CVE-2023-22518 Critical vulnerability in Atlassian Confluence and Ambientia's response to it
Incident
Report for Ambientia
Resolved
Atlassian Confluence installations under Ambientia's management have been patched. We continue to closely monitor the situation and are prepared to act on it if the situation changes, e.g. if new forms of exploits to this vulnerability come up.
Update
All publicly accessible Confluence installations under Ambientia's management have been closed off from the internet. Confluence upgrade installation work is still ongoing and will continue during the evening. We estimate that all Ambientia managed Confluence installations have been upgraded to a fixed Confluence version during Wednesday 1st of November 2023 at the latest.
We will be in touch with our customers during Wednesday (2023-11-01) to confirm the completion of the upgrade process.
We will lift the access restrictions once the upgrade process has been completed. If you need access to your Confluence installation before we can complete the upgrade process and lift the traffic restrictions, please raise a request to our Service Desk so that we can arrange e.g. IP address based allowlisting.
We will be in touch with our customers during Wednesday (2023-11-01) to confirm the completion of the upgrade process.
We will lift the access restrictions once the upgrade process has been completed. If you need access to your Confluence installation before we can complete the upgrade process and lift the traffic restrictions, please raise a request to our Service Desk so that we can arrange e.g. IP address based allowlisting.
Identified
On 31th of October 2023, Ambientia has been made aware of a critical security vulnerability concerning Atlassian Confluence. The vulnerability impacts all versions of Atlassian Confluence. Using this vulnerability, an unauthenticated attacker is able to cause significant data loss. The exact mechanism how this happens is not publicly disclosed at this time.
There is a fix for this vulnerability, which requires an upgrade to a fixed version of Confluence. Planning the Confluence upgrades is already under way for Ambientia's customers. In the meantime (i.e. until the upgrade has been completed for a given instance), we are going to restrict access to all publicly available Confluence instances under Ambientia's management. This will happen as soon as possible, starting at 2023-10-31 10:00 EET. We will update our Statuspage once the restrictions have been completed on all instances.
Please note that this affects only Data Center and Server versions of Confluence. Customers using Atlassian Cloud are not affected.
You can read Atlassian's official security advisory here
There is a fix for this vulnerability, which requires an upgrade to a fixed version of Confluence. Planning the Confluence upgrades is already under way for Ambientia's customers. In the meantime (i.e. until the upgrade has been completed for a given instance), we are going to restrict access to all publicly available Confluence instances under Ambientia's management. This will happen as soon as possible, starting at 2023-10-31 10:00 EET. We will update our Statuspage once the restrictions have been completed on all instances.
Please note that this affects only Data Center and Server versions of Confluence. Customers using Atlassian Cloud are not affected.
You can read Atlassian's official security advisory here