CVE-2023-22515 is causing a lot of headaches at Atlassian. The company already had a patch available on October 4th for a vulnerability in its own Confluence software, but many end users have yet to implement it. This has prompted CISA, the FBI and MS-ISAC to issue a joint advisory.
Atlassian Confluence Data Center and Server received a patch for CVE-2023-22515 on October 4th. Evidently, that was not enough help for many users, as cybercriminals are still actively exploiting this vulnerability. One can gain access to a corporate network via Confluence, in part because it is possible to escalate privileges within the software.
Easy
Meanwhile, cybercriminals have become highly professionalized, so even hard-to-exploit cyber dangers should be taken seriously. Here, however, organizations can be infiltrated with a very simple method. Speaking to SiliconANGLE, Zane Bond, Head of Product at Keeper Security, explains that the simplicity of the attack makes quick patching crucial. “Additionally, employees need to be hyper-vigilant when it comes to indicators of compromise, including new or suspicious admin user accounts.”
Microsoft revealed that one of the organizations exploiting the vulnerability is known as Storm-0062. This group, allegedly aided by the Chinese state, is also noted for attacking parties active in medical research, defense and tech in the U.S., U.K., Australia and the EU, among others.
Not the first time: failure to patch is a long-running problem
Confluence has caused similar problems before. Last year, CVE-2022-26138 allowed attackers to obtain a hard-coded password. At the time, U.S. government agencies were given three weeks to patch their own Confluence servers.
Yesterday, we highlighted a Sonatype survey that illustrates the larger problem of such vulnerabilities. Among open-source software, 39 percent of all organizations leave a vulnerable component unpatched for a week or more. The researchers attribute this in part to overburdened security personnel, who on average have to keep an eye on 150 dependencies per year for a single piece of open-source software.