=====================================================================
            CERT-Renater Information Note No. 2023/VULN379
_____________________________________________________________________

DATE                 : 06/10/2023
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Atlassian Confluence Data Center
                       and Server versions prior to 8.3.3, 8.4.3, 8.5.2.
=====================================================================

https://confluence.atlassian.com/security/cve-2023-22515-broken-access-control-vulnerability-in-confluence-data-center-and-server-1295682276.html
_____________________________________________________________________

CVE-2023-22515 - Broken Access Control Vulnerability in Confluence Data Center and Server

Summary                : CVE-2023-22515 - Broken Access Control Vulnerability in Confluence Data Center and Server
Advisory Release Date  : Wed, Oct 4th 2023 06:00 PDT
Products               : Confluence Data Center, Confluence Server
CVE ID                 : CVE-2023-22515
Related Jira Ticket(s) : CONFSERVER-92475

This advisory has been updated since the initial publication.

Changes since initial publication
- Clarified that Confluence versions prior to 8.0.0 are not affected. (04 Oct 2023 2:20 PM UTC, Coordinated Universal Time, +0 hours)
- Edited the group name in the Threat detection section to the correct one, confluence-administrators. (05 Oct 2023 8:30 AM UTC)
- Clarified the category as Broken Access Control to align with the OWASP definition. (05 Oct 2023 9:35 PM UTC)

Summary of Vulnerability

Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances.
Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is our assessment, and you should evaluate its applicability to your own IT environment.

Affected Versions

The Confluence Data Center and Server versions listed below are affected by this vulnerability. Customers using these versions should upgrade their instance as soon as possible. Versions prior to 8.0.0 are not affected by this vulnerability.

Product                                       Affected Versions
Confluence Data Center and Confluence Server  8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4
                                              8.1.0, 8.1.1, 8.1.3, 8.1.4
                                              8.2.0, 8.2.1, 8.2.2, 8.2.3
                                              8.3.0, 8.3.1, 8.3.2
                                              8.4.0, 8.4.1, 8.4.2
                                              8.5.0, 8.5.1

Instances on the public internet are particularly at risk, as this vulnerability is exploitable anonymously.

What You Need To Do

For affected versions, we strongly recommend:
- Upgrading to the fixed versions of Confluence Server or Data Center. If unable to upgrade promptly, implement the mitigations.
- Engaging your security team and checking for indicators of compromise (refer to the Threat Detection section below).

Fixed Versions

Atlassian recommends that you upgrade each of your affected installations to one of the fixed versions listed below (or any later version).

Product                                       Fixed Versions
Confluence Data Center and Confluence Server  8.3.3 or later
                                              8.4.3 or later
                                              8.5.2 (Long Term Support release) or later

For a full description of the latest versions of Confluence Data Center and Confluence Server, see the release notes. You can download the latest version from the download center.
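Added example, not part of the Atlassian advisory or of this CERT-Renater note: a small Python triage script for the indicators of compromise that the Threat detection section below lists (requests to /setup/*.action in access logs, /setup/setupadministrator.action in an exception in atlassian-confluence-security.log, unexpected confluence-administrators members). The log lines, the group listing and the baseline of known administrators are constructed sample data; the Tomcat access-log layout and the security-log line style are assumptions.

```python
import re

# Constructed sample input (not real data). Access-log lines follow the common
# Tomcat access-log pattern; security-log lines only imitate the general style.
ACCESS_LOG = """\
198.51.100.7 - - [03/Oct/2023:12:00:11 +0000] "GET /pages/viewpage.action?pageId=42 HTTP/1.1" 200 8192
203.0.113.10 - - [03/Oct/2023:12:01:03 +0000] "GET /setup/setupadministrator.action HTTP/1.1" 200 2048
203.0.113.10 - - [03/Oct/2023:12:01:09 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0
"""
SECURITY_LOG = """\
2023-10-03 12:00:11,004 INFO  [http-nio-8090-exec-1] user jdoe logged in
2023-10-03 12:01:09,117 ERROR [http-nio-8090-exec-3] exception while handling /setup/setupadministrator.action
"""
BASELINE_ADMINS = {"admin", "jdoe"}                # assumed known-good group membership
CURRENT_ADMINS = ["admin", "jdoe", "support_tmp"]  # assumed current group listing

ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')
# /setup/<anything>.action, optionally under a context path such as /confluence
SETUP_ACTION_RE = re.compile(r'^(?:/[^/]+)?/setup/[^/?]+\.action$')

def setup_action_requests(access_log):
    """(ip, timestamp, method, path) for every request to /setup/*.action."""
    hits = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than fail
        path = m.group("path").split("?", 1)[0]  # drop the query string before matching
        if SETUP_ACTION_RE.match(path):
            hits.append((m.group("ip"), m.group("ts"), m.group("method"), path))
    return hits

def security_log_setupadmin_hits(security_log):
    """Security-log lines that mention /setup/setupadministrator.action."""
    return [l for l in security_log.splitlines() if "/setup/setupadministrator.action" in l]

def unexpected_admins(current_members, baseline):
    """Members of confluence-administrators that are not in the known-good baseline."""
    return sorted(set(current_members) - set(baseline))

def run_checks(access_log=ACCESS_LOG, security_log=SECURITY_LOG,
               current_admins=CURRENT_ADMINS, baseline=BASELINE_ADMINS):
    """Run the three checks and return their findings keyed by check name."""
    return {
        "setup_requests": setup_action_requests(access_log),
        "security_log_hits": security_log_setupadmin_hits(security_log),
        "unexpected_admins": unexpected_admins(current_admins, baseline),
    }
```

On the constructed sample, run_checks() reports the two /setup/setupadministrator.action requests from 203.0.113.10, the one security-log exception line, and support_tmp as an administrator absent from the baseline; any non-empty finding warrants the incident handling the advisory recommends.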
Mitigation

If you are unable to upgrade Confluence, as an interim measure we recommend restricting external network access to the affected instance.

Additionally, you can mitigate known attack vectors for this vulnerability by blocking access to the /setup/* endpoints on Confluence instances. This is possible at the network layer or by making the following changes to the Confluence configuration files.

On each node, modify <confluence-install>/confluence/WEB-INF/web.xml and add the following block (just before the closing </web-app> tag at the end of the file):

    <security-constraint>
        <web-resource-collection>
            <url-pattern>/setup/*</url-pattern>
            <http-method-omission>*</http-method-omission>
        </web-resource-collection>
        <auth-constraint />
    </security-constraint>

Restart Confluence. This action will block access to setup pages that are not required for typical Confluence usage; for further details see the FAQ page below.

Threat detection

As well as upgrading to a fixed version, we recommend you check all affected Confluence instances for the following indicators of compromise:
- unexpected members of the confluence-administrators group
- unexpected newly created user accounts
- requests to /setup/*.action in network access logs
- presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory

Further details on how to do the above are available in the FAQ.

Frequently Asked Questions (FAQ)

More details can be found at the Frequently Asked Questions (FAQ) page.

Support

If you did not receive an email for this advisory, and you wish to receive such emails in the future, go to https://my.atlassian.com/email and subscribe to Alerts emails.

If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.

References

Security Bug Fix Policy
As per our new policy, critical security bug fixes will be back-ported. We will release new maintenance releases for the versions covered by the policy instead of binary patches. Binary patches are no longer released.

Severity Levels for Security Issues
Atlassian security advisories include a severity level and a CVE identifier.
This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org.

End of Life Policy
Our end of life policy varies for different products. Please refer to our EOL Policy for details.

Last modified on Oct 5, 2023

=========================================================
+ CERT-RENATER      | tel   : 01-53-94-20-44           +
+ 23/25 Rue Daviel  | fax   : 01-53-94-20-41           +
+ 75013 Paris       | email : cert@support.renater.fr  +
=========================================================