SOC235 — Atlassian Confluence Broken Access Control 0-Day CVE-2023–22515 (LetsDefend)
Originally published on Medium: https://medium.com/@brandonlove2150/soc235-atlassian-confluence-broken-access-control-0-day-cve-2023-22515-letsdefend-c97356cd353b?source=rss-024d132ba4b7——2
SOC235 — Atlassian Confluence Broken Access Control 0-Day CVE-2023–22515 (LetsDefend) Today, I took on another alert from LetsDefend.
SOC235 — Atlassian Confluence Broken Access Control 0-Day CVE-2023–22515 (LetsDefend)
Today, I took on another alert from LetsDefend. This alert was based on the Atlassian Confluence Broken Access Control vulnerability. The alert provided enough details for us to investigate this issue and analyze the generated logs.
Alert
Walkthrough
Start of Playbook
Starting this playbook, LetsDefend provides some direction to complete this alert. These are great tips for obtaining the necessary answers to complete this playbook.
Jumping into the Log Management system, we can gather all the information needed for this alert. Doing a quick search with the suspicious IP address 43.130.1.222. When we go to the suspected time of the alert, we can see three logs that align with this alert.
Source IP address Logs
Looking at these logs, we can see that the IP address requested the URL /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false. At 09:47 a.m., we can see that a new administrator action was requested, and at 09:48 a.m., a finishsetup action was completed successfully with a response code of 200.
With this information, we need to compare it to the Destination Logs to ensure that it was captured on the endpoint as well, confirming that the task was completed successfully.
Host IP address
Examining the Host logs, we can confirm that the attacker successfully gained access and created a new user. We did find more helpful information in the data stream. Let’s break this data script down to understand what is going on.
Breakdown of Script
[09/Nov/2023:09:47:36 -0000] — http-nio-8090-exec-7 43.130.1.222 GET /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false HTTP/1.1 200 18ms 27464 — curl/7.88.1
Explanation:
- [09/Nov/2023:09:47:36 -0000] → Timestamp in GMT (UTC+0).
- http-nio-8090-exec-7 → The Java thread handling the request (Confluence thread pool).
- 43.130.1.222 → Source IP address (the client making the request).
- GET → HTTP method used (retrieves information).
- /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false → Requested endpoint, possibly probing setup status of the server.
- HTTP/1.1 → Protocol version.
- 200 → Status code = OK (successful response).
- 18ms → Response time (took 18 milliseconds).
- 27464 → Response size in bytes.
- curl/7.88.1 → User-Agent (automated tool “curl” was used — often for scripted access or reconnaissance).
- The IP 43.130.1.222 queried the /server-info.action endpoint — often seen in vulnerability scanning or recon attempts against Atlassian Confluence (this path relates to setup or diagnostic pages).
Explanation:
- [09/Nov/2023:09:47:54 -0000] — http-nio-8090-exec-1 43.130.1.222 POST /setup/setupadministrator.action HTTP/1.1 302 1143ms — — curl/7.88.1
- Explanation:
- POST /setup/setupadministrator.action → Attempt to send data to the setup page (possibly creating or configuring an admin user).
- 302 → Redirect response (server redirected the request elsewhere).
- 1143ms → Response took 1.143 seconds.
- User-Agent: curl/7.88.1 again → Automated script.
Explanation:
- POST /setup/finishsetup.action → Attempt to finalize setup.
- 200 → Success.
- 90ms → Response time.
- curl/7.88.1 → Same automated script.
This indicates the attacker may have completed the setup process, finalizing configuration remotely — a known exploitation chain for some Atlassian Confluence setup vulnerabilities (like CVE-2021–26084 or CVE-2023-22518).
CVE-2023–22515 Detail
Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances. Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.
VirusTotal
Examining the internal Threat Intel page and VirusTotal, we can confirm that this IP address is flagged as malicious.
We now have all the necessary information to complete this playbook.
Playbook
We know that this is a malicious IP address. This attack type is considered other. The direction of traffic was from the Internet to the Company Network, and the Attack was Successful.
Playbook 2
This attack was successful and does need Tier 2 escalation.
Analysis Notes
On November 9, 2023, an alert was issued at 9:47 a.m. for Atlassian Confluence Broken Access Control 0-Day CVE–2023–22515. This was triggered because this activity may be indicative of an attempt to exploit the CVE-2023–22515 vulnerability, which could potentially lead to creating a new administrator user and allowing the action.
The source IP address was 43.130.1.222. Reviewing the logs, it was able to create a new administrator user at 09:47 am and then finished successfully at 09:48 am. We know this because of the successful response code.
Looking up the Source IP address on the built-in threat intelligence page, the IP address is indeed flagged as malicious; however, cross-checking it on VirusTotal confirms that it is actually malicious.
This alert needs Tier 2 escalation.
I recommend containing this endpoint that was targeted, applying mitigations per vendor instructions, or discontinue use of the product if mitigations are unavailable. Delete the newly created account, update the passwords, and continue to monitor this endpoint for any further suspicious behavior.
Summary
This LetsDefend SOC235 alert investigated a suspected exploitation of the Atlassian Confluence Broken Access Control 0-Day (CVE-2023–22515). Analysis of web and host logs revealed that the attacker’s IP address, 43.130.1.222, executed a sequence of automated curl-based HTTP requests — first probing the /server-info endpoint.action endpoint, then posting to /setup/setupadministrator.action, and finally finalizing setup via /setup/finishsetup.action. Each step received valid HTTP responses, including a 200 OK code confirming success. Host logs verified the unauthorized creation of a new administrator account, establishing a successful exploitation of the vulnerability. Threat-intelligence correlation (LetsDefend TI and VirusTotal) classified the source IP as malicious. The incident was categorized as an external, successful intrusion and escalated to Tier 2. Recommended response actions include isolating the affected Confluence instance, removing unauthorized accounts, applying Atlassian-issued patches, rotating credentials, and maintaining continuous monitoring for any follow-up activity.