Last updated at Fri, 06 Oct 2023 14:42:46 GMT

On October 4, 2023, Atlassian published a security advisory for CVE-2023-22515, a critical vulnerability affecting on-premises instances of Confluence Server and Confluence Data Center. CVE-2023-22515 was originally announced as a privilege escalation vulnerability, but was later changed to a broken access control flaw. Atlassian does not further specify the root cause of the vulnerability or where exactly the flaw resides in Confluence implementations, though the indicators of compromise include mention of the /setup/* endpoints.

The advisory indicates that “Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances.”

When we originally published this blog, we said it was unusual, though not unprecedented, for a privilege escalation vulnerability to carry a critical severity rating. Atlassian’s advisory implies that the vulnerability is remotely exploitable, which is typically more consistent with an authentication bypass or remote code execution chain than a privilege escalation issue by itself. It’s possible that the vulnerability could allow a regular user account to elevate to admin — Confluence allows for new user sign-ups with no approval, but this feature is disabled by default.

Update: Rapid7’s research team has identified and triggered the vulnerability, which is fully unauthenticated and trivially exploitable. For whatever reason, we did not observe the same exception message that Atlassian mentioned in their FAQ. Based on our analysis, it is likely that there are other avenues of attack in addition to the creation of a new admin user. Notably, our team leveraged the /server-info.action endpoint, which Atlassian did not mention in their IOCs.

Since CVE-2023-22515 has been exploited in user environments, Atlassian recommends that on-premises Confluence Server and Data Center customers update to a fixed version immediately, or implement mitigations. The advisory notes that “Instances on the public internet are particularly at risk, as this vulnerability is exploitable anonymously.” Indicators of compromise are included in the advisory and are reproduced in the Mitigation guidance section below.

Affected products

The following versions of Confluence Server and Data Center are affected:

  • 8.0.0
  • 8.0.1
  • 8.0.2
  • 8.0.3
  • 8.0.4
  • 8.1.0
  • 8.1.1
  • 8.1.3
  • 8.1.4
  • 8.2.0
  • 8.2.1
  • 8.2.2
  • 8.2.3
  • 8.3.0
  • 8.3.1
  • 8.3.2
  • 8.4.0
  • 8.4.1
  • 8.4.2
  • 8.5.0
  • 8.5.1

Versions prior to 8.0.0 are not affected by this vulnerability. Atlassian Cloud sites are not affected by this vulnerability. Confluence sites accessed via an atlassian.net domain are hosted by Atlassian and are not vulnerable to this issue.

Fixed versions:

  • 8.3.3 or later
  • 8.4.3 or later
  • 8.5.2 (Long Term Support release) or later

For more information, see the Atlassian advisory and release notes.
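Because the affected list above is an explicit set of releases rather than a clean range (8.1.2, for instance, is not listed), classifying a fleet inventory by hand is error-prone. The helper below is an added example, not code from Atlassian or Rapid7: it encodes exactly the affected and fixed versions reproduced above, reports whether a given version string is affected, fixed, pre-8.0.0, or simply not listed, and picks the upgrade target (the first fixed release on the same line, otherwise the 8.5.2 LTS release). The version strings in its demo are constructed.

```python
"""Triage a Confluence Server / Data Center version string against the affected and
fixed versions listed in the Atlassian advisory for CVE-2023-22515.  Added example;
the version strings in the demo are constructed."""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Exactly the affected releases listed in the advisory (note that 8.1.2 is not listed).
AFFECTED = {
    (8, 0, 0), (8, 0, 1), (8, 0, 2), (8, 0, 3), (8, 0, 4),
    (8, 1, 0), (8, 1, 1), (8, 1, 3), (8, 1, 4),
    (8, 2, 0), (8, 2, 1), (8, 2, 2), (8, 2, 3),
    (8, 3, 0), (8, 3, 1), (8, 3, 2),
    (8, 4, 0), (8, 4, 1), (8, 4, 2),
    (8, 5, 0), (8, 5, 1),
}

# First fixed release in each maintained line; 8.5.2 is the Long Term Support release.
FIXED = {(8, 3): (8, 3, 3), (8, 4): (8, 4, 3), (8, 5): (8, 5, 2)}
LTS_FIX: Version = (8, 5, 2)


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch'; a trailing build suffix such as '-build1' is ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Confluence version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def classify_version(text: str) -> str:
    """Return 'not affected', 'affected', 'fixed', or a 'not listed' verdict."""
    v = parse_version(text)
    if v < (8, 0, 0):
        return "not affected"  # the advisory states pre-8.0.0 releases are not affected
    if v in AFFECTED:
        return "affected"
    line_fix = FIXED.get(v[:2])
    if (line_fix is not None and v >= line_fix) or v >= LTS_FIX:
        return "fixed"  # at or above the first fixed release of its line, or 8.5.2+
    return "not listed in advisory; verify against Atlassian's current guidance"


def recommended_fix(text: str) -> Optional[str]:
    """Upgrade target for an affected version, or None when no upgrade is needed for this CVE."""
    if classify_version(text) != "affected":
        return None
    v = parse_version(text)
    target = FIXED.get(v[:2], LTS_FIX)  # stay on the same line if it has a fix, else go to LTS
    return ".".join(str(part) for part in target)


if __name__ == "__main__":
    for sample in ("7.19.14", "8.0.4", "8.1.2", "8.4.1", "8.5.1", "8.5.2", "8.6.0"):
        print(f"{sample:>8}: {classify_version(sample):<14} upgrade to: {recommended_fix(sample)}")
```

The "not listed" verdict is deliberate: a version that is neither on the affected list nor at or above a fixed release should be checked against Atlassian's current guidance rather than silently assumed safe.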

Mitigation guidance

On-prem Confluence Server and Confluence Data Center customers should upgrade to a fixed version immediately, restricting external network access to vulnerable systems until they are able to do so. The Atlassian advisory says that known attack vectors can be mitigated by blocking access to the /setup/* endpoints on Confluence instances. Instructions for doing so are in the advisory.

Atlassian recommends checking all affected Confluence instances for the following indicators of compromise:

  • Unexpected members of the confluence-administrator group
  • Unexpected newly created user accounts
  • Requests to /setup/*.action in network access logs
  • Presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory

As mentioned earlier, the Rapid7 team was able to identify and trigger the vulnerability. In doing so, we leveraged the /server-info.action endpoint, which Atlassian did not mention in their IOCs.
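The log-based indicators above lend themselves to a mechanical sweep. The script below is an added example (not Atlassian's or Rapid7's code) that scans a Confluence access log for requests to /setup/*.action and to /server-info.action, scans a security log excerpt for the /setup/setupadministrator.action string the advisory says to look for, and tallies hits per client address. Both log excerpts are constructed samples in a combined-log style; the real atlassian-confluence-security.log layout is not reproduced, only the path the advisory names. A configured instance should see no /setup/*.action requests at all once installation is complete, so any hit on a production system warrants review of administrator-group membership and recently created accounts.

```python
"""Scan Confluence access and security logs for the CVE-2023-22515 indicators of
compromise: requests to /setup/*.action (Atlassian's IOC), requests to
/server-info.action (the endpoint Rapid7 noted), and /setup/setupadministrator.action
appearing in an exception message in atlassian-confluence-security.log.
Added example; both log excerpts are constructed samples, not captured traffic."""
import re
from collections import Counter
from typing import Dict, List

# Constructed access-log sample in combined log format.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [04/Oct/2023:09:12:01 +0000] "GET /login.action HTTP/1.1" 200 5120
203.0.113.7 - - [04/Oct/2023:09:12:03 +0000] "GET /server-info.action HTTP/1.1" 302 0
203.0.113.7 - - [04/Oct/2023:09:12:05 +0000] "GET /setup/setupadministrator.action HTTP/1.1" 200 8870
203.0.113.7 - - [04/Oct/2023:09:12:09 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0
198.51.100.23 - - [04/Oct/2023:09:13:40 +0000] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 20481
198.51.100.23 - - [04/Oct/2023:09:13:41 +0000] "GET /rest/api/content?limit=25 HTTP/1.1" 200 3104
"""

# Constructed excerpt in the general style of atlassian-confluence-security.log; only the
# path the advisory says to look for is meaningful here, not the surrounding format.
SAMPLE_SECURITY_LOG = """\
2023-10-04 09:12:08,991 INFO [http-nio-8090-exec-3] login succeeded for user jdoe
2023-10-04 09:12:09,334 WARN [http-nio-8090-exec-5] exception while processing /setup/setupadministrator.action: setup already complete
2023-10-04 09:14:02,110 INFO [http-nio-8090-exec-2] login succeeded for user asmith
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Match the endpoint itself (allowing a context-path prefix), not unrelated paths that
# merely contain the word "setup"; the lookahead stops at a query string or end of path.
SETUP_ACTION_RE = re.compile(r'/setup/[^/?#\s]+\.action(?=[?#]|$)')
SERVER_INFO_RE = re.compile(r'/server-info\.action(?=[?#]|$)')
SECURITY_LOG_MARKER = "/setup/setupadministrator.action"


def scan_access_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per access-log request that hits an IOC endpoint."""
    findings: List[Dict[str, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ACCESS_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected access-log format
        path = m.group("path")
        if SETUP_ACTION_RE.search(path):
            reason = "request to /setup/*.action (Atlassian IOC)"
        elif SERVER_INFO_RE.search(path):
            reason = "request to /server-info.action (endpoint noted by Rapid7)"
        else:
            continue
        findings.append({
            "line": str(lineno), "ip": m.group("ip"), "time": m.group("ts"),
            "method": m.group("method"), "path": path,
            "status": m.group("status"), "reason": reason,
        })
    return findings


def scan_security_log(text: str) -> List[int]:
    """Return line numbers in the security log that mention the setup-administrator action."""
    return [n for n, line in enumerate(text.splitlines(), 1) if SECURITY_LOG_MARKER in line]


def sources_by_hits(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count IOC hits per client address so the noisiest source is reviewed first."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_ACCESS_LOG)
    for f in hits:
        print(f"line {f['line']}: {f['ip']} {f['method']} {f['path']} -> {f['status']}  [{f['reason']}]")
    print("hits per source:", sources_by_hits(hits))
    print("security log lines to review:", scan_security_log(SAMPLE_SECURITY_LOG))
```

Point the two scan functions at the real access log and at atlassian-confluence-security.log from the Confluence home directory; the /server-info.action check is kept separate from the /setup/*.action check so the two IOC sources can be reported and tuned independently.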

Rapid7 customers

InsightVM and Nexpose customers will be able to assess their exposure to CVE-2023-22515 with a remote version-based vulnerability check expected to be available in today’s (October 4) content release.

Updates

October 5, 2023: Updated to note that the Rapid7 team has identified and triggered the vulnerability, which is trivially exploitable. Our team leveraged the /server-info.action endpoint, which has been added to the IOCs above.

October 6, 2023: Updated to note that Atlassian has changed their description of the vulnerability from "privilege escalation" to "broken access control."