THREAT ALERT

Critical Severity Authentication Vulnerability: CVE-2023-22518

Thursday, November 2nd, 2023


A vulnerability has recently been discovered in Confluence Server and Data Center and is being tracked as CVE-2023-22518. At the time of this writing, this vulnerability is NOT known to have been exploited; however, Atlassian is recommending that those impacted take immediate action. The information below was taken directly from the Atlassian FAQ page for CVE-2023-22518, which was last updated on November 1, 2023.

Is my Confluence instance affected?

  • All versions of Confluence Data Center and Server are affected by this unexploited vulnerability.
  • There is no impact to confidentiality as an attacker cannot exfiltrate any instance data.
  • Atlassian strongly recommends patching vulnerable installations to one of the listed fixed versions (or any later version) below:
  • Product: Confluence Data Center and Confluence Server
    • Fixed Version:
      • 7.19.16 or later
      • 8.3.4 or later
      • 8.4.4 or later
      • 8.5.3 or later
      • 8.6.1 or later (Data Center only)

** Confluence 8.6.0 is a Data Center only release and doesn’t support Server licenses. If you upgrade to version 8.6 or later, please ensure you have a valid Data Center license.
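An added example, not part of the original alert or of Atlassian's guidance: a small triage script that applies the fixed-version list above to an inventory of instances. It assumes "or later" is read per release line (so 8.1.x, which has no listed fix, must move to a fixed line), and the host names, function names and inventory are constructed for illustration.

```python
import re

# Release line -> first fixed patch level, copied from the advisory list above.
FIXED = {(7, 19): 16, (8, 3): 4, (8, 4): 4, (8, 5): 3, (8, 6): 1}
DC_ONLY_FROM = (8, 6)  # 8.6 and later need a Data Center license


def parse_version(text):
    """Parse a strict 'major.minor.patch' string; reject anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def triage(version, data_center=False):
    """Return (status, target); status is 'fixed', 'patch' or 'change-line'."""
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line > max(FIXED):
        return ("fixed", None)  # "or any later version"
    if line in FIXED:
        if patch >= FIXED[line]:
            return ("fixed", None)
        return ("patch", f"{major}.{minor}.{FIXED[line]}")
    # Assumption: a line with no listed fix (e.g. 8.1.x) never received one,
    # so the nearest fixed line the license allows is the target.
    usable = [l for l in sorted(FIXED)
              if l > line and (data_center or l < DC_ONLY_FROM)]
    nxt = usable[0]
    return ("change-line", f"{nxt[0]}.{nxt[1]}.{FIXED[nxt]}")


# Constructed inventory: (host, version, has Data Center license).
INVENTORY = [
    ("wiki-prod", "8.5.2", True),
    ("wiki-dr", "8.5.3", True),
    ("wiki-legacy", "7.13.20", False),
    ("wiki-team", "8.1.4", False),
    ("wiki-lab", "8.7.1", True),
]


def triage_inventory(inventory):
    """Map each host to its (status, target) result."""
    return {host: triage(ver, dc) for host, ver, dc in inventory}


if __name__ == "__main__":
    for host, result in triage_inventory(INVENTORY).items():
        print(host, *result)
```

Version strings with suffixes (for example a release-candidate tag) are rejected rather than guessed at, so they surface for manual review.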

Are Cloud instances affected?

  • Atlassian Cloud sites are not impacted by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and not vulnerable to this issue.

My instance isn’t exposed to the Internet. Is a patch still recommended?

  • Yes. Instances that are not exposed to the public internet will have a reduced attack surface, but we strongly recommend applying the relevant patch.

My instance is NOT connected to the internet; what should I do? Am I safe?

  • If the Confluence instance cannot be accessed from the general internet, the risk of an exploit/attack is reduced.
  • Due to the critical nature of this vulnerability and the variety of ways in which instances can be accessed, please work with the local network/security team(s) to determine if immediate action is necessary. Out of an abundance of caution, the recommendation to apply the patched version of Confluence, as listed on the Confluence Security Advisory page for CVE-2023-22518, still applies.

Does patching to a fixed version completely solve the issue?

  • Yes. Confluence versions that contain the fix for this vulnerability are no longer affected by this vulnerability.

I am running an affected version of Confluence. How can I mitigate the threat until I patch it?

  • Customers who are unable to immediately patch their Confluence Data Center and Server instances should back up their instances. Instances accessible over the public internet, including those with user authentication, should be restricted from external network access until they have been patched.
  • For guidance on backing up Confluence, please refer to the following pages:
    • https[:]//confluence[.]Atlassian[.]com/doc/production-backup-strategy-38797389[.]html

Are other Atlassian products affected by this vulnerability?

  • No, they are not affected by CVE-2023-22518. No action is required for other products.

Last modified on Nov 1, 2023

DefenseStorm Recommendations:

If you are impacted, regularly check the Atlassian FAQ for CVE-2023-22518 page to stay up to date on the latest patching instructions and guidance.

References:

[https[:]//confluence.atlassian[.]com/kb/faq-for-cve-2023-22518-1311474094[.]html]

James Bruhl

Director of Cyber Threat Intelligence

James Bruhl is the Director of Cyber Threat Intelligence for DefenseStorm. He joined the company with 15 years of experience as a law enforcement officer, bringing extensive experience in crime prevention, evidence collection, investigative techniques, and crisis management. Driven by a passion for technological advancements and the ever-evolving landscape of digital threats, he transitioned to the field of digital forensics, incident response, and cybersecurity. In his role, he honed his skills in analyzing digital evidence, identifying cyber threats, and implementing robust security measures specializing in forensic examinations on various devices to uncover critical information and support investigations. James began at DefenseStorm as a security engineer in 2020 and developed DefenseStorm’s EDR Service. He was then appointed as Director of Cyber Threat Intelligence in 2022 and is responsible for nearly all facets of the EDR service. During his cyber career, James has been instrumental in proactively detecting and responding to cyber incidents and plays a vital role in incident response teams, coordination efforts to mitigate the impact of breaches, vulnerability identification, and strategy implementation to prevent future attacks. He continues to share his expertise by conducting training sessions, participating in conferences, and writing articles on topics related to digital forensics, incident response, and cybersecurity. James holds a bachelor’s in criminal justice from the University of North Georgia and a GCFE certification.