FAQ for CVE-2023-22518
General Information
A critical severity authentication vulnerability was discovered in the Confluence Server and Data Center (CVE-2023-22518).
This page contains answers to frequently asked questions about this vulnerability. The Atlassian Security Team will update this page whenever new information becomes available.
Is my Confluence instance affected?
All versions of Confluence Data Center and Server are affected by this vulnerability. This Improper Authorization vulnerability allows an unauthenticated attacker to reset Confluence and create a Confluence instance administrator account. Using this account, an attacker can then perform all administrative actions that are available to a Confluence instance administrator, leading to a full loss of confidentiality, integrity and availability.
Atlassian strongly recommends patching vulnerable installations to one of the listed fixed versions (or latest version) below:
Product | Fixed Versions
---|---
Confluence Data Center and Confluence Server | 
Confluence 8.6.0 is a Data Center only release and doesn't support Server licenses. If you upgrade to version 8.6 or later, please ensure you have a valid Data Center license.
Are Cloud instances affected?
Atlassian Cloud sites are not impacted by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and not vulnerable to this issue.
My instance is NOT connected to the internet, what should I do? Am I safe?
We still strongly recommend applying the latest patch, as listed on the Confluence Security Advisory page for CVE-2023-22518.
If the Confluence instance cannot be accessed from the internet, the risk of an exploit is reduced.
Does patching to a fixed version completely solve the issue?
While the latest patch remediates the vulnerability (CVE-2023-22518), we are unable to confirm whether there is a persistent threat.
We recommend engaging with your local security team to investigate if your instance was compromised prior to patching. To assist with this investigation please refer to the Threat Detection section within the advisory to check for potential indicators of compromise.
I am running an affected version of Confluence. How can I mitigate the threat until I patch it?
For customers who are unable to immediately patch their Confluence Data Center and Server instances, we recommend the following steps to reduce the risk:
1. Take your system off the internet immediately.
2. Back up the data of the instance to a secure location outside of the Confluence instance.
For guidance on backing up Confluence, please refer to the following pages:
Back up a Site | Confluence Data Center and Server 8.6 | Atlassian Documentation
Production Backup Strategy | Confluence Data Center and Server 8.6 | Atlassian Documentation
3. Engage your local security team to review for any potential malicious activity. Review the Threat Detection section of the advisory for potential indicators of compromise.
4. Apply the following interim measures to mitigate known attack vectors by blocking access to the following endpoints on Confluence instances:
/json/setup-restore.action
/json/setup-restore-local.action
/json/setup-restore-progress.action
This is possible at the network layer or by making the following changes to Confluence configuration files.
On each node, modify /<confluence-install-dir>/confluence/WEB-INF/web.xml and add the following block of code (just before the </web-app> tag at the end of the file):
<security-constraint>
    <web-resource-collection>
        <url-pattern>/json/setup-restore.action</url-pattern>
        <url-pattern>/json/setup-restore-local.action</url-pattern>
        <url-pattern>/json/setup-restore-progress.action</url-pattern>
        <http-method-omission>*</http-method-omission>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>
Then, restart Confluence. Please engage your local security team prior to connecting your Confluence instance to the internet.
Note: These mitigation actions are limited and are not a replacement for patching your instance; you must patch as soon as possible.
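A check that the interim mitigation is actually present on a node, added here as an example and not Atlassian's tooling: it parses a web.xml and reports which of the three endpoints are not yet covered by a denying security-constraint (one with an empty auth-constraint and no http-method restriction). The web.xml text it parses is constructed, and `uncovered_endpoints` and `_web_xml` are names chosen for this example.

```python
"""Check that a Confluence web.xml carries the CVE-2023-22518 interim mitigation:
a <security-constraint> covering all three setup-restore endpoints with an empty
<auth-constraint/>. Added example, not Atlassian tooling; web.xml is constructed."""
import xml.etree.ElementTree as ET

BLOCKED_PATTERNS = {
    "/json/setup-restore.action",
    "/json/setup-restore-local.action",
    "/json/setup-restore-progress.action",
}

def _local(tag):
    # Confluence's web.xml declares a default namespace ("{uri}name"); compare local names.
    return tag.rsplit("}", 1)[-1]

def uncovered_endpoints(web_xml_text):
    """Return the endpoints NOT protected by a denying security-constraint.
    An empty set means the mitigation from the FAQ is fully in place."""
    covered = set()
    for sc in ET.fromstring(web_xml_text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        auth = [c for c in sc if _local(c.tag) == "auth-constraint"]
        # Only an auth-constraint with no <role-name> denies access; a missing
        # auth-constraint (or one naming a role) leaves the endpoint reachable.
        if not auth or any(len(a) for a in auth):
            continue
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            # Listing <http-method> narrows the constraint to those verbs only
            # and leaves the rest open, so such a block does not count.
            if any(_local(c.tag) == "http-method" for c in wrc):
                continue
            covered |= {c.text.strip() for c in wrc
                        if _local(c.tag) == "url-pattern" and c.text}
    return BLOCKED_PATTERNS - covered

def _web_xml(patterns):
    # Constructed web.xml with the FAQ's block placed before </web-app>.
    urls = "".join(f"<url-pattern>{p}</url-pattern>" for p in patterns)
    return ('<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">'
            f"<security-constraint><web-resource-collection>{urls}"
            "<http-method-omission>*</http-method-omission>"
            "</web-resource-collection><auth-constraint /></security-constraint>"
            "</web-app>")

FULL_MITIGATION = _web_xml(sorted(BLOCKED_PATTERNS))
PARTIAL_MITIGATION = _web_xml(["/json/setup-restore.action"])  # two left open
```

Run `uncovered_endpoints` against each node's real web.xml after the restart; any non-empty result names an endpoint that is still reachable.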
Are other Atlassian products affected by this vulnerability?
No, they are not affected by CVE-2023-22518. No action is required for other products.
How do I know if I have been impacted?
This Improper Authorization vulnerability allows an unauthenticated attacker to reset Confluence and create a Confluence instance administrator account. Using this account, an attacker can then perform all administrative actions that are available to a Confluence instance administrator, leading to a full loss of confidentiality, integrity and availability.
We are unable to confirm whether an instance has already been compromised, so we strongly recommend engaging your local security team.
Please refer to the Threat Detection section of the advisory for potential indicators of compromise.
My instance has been compromised, what should I do?
We strongly recommend engaging your local security team for further investigation.
Since the compromise consists of resetting the instance’s content, restoring from a previous backup is the only way of recovering your data.
Then refer to the guidelines in the section “What do I need to do to restore my Confluence instance?” below for the recommended steps to take when restoring your instance.
What do I need to do to restore my Confluence instance?
The following are the steps we recommend for restoring your Confluence instance:
1. Shut down the instance and disconnect the server from the internet.
2. Engage your local security team to review any post-exploit malicious activity. Review the Threat Detection section of the advisory for potential indicators of compromise.
3. To recover Confluence, we strongly recommend reinstalling the operating system, restoring your Confluence data from a backup taken before the instance was compromised, and then applying the latest patch to your Confluence instance.
4. Refer to the Restoring a Site documentation page for instructions on how to recover your backup.
For further information on the vulnerability and fixed versions please refer to the advisory.
If I restore Confluence from backup, am I still at risk?
Engage your local security team to investigate the impact on your instance and understand the steps required to restore it.
We strongly recommend restoring a backup of the instance from a secure location outside of the Confluence instance, because of the risk of persistence through malicious plugins.
Then refer to the guidelines in the section “What do I need to do to restore my Confluence instance?” above for the recommended steps to take when restoring your instance.
What should I look for in my Confluence logs?
Please work with your local security team for further investigation.
The following are the steps we recommend for reviewing the logs of each Confluence instance:
1. On the endpoint /json/setup-restore.action
- Navigate to the log file location:
<confluence-install-dir>/logs/conf_access_log.<DATE>.log
and search for requests to /json/setup-restore.action and /json/setup-restore-progress.action.
Suggested command:
grep "/json/setup-restore*" <confluence-install-dir>/logs/conf_access_log*
[02/Nov/2023:19:40:01 +0530] - http-nio-8090-exec-1 127.0.0.1 POST /json/setup-restore.action HTTP/1.1 403 46ms 1198 http://YOURSERVERHOST/login.action?os_destination=%2Findex.action&permissionViolation=true Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
[02/Nov/2023:19:40:08 +0530] - http-nio-8090-exec-4 127.0.0.1 POST /json/setup-restore.action?synchronous=false HTTP/1.1 302 78ms - http://YOURSERVERHOST/json/setup-restore.action Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
[02/Nov/2023:19:40:09 +0530] - http-nio-8090-exec-3 127.0.0.1 GET /json/setup-restore-progress.action?taskId=5a7af4cd-698d-4e3d-8bd4-a411c779d519 HTTP/1.1 200 24ms 277 http://YOURSERVERHOST/json/setup-restore.action Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
- Navigate to the log file location:
<confluence-home-dir>/logs/atlassian-confluence.log
and search for requests to /json/setup-restore.action.
Suggested command:
grep "/json/setup-restore*" <confluence-home-dir>/logs/atlassian-confluence.log*
2023-11-02 19:40:08,993 ERROR [http-nio-8090-exec-4 url: /json/setup-restore.action] [atlassian.confluence.setup.DefaultSetupPersister] progessSetupStep setupStack is empty of actions.
-- url: /json/setup-restore.action | userName: anonymous | action: setup-restore | referer: http://YOURSERVERHOST/json/setup-restore.action | traceId: ba2d44ef8528c78d
…
2023-11-02 19:41:04,263 INFO [Long running task: Importing data] [confluence.importexport.actions.ImportLongRunningTask] runInternal Beginning import by user null
2. On the endpoint /json/setup-restore-local.action
- Navigate to the log file location:
<confluence-install-dir>/logs/conf_access_log.<DATE>.log
and search for requests to /json/setup-restore-local.action.
Suggested command:
grep "/json/setup-restore*" <confluence-install-dir>/logs/conf_access_log*
[02/Nov/2023:19:54:47 +0530] - http-nio-8090-exec-2 127.0.0.1 POST /json/setup-restore-local.action HTTP/1.1 200 41ms 1163 http://YOURSERVERHOST/json/setup-restore-local.action Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
…
[02/Nov/2023:19:54:53 +0530] - http-nio-8090-exec-1 127.0.0.1 POST /json/setup-restore-local.action HTTP/1.1 200 29ms 1495 http://YOURSERVERHOST/json/setup-restore-local.action Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
- Navigate to the log file location:
<confluence-home-dir>/logs/atlassian-confluence.log
and search for requests to /json/setup-restore-local.action.
Suggested command:
grep "/json/setup-restore*" <confluence-home-dir>/logs/atlassian-confluence.log*
2023-11-02 19:54:53,663 ERROR [http-nio-8090-exec-1 url: /json/setup-restore-local.action] [atlassian.confluence.setup.DefaultSetupPersister] progessSetupStep The setupStack is empty; the last action should always be 'complete', which will prohibit further setupStack activity! Odds are it wasn't in this case.
-- url: /json/setup-restore-local.action | userName: anonymous | action: setup-restore-local | referer: http://YOURSERVERHOST/json/setup-restore-local.action | traceId: bde618e401be41a0
…
2023-11-02 19:41:04,263 INFO [Long running task: Importing data] [confluence.importexport.actions.ImportLongRunningTask] runInternal Beginning import by user null
Please refer to the Threat Detection section of the advisory for further information.
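A small triage script for the log review above, added here as an example rather than Atlassian tooling: it applies the checks from steps 1 and 2 to access-log and application-log lines in the formats shown, flagging every request to the three setup-restore endpoints (with its HTTP status, since a 403 was refused while a 200 or 302 was served) and every setup-restore action the application log attributes to the anonymous user. The function names and the sample log lines are constructed for this example.

```python
"""Triage Confluence logs for CVE-2023-22518 activity: requests to the
setup-restore endpoints in conf_access_log, and setup-restore actions that
atlassian-confluence.log attributes to 'anonymous'. Added example, not
Atlassian tooling; the sample lines are constructed in the FAQ's format."""
import re
from collections import Counter

SETUP_RESTORE_PATHS = {
    "/json/setup-restore.action",
    "/json/setup-restore-local.action",
    "/json/setup-restore-progress.action",
}
# conf_access_log layout: [time] - thread client-ip METHOD path HTTP/x.y status ...
ACCESS_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] - \S+ (?P<ip>\S+) (?P<method>[A-Z]+) "
                       r"(?P<path>\S+) HTTP/\S+ (?P<status>\d{3}) ")
# atlassian-confluence.log trailer: -- url: ... | userName: ... | action: ...
APP_RE = re.compile(r"-- url: (?P<url>\S+) \| userName: (?P<user>\S+) \| action: (?P<action>\S+)")

def suspicious_access(lines):
    """Return (ts, ip, method, path, status) for every setup-restore request.
    403 means refused (e.g. by the web.xml mitigation); 200/302 means served."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]  # drop ?synchronous=false, ?taskId=...
        if path in SETUP_RESTORE_PATHS:
            hits.append((m["ts"], m["ip"], m["method"], path, int(m["status"])))
    return hits

def accepted_by_source(hits):
    """Count served (non-403) setup-restore requests per client IP."""
    return Counter(h[1] for h in hits if h[4] != 403)

def anonymous_setup_restore(lines):
    """Return (url, action) for setup-restore actions run as 'anonymous',
    the unauthenticated caller this vulnerability allows."""
    return [(m["url"], m["action"]) for m in map(APP_RE.search, lines)
            if m and m["user"] == "anonymous"
            and m["url"].split("?", 1)[0] in SETUP_RESTORE_PATHS]

ACCESS_SAMPLE = [  # constructed; 203.0.113.7 / 198.51.100.9 are documentation addresses
    "[02/Nov/2023:19:40:01 +0530] - http-nio-8090-exec-1 203.0.113.7 POST /json/setup-restore.action HTTP/1.1 403 46ms 1198 - UA",
    "[02/Nov/2023:19:40:08 +0530] - http-nio-8090-exec-4 203.0.113.7 POST /json/setup-restore.action?synchronous=false HTTP/1.1 302 78ms - - UA",
    "[02/Nov/2023:19:40:09 +0530] - http-nio-8090-exec-3 203.0.113.7 GET /json/setup-restore-progress.action?taskId=x HTTP/1.1 200 24ms 277 - UA",
    "[02/Nov/2023:19:40:30 +0530] - http-nio-8090-exec-2 198.51.100.9 GET /rest/api/space HTTP/1.1 200 12ms 500 - UA",
]
APP_SAMPLE = [  # constructed trailer lines in the atlassian-confluence.log format
    "-- url: /json/setup-restore.action | userName: anonymous | action: setup-restore | referer: - | traceId: 0000",
    "-- url: /rest/api/content | userName: admin | action: viewpage | referer: - | traceId: 0001",
]
```

Feed it the real files (`conf_access_log.<DATE>.log` and `atlassian-confluence.log` from the paths above) line by line; a non-empty result from either function is a lead for your security team, not proof of compromise on its own.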
How can I review my Confluence instance for malicious plugins?
We strongly recommend involving your local security team for further investigation.
Before doing anything, we strongly recommend you shut down the instance and disconnect the server from the internet.
We strongly recommend reviewing your installed plugins for malicious ones.
1. Review the following directories:
<confluence-home-directory>/bundled-plugins
<confluence-home-directory>/plugins-cache
<confluence-home-directory>/plugins-osgi-cache
<confluence-home-directory>/plugins-temp
<confluence-home-directory>/logs
<confluence-home-directory>/temp
Please note that, due to the nature of the compromise, we are unable to provide a complete list.
2. In the Confluence Database, run the following SQL queries:
select PLUGINDATAID, PLUGINKEY, FILENAME, LASTMODDATE from PLUGINDATA order by LASTMODDATE ASC;
select BANDANAVALUE from BANDANA where BANDANAKEY = 'plugin.manager.state.Map';
3. Compare the PLUGINDATA database table and the plugin cache directory contents listed above with an earlier backup to identify any potentially suspicious plugins.
4. You may also review any recent app installations using Confluence’s Audit Log feature.
Please note that these locations and steps are a guideline to help identify whether you have a suspicious plugin, so that your local security team can further investigate a possible compromise.
What if I don’t have a local security team?
We recommend engaging a specialist security firm for further investigation.