Security operations · 1 MIN READ · AARON WALTON · OCT 4, 2023 · TAGS: Alert
What happened?
A vulnerability in Confluence Data Center and Server, CVE-2023-22515, allows attackers to create administrative accounts on external-facing Confluence servers. Atlassian reports that attackers are exploiting the vulnerability, and the company has published a patch to remediate.
Note that this vulnerability only affects Confluence Data Center and Server versions between 8.0 and 8.5.1. Expel has not been affected.
Why does it matter?
Attackers are already exploiting this vulnerability and it’s unclear how long they have known about it (and using it). As such, Atlassian currently rates the severity level of this vulnerability as critical.
What are we doing for our customers?
Expel’s Detection and Response team, which includes both managed detection and response (MDR) detections and threat hunting, is examining this threat to see what detection and threat hunting logic [e.g., behavioral or indicators of compromise (IOC) hunt] we can apply to detect this activity with acceptable fidelity.
What should you do right now?
We recommend implementing the applicable patches and updates when appropriate and able.
- Upgrade your Confluence instance if you’re using Confluence Data Center or Server between version 8.0 and 8.5.1.
- Review for IOCs, such as unexpected members of the confluence-administrator group or other newly created user accounts.
Strategically, we recommend using vulnerability management scanners to identify and remediate this vulnerability.
What next?
We’ll update this post with any big developments, but keep an eye on our socials (@ExpelSecurity) for additional recommendations as they emerge.
