...

Atlassian rates the severity level of this vulnerability as Critical (CVSS 10), according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is our assessment, and you should evaluate its applicability to your own IT environment.


CVE-2023-22515 - Broken Access Control Vulnerability in Confluence Data Center and Server

...

Product: Confluence Data Center and Confluence Server
Affected versions:
  • 8.0.0
  • 8.0.1
  • 8.0.2
  • 8.0.3
  • 8.0.4
  • 8.1.0
  • 8.1.1
  • 8.1.3
  • 8.1.4
  • 8.2.0
  • 8.2.1
  • 8.2.2
  • 8.2.3
  • 8.3.0
  • 8.3.1
  • 8.3.2
  • 8.4.0
  • 8.4.1
  • 8.4.2
  • 8.5.0
  • 8.5.1


What You Need To Do

Immediately patch to a fixed version

Atlassian recommends that you patch each of your affected installations to one of the fixed versions listed below (or any later version).

Product: Confluence Data Center and Server
Fixed versions:
  • 7.19.16 or later
  • 8.3.4 or later
  • 8.4.4 or later
  • 8.5.3 or later
  • 8.6.1 or later
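
A version-triage helper built from the affected and fixed version lists above, added here as an example (it is not Atlassian code). It assumes three-part version strings, reads "X or later" as any release on the same major.minor line at or above X plus anything beyond the newest fixed line (8.6.1), and reports versions the advisory does not list as "unlisted" rather than guessing.

```python
"""Triage Confluence Data Center/Server versions against CVE-2023-22515.

Added example; not Atlassian code.  The sets below are copied from the
advisory's affected and fixed version lists.  Assumption: "X or later"
covers versions on the same major.minor line at or above X, and every
version above the newest fixed line (8.6.1).  Anything else the advisory
does not list is reported as "unlisted" rather than guessed.
"""

AFFECTED = {
    "8.0.0", "8.0.1", "8.0.2", "8.0.3", "8.0.4",
    "8.1.0", "8.1.1", "8.1.3", "8.1.4",
    "8.2.0", "8.2.1", "8.2.2", "8.2.3",
    "8.3.0", "8.3.1", "8.3.2",
    "8.4.0", "8.4.1", "8.4.2",
    "8.5.0", "8.5.1",
}

# Lowest fixed version on each release line, from the advisory's fixed list.
FIXED_FLOORS = ("7.19.16", "8.3.4", "8.4.4", "8.5.3", "8.6.1")


def parse_version(text):
    """'8.5.1' -> (8, 5, 1); rejects anything that is not three integers."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    return tuple(int(p) for p in parts)


def triage(version):
    """Return 'affected', 'fixed' or 'unlisted' for one version string."""
    v = parse_version(version)
    if ".".join(map(str, v)) in AFFECTED:
        return "affected"
    floors = [parse_version(f) for f in FIXED_FLOORS]
    if v >= max(floors):
        return "fixed"  # 8.6.1 or any later release
    for f in floors:
        if v[:2] == f[:2] and v >= f:
            return "fixed"  # e.g. 8.5.3, 8.5.4, ... on the 8.5 line
    return "unlisted"


def instances_needing_action(inventory):
    """inventory: {hostname: version}. Returns hosts not on a fixed version."""
    return {h: triage(v) for h, v in inventory.items() if triage(v) != "fixed"}


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    demo = {"wiki-a": "8.5.1", "wiki-b": "8.5.3",
            "wiki-c": "7.19.15", "wiki-d": "8.6.2"}
    for host, verdict in instances_needing_action(demo).items():
        print(f"{host}: {verdict} ({demo[host]}) - patch or mitigate")
```

"unlisted" is deliberately not treated as safe: a version such as 8.1.2 or 7.19.15 is absent from both lists, so the operator should confirm against the advisory rather than let a script clear it.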

Apply temporary mitigations if unable to patch

  1. Back up your instance. (Instructions: https://confluence.atlassian.com/doc/production-backup-strategy-38797389.html)
  2. Remove your instance from the internet until you can patch, if possible. Instances accessible to the public internet, including those with user authentication, should be restricted from external network access until you can patch.
  3. If you cannot restrict external network access or patch, apply the following interim measures to mitigate known attack vectors by blocking access to the following endpoints on Confluence instances:
    1. /json/setup-restore.action
    2. /json/setup-restore-local.action
    3. /json/setup-restore-progress.action

  4. This is possible at the network layer or by making the following change to Confluence configuration files.
    On each node, modify /<confluence-install-dir>/confluence/WEB-INF/web.xml and add the following block (just before the closing </web-app> tag at the end of the file):

    <security-constraint>
        <web-resource-collection>
            <url-pattern>/json/setup-restore.action</url-pattern>
            <url-pattern>/json/setup-restore-local.action</url-pattern>
            <url-pattern>/json/setup-restore-progress.action</url-pattern>
            <http-method-omission>*</http-method-omission>
        </web-resource-collection>
        <auth-constraint />
    </security-constraint>

    The empty <auth-constraint /> element grants access to no role at all, so the servlet container rejects every request for these URL patterns, including requests from authenticated administrators. Apply the change on every node of a Data Center cluster; a node that is missed remains reachable.
  5. Restart Confluence.

    Note: These mitigation actions are limited and not a replacement for patching your instance; you must patch as soon as possible.
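
Two checks a responder will want after applying the interim measures above, added here as an example (not Atlassian tooling): confirm that web.xml really denies all three endpoints, and scan access logs for requests to them. The code assumes web.xml may carry the Java EE default namespace, that the access log is in Tomcat's common log format as in the constructed sample lines, and that Confluence may sit under a context path (so endpoints are matched by suffix).

```python
"""Verify the interim web.xml mitigation and look for hits on the blocked
endpoints.  Added example, not Atlassian tooling.

Assumptions: web.xml may carry the Java EE default namespace (stripped
before comparing tag names); access-log lines follow Tomcat's common log
format as in the constructed samples below; Confluence may be deployed
under a context path, so endpoint matching is by suffix.
"""
import re
import xml.etree.ElementTree as ET

BLOCKED = (
    "/json/setup-restore.action",
    "/json/setup-restore-local.action",
    "/json/setup-restore-progress.action",
)


def _local(tag):
    """Drop a namespace prefix such as {http://xmlns.jcp.org/xml/ns/javaee}."""
    return tag.rsplit("}", 1)[-1]


def denied_endpoints(web_xml_text):
    """Endpoints in BLOCKED that a deny-all security-constraint covers.

    Only an <auth-constraint/> with no <role-name> children denies every
    caller; a constraint that names roles (or has none at all) does not.
    """
    covered = set()
    for sc in ET.fromstring(web_xml_text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        auths = [c for c in sc if _local(c.tag) == "auth-constraint"]
        deny_all = bool(auths) and not any(
            _local(r.tag) == "role-name" for a in auths for r in a)
        if not deny_all:
            continue
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            for el in wrc:
                pattern = (el.text or "").strip()
                if _local(el.tag) == "url-pattern" and pattern in BLOCKED:
                    covered.add(pattern)
    return covered


def missing_endpoints(web_xml_text):
    """BLOCKED endpoints that web.xml still leaves reachable."""
    covered = denied_endpoints(web_xml_text)
    return [e for e in BLOCKED if e not in covered]


LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def endpoint_hits(log_lines):
    """Requests to any BLOCKED endpoint as (ip, time, method, path, status).

    A 200 on these paths before the mitigation is what incident responders
    want to find; a 403 afterwards shows the block is working.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("target").split("?", 1)[0]
        if any(path.endswith(b) for b in BLOCKED):
            hits.append((m.group("ip"), m.group("time"), m.group("method"),
                         path, int(m.group("status"))))
    return hits


# Constructed web.xml fragment: the progress endpoint was left out on purpose.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/json/setup-restore.action</url-pattern>
      <url-pattern>/json/setup-restore-local.action</url-pattern>
      <http-method-omission>*</http-method-omission>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>
</web-app>
"""

# Constructed access-log lines (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Oct/2023:14:02:11 +0000] "GET /json/setup-restore.action?x=1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [03/Oct/2023:14:02:15 +0000] "POST /json/setup-restore-local.action HTTP/1.1" 200 88',
    '198.51.100.2 - - [03/Oct/2023:14:03:01 +0000] "GET /pages/viewpage.action?pageId=1 HTTP/1.1" 200 4096',
    '203.0.113.9 - - [04/Oct/2023:09:00:00 +0000] "GET /confluence/json/setup-restore-progress.action HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for e in missing_endpoints(SAMPLE_WEB_XML):
        print("web.xml does NOT block", e)
    for hit in endpoint_hits(SAMPLE_LOG):
        print("endpoint hit:", hit)
```

Run it against each node's web.xml and the access logs covering the period before the mitigation went in; an incomplete constraint (as in the sample, which omits the progress endpoint) is reported by name, and successful 200 responses on the setup-restore paths are the lines to escalate.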


For more information, see https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html