On October 4, 2023, Atlassian disclosed an advisory for CVE-2023-22515, a broken access control vulnerability that allows an unauthenticated user to create Confluence administrator accounts.
Key points and observations:
- October 4, 2023: Advisory is publicly disclosed by Atlassian.
- October 5, 2023: CISA adds CVE-2023-22515 to Known Exploited Vulnerabilities Catalog.
- October 5, 2023: A security researcher was able to exploit the vulnerability.
- October 10, 2023: Rapid7 publishes a detailed article on the vulnerability and how it can be exploited
- October 11, 2023: Microsoft Threat Intelligence reports that they have witnessed nation-state actors exploiting the vulnerability since at least September 14, 2023, along with early indicators of compromise.
This vulnerability is trivial to exploit and affects a wide range of Atlassian Confluence Server versions.
Check if your system is vulnerable
The following versions of Confluence Data Center and Confluence are impacted by CVE-2023-22515. If you are running one of these versions, your system is vulnerable.
- 8.0.0 - 8.0.4 (included)
- 8.1.0 - 8.1.4 (included)
- 8.2.0 - 8.2.3 (included)
- 8.3.0 - 8.3.2 (included)
- 8.4.0 - 8.4.3 (included)
- 8.5.0 - 8.5.1 (included)
According to Atlassian, versions prior to 8.0.0 are not vulnerable, and neither are Atlassian Cloud Sites.
Remediate affected systems
To remediate a vulnerable Confluence Data Center or Server instance, make sure to upgrade it to one of the following versions:
- 8.3.3 or later
- 8.4.3 or later
- 8.5.2 (LTS) or later
Considering this vulnerability is—at the time of writing—under active exploitation, we recommend patching as soon as possible, especially for internet-facing instances.
How the CVE-2023-22215 vulnerability works
Without going into too much detail (a post from Rapid7 explains all the details), the vulnerability relies on the fact that it is possible to re-enable the setup process without being authenticated, then to give access to setup endpoints so that an attacker can create new administrator users.
To ease reproduction for security teams, we have put together a Docker lab environment with a vulnerable Confluence instance and step-by-step instructions on how to exploit the vulnerability.
Activity in the wild
Starting from October 5th, we have witnessed extensive exploitation of this vulnerability in the wild, from a number of different source IP addresses, in a large number of environments we monitor.
We used our modular honeypot framework, HASH, to deploy Confluence honeypots. Based on this, we were able to identify that attackers have been attempting to create the following malicious Confluence users:
| User name | Full name |
|---|---|
| Atlassian_SU | Atlassian_SU |
| pleasepatch | pleasepatch |
| kh4sh3i | kh4sh3i |
| YourNewAdminLogin | YourNewAdminLogin |
| s9wixhxfox | admin |
In addition, we have seen scanning or exploitation activity from a number of IP addresses. We only report IP addresses we have a high confidence for, and that we have seen in at least 5 distinct environments or directly exploiting our honeypots.
136.244.104.119
139.144.177.101
142.93.108.209
142.93.65.171
143.198.237.138
146.190.134.234
146.190.60.175
161.35.140.213
161.97.175.233
161.97.83.47
162.240.152.212
162.240.154.218
163.172.184.43
163.172.186.96
195.80.148.18
207.180.202.75
212.102.41.41
212.47.247.49
27.149.92.221
38.73.238.197
38.54.30.237
45.33.13.129
51.158.112.167
85.214.226.11
85.239.241.172
89.116.24.223
We have also observed activity from the following HTTP user agents:
https://github.com/Chocapikk/CVE-2023-22515
Nuclei - Open-source project (github.com/projectdiscovery/nuclei)
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 Assetnote/1.0.0
Detection opportunities
You can identify exploitation attempts by detecting the following HTTP requests:
GET /server-info.action, with one of the URL parameters below:
bootstrapStatusProvider.applicationConfig.setupComplete=false
bootstrapStatusProvider.applicationConfig.setupComplete=0
POST /setup/setupadministrator.actionPOST /setup/finishsetup.action(optionally - not required to exploit the vulnerability)
Upon successful exploitation of this vulnerability, an administrator user is created. You can therefore review administrator users and identify any newly created or suspicious admin user.
In the example below, we can see a malicious user that was created through the exploitation of the vulnerability:
How Datadog can help
When using a Datadog integration to send HTTP server logs (such as nginx or HAProxy), you can use the following query to identify potential probing or exploitation of this vulnerability:
@http.url_details.path:("server-info.action" OR "/setup/setupadministrator.action")
Although Datadog Application Performance Monitoring (APM) is not usually installed on Confluence servers, you can use it to identify scanning activity on unrelated services, using the following query:
@http.url_details.path:/server-info.action @http.url_details.queryString.bootstrapStatusProvider.applicationConfig.setupComplete:(0 OR false)
Conclusion
CVE-2023-22515 presents a significant security risk, as it allows unauthenticated users to create administrator accounts in vulnerable versions of Atlassian Confluence Server. At the time of writing, this vulnerability is under active exploitation and affects a wide range of Confluence Server versions. As such, we recommend upgrading to non-vulnerable versions of Confluence Data Center and Confluence Server as soon as possible.
We hope that the details provided in this blog post, the list of potentially malicious IP addresses, and the lab environment to reproduce the vulnerability will help security practitioners better understand, detect, and mitigate this threat.
