Critical Zero-Day Atlassian Bug: What CISOs Must Know

On Oct. 4, software company Atlassian disclosed a critical zero-day vulnerability (CVE-2023-22515) impacting the Confluence Data Center and Server products. The critical privilege-escalation vulnerability has been exploited in the wild, giving attackers the ability to create administrator accounts and access Confluence instances.

The company released a critical security advisory urging impacted users to upgrade their instances and to conduct thorough threat detection. What should CISOs and other IT leaders think about following the disclosure of this vulnerability?

The Vulnerability

CVE-2023-22515 impacts 21 versions of the Confluence Data Center and Confluence Server products, beginning with 8.0.0 and ending with 8.5.1, according to the security advisory. The bug affects on-premises instances; it does not affect Atlassian’s cloud sites.

Atlassian gave the vulnerability a Critical CVSS 10 rating. “This signifies that malicious actors can exploit the vulnerability with relative ease, potentially causing substantial harm,” Or Aspir, head of research at cloud and SaaS incident response company Mitiga, tells InformationWeek via email. “In the specific context of this vulnerability, attackers who gain network access to Atlassian products can swiftly elevate their privileges to an administrative level.”

Related:4 of the Biggest Vulnerabilities Talked About During Black Hat 2023

Administrative privileges can enable bad actors to execute various malicious activities, including data exfiltration and system compromise.

The Investigation

A few customers first alerted Atlassian to the possibility of the previously unknown vulnerability being exploited, according to the security advisory.

“Our priority is the security of our customers' instances, and we are collaborating with industry-leading threat intelligence partners, such as Microsoft, to obtain additional information that may assist customers with responding to the vulnerability,” an Atlassian spokesperson shares in an emailed statement.

Microsoft Threat Intelligence identified a nation state threat actor (Storm-0062) exploiting this vulnerability in the wild since Sept. 14, according to an update on X (formerly Twitter). Microsoft noted that this threat actor is also tracked as DarkShadow and Oro0lxy. Storm-0062 is a name for Chinese state hackers who have a history of state-sponsored hacking activity.

Atlassian notes in its security advisory that it is continuing to work with its partners and customers to investigate.

The Remediation

Customers who have Confluence Data Center and Server instances exposed to the public internet are urged to upgrade to a fixed version, per Atlassian’s security advisory. But completing the upgrade does not completely address this vulnerability. The upgrade will not remove the compromise if instances have already been affected.

Related:Critical Zero-Day Bug in Atlassian Confluence Under Active Exploit

Customers potentially impacted by this vulnerability are also advised to conduct threat detection to confirm if any instances have been compromised.

“If I'm in an Atlassian environment, I've patched my server because I potentially am affected. The next thing I'm going to do is I'm going to review my logs to see [if there have] been any administrator users that have either been created or maybe promoted from a regular end user within that environment to that administrative level,” says Ben Smith, field CTO of cybersecurity company NetWitness.

Atlassian outlines specific indicators of compromise (IOCs). “Particular areas of interest include: suspicious members in the ‘confluence-administrators’ group, newly created user accounts, network access logs with ‘/setup/*.action’ requests and error logs including ‘/setup/setupadministrator.action.’ These steps will help security teams identify and respond to any potential compromises effectively,” Aspir explains.

If a customer discovered compromised instances, Atlassian recommends they work with their security team to determine the scope of the breach and identify recovery methods. Atlassian Support will work with the customer to recover and protect the instances.

Related:Is Your Organization Vulnerable to Shadow AI?

The Important Takeaways

Collaboration tools are an essential part of doing business for many enterprises. This zero-day bug reminds all CISOs and IT leaders, whether their companies use Confluence or not, that these tools are an important part of risk management. “Collaboration solutions tend to be very attractive targets for adversaries today,” says Smith.

More zero-day vulnerabilities, discovered in collaboration tools and other products, will continue to require patching and remediation. The Zero-Day.cz tracking project found a total of 52 zero-day vulnerabilities in 2022. In 2023, that number is up to 78.

Safi Raza, director of cybersecurity at Fusion Risk Management, a risk management software company, emphasizes the importance of evaluating enterprise patching programs. “The problem is many organizations are very slow to react,” he says. “A CISO needs to understand the severity of these alerts…when they do get announced, and [when] the patches become available, you must patch as soon as possible.”

Maintaining an accurate and well-structured asset inventory can help organizations to quickly identify what products and versions are in use in the event of an announced vulnerability, according to Aspir. “This inventory is pivotal in the early detection of products susceptible to known exploits,” he says.

Network visibility is also crucial when thinking about vulnerabilities like this one. “It's that network visibility that shows you unusual, unexpected, maybe malicious behaviors,” says Smith.

With more zero-day vulnerabilities inevitably coming to light in the future, Raza recommends that organizations make them a part of their regular tabletop exercises. While security teams cannot predict exactly what the next zero-day bug will be, they can run through various scenarios to improve their response. How will an organization respond when a novel vulnerability comes to light? How will it test and apply the resultant patch? “What action [will] your organization have to take to … contain the breach or the vulnerability?” Raza asks.

Mass exploitation of this vulnerability is possible. “The vendor was the one that had the bug. The vendor has resolved the bug, but what we're all concerned about here in the industry is what's the impact to those downstream customers,” says Smith.