The BSI – Federal Office for Information Security – warns of a critical CVSS 10.0 vulnerability in Atlassian Confluence Data Center and servers. Companies should apply security patches immediately, otherwise attackers could create administrator accounts.
Atlassian itself had issued an advisory about the critical vulnerability with CVSS value 10.0 (CVE-2023-22515), but the BSI has now also issued a warning about a 10.0 vulnerability. Companies should urgently patch Confluence Data Center and servers because the gap should make it possible to create admin accounts. It is not entirely clear whether and to what extent the security gap has already been exploited. According to the manufacturer Atlassian, the vulnerability may have already been actively exploited by some customers.
Be sure to check the version number
The affected versions above 8 are not all affected. Therefore, admins should check the version number first. According to the BSI, these versions are affected: 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.1.0, 8.1.1, 8.1.3, 8.1.4, 8.2.0, 8.2.1 , 8.2.2, 8.2.3, 8.3.0, 8.3.1, 8.3.2, 8.4.0, 8.4.1, 8.4.2, 8.5.0, 8.5.1. The following versions of Confluence Data Center and Confluence Server fix the vulnerability (CVE-2023-22515): 8.3.3 or higher, • 8.4.3 or higher, 8.5.2 or higher.
Important to know: Versions below patch level 8.0.0 are not affected by this vulnerability, nor are instances hosted on Atlassian Cloud (recognizable by atlassian.net in the domain).
Quick update needed
Atlassian already has a suitable update available for the affected 8.x versions. Companies should urgently follow the update recommendation as the vulnerability has a maximum CVSS score of 10.0. The BSI recommends: If it is not possible to update to one of the listed versions, the following mitigation measures should be taken:
- In the meantime, restrict external network access to the instance
- Additionally, block access to Confluence's /setup/* endpoints that are used to exploit the
vulnerability are necessary. The BSI provides instructions on this in its information PDF.
About the Federal Office for Information Security (BSI) The Federal Office for Information Security (BSI) is the federal cyber security authority and the creator of secure digitization in Germany. The guiding principle: As the federal cyber security authority, the BSI designs information security in digitization through prevention, detection and reaction for the state, economy and society.