Stop what you’re doing and patch this critical Confluence flaw, warns Atlassian

Atlassian has told customers they “must take immediate action” to address a newly discovered flaw in its Confluence collaboration tool.

An advisory issued on October 31st warns of CVE-2023-22518, described as an “improper authorization vulnerability in Confluence Data Center and Server”, the on-prem versions of Atlassian’s products.

All versions of Confluence are susceptible to the bug, which Atlassian rates at 9.1/10 severity on the ten-point Common Vulnerability Scoring System.

The Australian vendor hasn’t detailed the nature of the flaw or how it can facilitate data loss. The company has said it’s not seen any exploits. Perhaps explaining the flaw would tip off attackers.

The fix is simple: upgrade immediately to version of Confluence that have patched the mysterious flaw. Confluence versions 7.19.16, 8.3.4, 8.4.4, 8.5.3, 8.6.1, or any version later than those releases, will do the job.

Before you upgrade, Atlassian suggests disconnecting Confluence instances from the public internet. If that’s not doable, the vendor advises restricting external network access until patches are applied.

Users of SaaS-y Confluence in Atlassian’s cloud have nothing to worry about.

• Atlassian users complain of cloud migration dead ends, especially in UK
• Atlassian buys 'asynchronous video' outfit Loom for almost $1 billion
• Red Hat bins Bugzilla for RHEL issue tracking, jumps on Jira
• IT networks under attack via critical Confluence zero-day. Patch now

The flaw is the second urgent Confluence bug to have emerged in October. CVE-2023-22515, announced on October 4th, allowed miscreants to create and abuse Confluence admin accounts.

Attackers jumped at the chance to exploit the flaw, leading US authorities to urge rapid patching.

The company also reported a critical flaw in its BitBucket product in August 2022.

Another factor to consider is that support for the Server version of Confluence will end on February 14th, 2024.

When The Register considered that deadline, Atlassian explained it considers itself a cloud-first company and explained that it prioritises the SaaS version of its products. Readers responded with concerns about the cost of migrating to either Atlassian’s Data Center and fears it will receive less attention than the Atlassian cloud.

Two critical flaws in a month certainly suggest self-hosted Confluence is a high-maintenance option, and that the A-Cloud is a more comfortable proposition. Atlassian agrees with that position, but also kept its Data Center products alive out of recognition that not every customer is comfortable in the cloud.

And today they’re not comfortable outside it, either. ®