Critical Atlassian Bug Exploit Now Available; Immediate Patching Needed

Proof of concept (PoC) exploit code for a critical vulnerability that Atlassian disclosed in its Confluence Data Center and Server technology has become publicly available, heightening the need for organizations using the collaboration platform to immediately apply the company's fix for it.

ShadowServer, which monitors the Internet for malicious activity, on Nov. 3 reported that it observed attempts to exploit the Atlassian vulnerability from at least 36 unique IP addresses over the last 24 hours.

Atlassian disclosed the near maximum severity bug (9.1 out of 10 on the CVSS scale) on Oct. 31 with a warning from its CISO about the vulnerability presenting a risk of "significant data loss" if exploited.

Vulnerability Information Publicly Available

The bug, assigned the identifier CVE-2023-22518, affects customers of all versions of Atlassian Data Center and Atlassian Server but not those using the company's cloud hosted versions of these technologies. Atlassian's description of the bug identified it as an issue that involves low attack complexity, no user interaction and something that an attacker would be able to exploit with little to no special privileges.

The vulnerability has to do with improper authorization, which basically is a weakness that allows an attacker to gain access to privileged functionality and data in an application. In this case, an attacker who exploits the vulnerability would be able to delete data on a Confluence instance or block access to it. But they would not be able to exfiltrate data from it, according to an analysis by security intelligence firm Field Effect.

On Nov. 2, Atlassian updated its vulnerability alert from Oct. 31 with a warning about technical details of CVE-2023-22518 becoming publicly available. The information increases the risk of attackers exploiting the vulnerability, Atlassian said. "There are still no reports of an active exploit, though customers must take immediate action to protect their instances," the company said. The advice echoed Atlassian's recommendation when it first disclosed the bug earlier this week. The company has recommended that organizations which cannot immediately patch should remove their Confluence instances from the Internet until they can patch.

Large Number of Exposed Systems

ShadowServer described the increasing exploit activity as involving attempts to upload files and set up or to restore vulnerable Internet accessible Confluence instances.

"We see around 24K exposed (not necessarily vulnerable)," Atlassian Confluence instances ShadowServer said. A plurality of the exposed systems — some 5,500 — are located in the United States. Other countries with a relatively high number of exposed Atlassian Confluence systems include China with some 3,000 systems, German with 2,000, and Japan with around 1,400 exposed instances.

CVE-2023-22518 is the second major vulnerability that Atlassian has disclosed in its widely used Confluence Data Center and Confluence Server collaboration technologies over the past month. On October 4, the company disclosed CVE-2023-22515, a maximum severity, broken access control bug. Atlassian only discovered the bug after some customers with public facing Confluence Data Center and Server instances reported encountering problems with it. Atlassian later identified the attacker as a nation-state actor.

As with the new bug, CVE-2023-22515 also involved low attack complexity. Worries of the ease with which it could be exploited prompted a joint advisory from the US Cybersecurity and Infrastructure Agency, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC). The advisory warned organizations to be prepared for widespread exploit activity and urged them to patch the flaw as soon as possible.