
Security alert for Atlassian: the escalation of a critical risk

Warning about the consequences of exploits on Atlassian: an urgent call to strengthen defenses

Warning: A serious vulnerability (CVE-2023-22518), rated at the maximum risk level, has been discovered in Atlassian Confluence Server and Data Center. An urgent update is recommended to prevent ransomware attacks.


Following a series of ransomware attacks targeting outdated Atlassian Confluence Data Center and Server installations, the risk rating of the known vulnerability has been raised. Its Common Vulnerability Scoring System (CVSS) score, originally estimated at 9.1, was increased to the maximum possible value of 10. Atlassian Confluence Cloud instances remain unaffected by this issue at this time.

Vulnerability details and severity

The security issue, tracked under the identifier CVE-2023-22518, was made worse by an expansion in the attack method, as reported in Atlassian's recent statement. The research organization Rapid7 also released a report signaling a resurgence of attacks, which began last weekend. Atlassian's business software is widely used for software development and collaboration.

Implications of the security flaw

The vulnerability in question would allow an unauthenticated attacker to reset the Confluence instance and create an administrator account. With that account, the attacker would be able to perform every operation available to an administrator of the Confluence instance. This would result in a complete breach of the confidentiality, integrity and availability of the systems involved.

Attack symptoms and safety recommendations

Atlassian cannot currently quantify the extent of the impact, but it reports several indicators of compromise: loss of access or of login credentials, suspicious requests to the /json/setup-restore* addresses in the network logs, installation of unrecognized plugins (among which "web.shell.Plugin" was reported), encrypted or corrupted data, unexpected additions to the Confluence administrators group, and creation of new unauthorized user accounts.
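One way to check access logs for the /json/setup-restore* indicator listed above, as an added example that is not Atlassian's or the article's own code. It assumes combined-log-style access lines; the function names, the sample log lines and the `.action` path suffix in them are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumed layout: combined-log-style lines (client, [timestamp], "request", status).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Indicator from the article: request paths under /json/setup-restore*
# (a context path such as /confluence may come before it).
IOC_RE = re.compile(r'/json/setup-restore', re.IGNORECASE)

def normalize_path(target):
    """Drop the query string, decode %XX, strip ;parameters, collapse '//'."""
    path = unquote(target.split('?', 1)[0]).split(';', 1)[0]
    return re.sub(r'/+', '/', path)

def find_setup_restore_hits(lines):
    """Return {client_ip: [(timestamp, method, path, status), ...]}."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # line does not fit the assumed layout
        path = normalize_path(m['target'])
        if IOC_RE.search(path):
            hits[m['ip']].append((m['ts'], m['method'], path, int(m['status'])))
    return dict(hits)

def clients_with_accepted_requests(hits):
    """Clients whose matching request was not rejected (status below 400): triage first."""
    return sorted(ip for ip, reqs in hits.items() if any(r[3] < 400 for r in reqs))

# Constructed sample lines (documentation IP ranges), not taken from a real incident.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Nov/2023:10:01:02 +0000] "GET /dashboard.action HTTP/1.1" 200 5120',
    '198.51.100.7 - - [05/Nov/2023:10:02:11 +0000] "POST /json/setup-restore.action HTTP/1.1" 200 312',
    '198.51.100.7 - - [05/Nov/2023:10:02:15 +0000] "GET /json/setup%2Drestore.action?x=1 HTTP/1.1" 200 98',
    '203.0.113.5 - - [05/Nov/2023:10:05:40 +0000] "POST /confluence//json/setup-restore.action;jsessionid=A1 HTTP/1.1" 403 0',
    '192.0.2.10 - - [05/Nov/2023:10:06:00 +0000] "GET /dosearchsite.action?q=/json/setup-restore HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    found = find_setup_restore_hits(SAMPLE_LOG)
    for ip, reqs in found.items():
        for ts, method, path, status in reqs:
            print(f"{ip} {ts} {method} {path} -> {status}")
    print("accepted:", clients_with_accepted_requests(found))
```

Only the request path is matched, so a search query that merely mentions the string is not flagged; any hit should be correlated with the other indicators, such as new administrator accounts or unknown plugins.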


11/07/2023 20:05

Editorial AI
