Australian software company Atlassian warned admins to immediately patch Internet-exposed Confluence instances against a critical security flaw that could lead to data loss following successful exploitation.
Described as an improper authorization vulnerability affecting all versions of Confluence Data Center and Confluence Server software, the bug is tracked as CVE-2023-22518 and puts publicly accessible instances at critical risk.
While threat actors could use the flaw to destroy data on affected servers, the bug doesn’t impact confidentiality as it can’t be exploited to exfiltrate instance data. Atlassian Cloud sites accessed via an atlassian.net domain are also unaffected by this vulnerability.
“As part of our continuous security assessment processes, we have discovered that Confluence Data Center and Server customers are vulnerable to significant data loss if exploited by an unauthenticated attacker,” said Bala Sathiamurthy, Atlassian’s Chief Information Security Officer (CISO).
“There are no reports of active exploitation at this time; however, customers must take immediate action to protect their instances.”
The company fixed the critical CVE-2023-22518 vulnerability in Confluence Data Center and Server versions 7.19.16, 8.3.4, 8.4.4, 8.5.3, and 8.6.1.
Atlassian warned admins to upgrade to a fixed version immediately and, if that isn’t possible, to apply mitigation measures, including backing up unpatched instances and blocking Internet access until they’re upgraded.
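For admins triaging a fleet against this advisory, the following is an added example (not code from Atlassian or this article): it checks each Confluence Data Center/Server version against the fixed releases named above and flags Internet-exposed vulnerable hosts for the interim mitigation. The inventory, hostnames and the assumption that releases newer than 8.6.1 also carry the fix are constructed for illustration.

```python
import re

# Fixed releases named in Atlassian's advisory, keyed by release line.
FIXED_BY_LINE = {
    (7, 19): (7, 19, 16),
    (8, 3): (8, 3, 4),
    (8, 4): (8, 4, 4),
    (8, 5): (8, 5, 3),
    (8, 6): (8, 6, 1),
}
LATEST_FIXED = (8, 6, 1)

def parse_version(text):
    """Parse 'major.minor.patch' into a comparable tuple of ints."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_fixed(version):
    """True if this version carries the CVE-2023-22518 fix. Assumption (not
    in the advisory): releases after 8.6.1 also carry it; release lines with
    no listed fix (e.g. 8.0-8.2) are treated as vulnerable."""
    v = parse_version(version)
    if v >= LATEST_FIXED:
        return True
    fixed = FIXED_BY_LINE.get(v[:2])
    return fixed is not None and v >= fixed

def triage(inventory):
    """(host, action) pairs, most urgent first; Internet-exposed vulnerable
    hosts also get the advisory's interim mitigation."""
    rank = {"restrict_external_access_and_upgrade": 0, "upgrade": 1, "ok": 2}
    actions = []
    for h in inventory:
        if is_fixed(h["version"]):
            actions.append((h["host"], "ok"))
        elif h["internet_exposed"]:
            actions.append((h["host"], "restrict_external_access_and_upgrade"))
        else:
            actions.append((h["host"], "upgrade"))
    return sorted(actions, key=lambda a: rank[a[1]])

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    {"host": "wiki-ext-01", "version": "8.5.2", "internet_exposed": True},
    {"host": "wiki-int-02", "version": "7.19.15", "internet_exposed": False},
    {"host": "wiki-int-03", "version": "8.1.4", "internet_exposed": False},
    {"host": "wiki-ext-04", "version": "8.6.1", "internet_exposed": True},
]
```

Note that a host on a release line with no listed fix (such as 8.1.x) is reported as needing an upgrade to one of the fixed lines, since the advisory states all versions are affected.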
“Instances accessible to the public internet, including those with user authentication, should be restricted from external network access until you can patch,” the company said.
Earlier this month, CISA, FBI, and MS-ISAC warned network admins to immediately patch Atlassian Confluence servers against an actively exploited privilege escalation flaw tracked as CVE-2023-22515.
“Due to the ease of exploitation, CISA, FBI, and MS-ISAC expect to see widespread exploitation of unpatched Confluence instances in government and private networks,” the joint advisory warned.
Microsoft revealed that the Chinese-backed Storm-0062 (aka DarkShadow or Oro0lxy) threat group had exploited the flaw as a zero-day since at least September 14, 2023.
Patching vulnerable Confluence servers as soon as possible is of utmost importance, seeing that they were previously targeted in widespread attacks pushing Linux botnet malware, crypto miners, and AvosLocker and Cerber2021 ransomware.