CI Operators:
Atlassian has announced a privilege escalation vulnerability in Confluence Data Center and Server version 8.x [1]. The vulnerability has a CVSSv3 score of 8.5 and is tracked as CVE-2023-22513 [2].
Impact:
Attackers are exploiting a previously unknown vulnerability in Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and gain access to Confluence instances. This is a zero-day vulnerability active in the wild.
Affected Software:
Confluence Data Center and Confluence Server:
Note that Atlassian Cloud sites are not affected by this vulnerability.
Recommendation:
Upgrade your instance [3] as soon as possible. Until then, it is recommended to restrict external network access to your Confluence instance. Additionally, you can mitigate attacks by blocking access to the "/setup/*" endpoints on your Confluence instances by modifying "/<confluence-install-dir>/confluence/WEB-INF/web.xml" on each node and adding the following block just before the "</web-app>" tag at the end of the file:
    <security-constraint>
        <web-resource-collection>
            <url-pattern>/setup/*</url-pattern>
            <http-method-omission>*</http-method-omission>
        </web-resource-collection>
        <auth-constraint />
    </security-constraint>
After changing the web.xml files, restart Confluence.
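As an added example (not part of Atlassian's advisory or this Trusted CI notice), the following Python script checks whether a Confluence web.xml already carries the /setup/* security-constraint shown above and inserts that exact block before the closing </web-app> tag when it is missing. The web.xml path, the embedded sample web.xml and the ".bak" backup suffix are assumptions for illustration; the constraint block itself is the one from the recommendation. A constraint that names roles in its auth-constraint is deliberately not counted as a block, because only an empty <auth-constraint /> denies all access.

```python
"""Check for, and apply, the /setup/* security-constraint mitigation in a Confluence web.xml."""
import sys
import shutil
import xml.etree.ElementTree as ET

SETUP_PATTERN = "/setup/*"

# The block recommended in the advisory, indented to match a typical web.xml.
CONSTRAINT_BLOCK = """    <security-constraint>
        <web-resource-collection>
            <url-pattern>/setup/*</url-pattern>
            <http-method-omission>*</http-method-omission>
        </web-resource-collection>
        <auth-constraint />
    </security-constraint>
"""

# Constructed sample web.xml (assumption: Confluence's real file is far larger).
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
    <display-name>Confluence (constructed sample)</display-name>
    <servlet>
        <servlet-name>example</servlet-name>
        <servlet-class>com.example.ExampleServlet</servlet-class>
    </servlet>
</web-app>
"""


def _local(tag):
    """Strip an XML namespace prefix such as '{http://...}url-pattern'."""
    return tag.rsplit("}", 1)[-1]


def setup_is_blocked(web_xml_text):
    """True if some security-constraint covers /setup/* with an empty auth-constraint."""
    root = ET.fromstring(web_xml_text.encode("utf-8"))
    for constraint in root.iter():
        if _local(constraint.tag) != "security-constraint":
            continue
        patterns = [
            (e.text or "").strip()
            for e in constraint.iter()
            if _local(e.tag) == "url-pattern"
        ]
        if SETUP_PATTERN not in patterns:
            continue
        for child in constraint:
            if _local(child.tag) != "auth-constraint":
                continue
            # An auth-constraint listing role-names grants access to those roles;
            # only an empty auth-constraint denies everyone.
            has_roles = any(_local(g.tag) == "role-name" for g in child)
            if not has_roles:
                return True
    return False


def apply_mitigation(web_xml_text):
    """Return web.xml text with the constraint inserted before the final </web-app>."""
    if setup_is_blocked(web_xml_text):
        return web_xml_text  # already mitigated; do not add a duplicate block
    idx = web_xml_text.rfind("</web-app>")
    if idx == -1:
        raise ValueError("no </web-app> closing tag found; refusing to modify")
    return web_xml_text[:idx] + CONSTRAINT_BLOCK + web_xml_text[idx:]


def mitigate_file(path):
    """Back up path to path + '.bak' (assumed suffix) and write the mitigated file."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    patched = apply_mitigation(original)
    if patched == original:
        return False
    shutil.copyfile(path, path + ".bak")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(patched)
    return True


if __name__ == "__main__":
    if len(sys.argv) == 2:
        changed = mitigate_file(sys.argv[1])
        print("web.xml updated; restart Confluence" if changed else "already mitigated")
    else:
        print("sample blocked before:", setup_is_blocked(SAMPLE_WEB_XML))
        print("sample blocked after: ", setup_is_blocked(apply_mitigation(SAMPLE_WEB_XML)))
```

Run it with the path to each node's web.xml (for example `<confluence-install-dir>/confluence/WEB-INF/web.xml`) to apply the block, or with no arguments to see it operate on the embedded sample; Confluence must still be restarted afterwards, and the script is idempotent so re-running it on an already-mitigated file makes no change.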
References:
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22513
[3] https://confluence.atlassian.com/doc/upgrading-confluence-4578.html
How Trusted CI can help:
The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (https://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.