Atlassian has told customers they "must take immediate action" to address a recently discovered flaw in its Confluence collaboration tool.
An advisory issued on October 31st warns of CVE-2023-22518, described as an "improper authorization vulnerability in Confluence Data Center and Server", the on-prem versions of Atlassian's products.
All versions of Confluence are vulnerable to the bug, which Atlassian rates at 9.1/10 severity on the ten-point Common Vulnerability Scoring System.
The Australian vendor hasn't detailed the nature of the flaw or how it can facilitate data loss. The company has said it's not seen any exploits. Perhaps explaining the flaw would tip off attackers.
The fix is simple: upgrade immediately to a version of Confluence that has patched the mysterious flaw. Confluence versions 7.19.16, 8.3.4, 8.4.4, 8.5.3, 8.6.1, or any version later than those releases, will do the job.
Before you upgrade, Atlassian suggests disconnecting Confluence instances from the public internet. If that's not doable, the vendor advises restricting external network access until patches are applied.
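For admins triaging an inventory of self-hosted instances, here is an added example (not Atlassian's code) that checks a reported Confluence version against the fixed releases named above. It assumes a version counts as patched when it is at or above the fixed release of its own major.minor branch, or at or above the newest fixed release; the host inventory is constructed sample data.

```python
"""Check whether a Confluence Data Center/Server version includes the fix for
CVE-2023-22518, based on the fixed releases named in Atlassian's advisory."""
from typing import Dict, Tuple

# Fixed releases from the advisory: 7.19.16, 8.3.4, 8.4.4, 8.5.3, 8.6.1.
FIXED_VERSIONS = ["7.19.16", "8.3.4", "8.4.4", "8.5.3", "8.6.1"]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.5.3' into (8, 5, 3); pad short versions with zeros."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def is_patched(installed: str) -> bool:
    """Return True if `installed` is a fixed release or later.

    Assumption (ours, not Atlassian's): a version is patched if it is at or
    above the fixed release of its own major.minor branch, or at or above the
    newest fixed release (8.6.1). Branches with no fixed release (e.g. 8.2.x)
    are treated as vulnerable.
    """
    v = parse_version(installed)
    fixed = [parse_version(f) for f in FIXED_VERSIONS]
    if v >= max(fixed):
        return True
    for f in fixed:
        if v[:2] == f[:2]:  # same major.minor branch
            return v >= f
    return False


def triage(hosts: Dict[str, str]) -> Dict[str, str]:
    """Map host -> 'patched' / 'UPGRADE' for a {host: version} inventory."""
    return {h: ("patched" if is_patched(ver) else "UPGRADE") for h, ver in hosts.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"wiki-a": "8.5.3", "wiki-b": "8.4.0", "wiki-c": "7.19.16",
              "wiki-d": "8.2.5", "wiki-e": "9.0.0"}
    for host, status in triage(sample).items():
        print(f"{host}: {sample[host]} -> {status}")
```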
Users of SaaS-y Confluence in Atlassian's cloud have nothing to worry about.
The flaw is the second urgent Confluence bug to have emerged in October. CVE-2023-22515, announced on October 4th, allowed miscreants to create and abuse Confluence admin accounts.
Attackers jumped at the chance to exploit the flaw, leading US authorities to urge rapid patching.
The company also reported a critical flaw in its Bitbucket product in August 2022.
Another aspect to consider is that support for the Server version of Confluence will end on February 14th, 2024.
When The Register considered that deadline, Atlassian explained it considers itself a cloud-first company and that it prioritises the SaaS version of its products. Readers responded with concerns about the costs of migrating to Atlassian's Data Center edition and fears it will get less attention than the Atlassian cloud.
Two critical flaws in a month surely suggest self-hosted Confluence is a high-maintenance option, and that the A-Cloud is a more comfortable proposition. Atlassian agrees with that position, but has also kept its Data Center products alive out of recognition that not every customer is comfortable in the cloud.
And today they're not comfortable outside it, either. ®