Confluence Data Center and Server on-prem products perfectly pwned—so patch.

Atlassian Confluence is being exploited by ransomware scrotes. The near-20-year-old enterprise wiki app has yet another critical security hole—and this time it’s CVSS=10.

All versions are vulnerable. In today’s SB Blogwatch, we’re choosing between patching and replacing.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: BAYC NFT UVC FAIL.

Step #1: Get it off the Internet

What’s the craic? Sergiu Gatlan reports—“Critical Atlassian Confluence bug exploited in Cerber ransomware attacks”:

“Take immediate action”
Described by Atlassian as an improper authorization vulnerability and tracked as CVE-2023-22518, this bug received a 9.1/10 severity rating, and it affects all versions of Confluence. … Atlassian released security updates last Tuesday, warning admins to patch all vulnerable instances immediately since the flaw could also be exploited to wipe data.
…
Atlassian updated their advisory: … ”We received a customer report of an active exploit. Customers must take immediate action.” … Cerber ransomware (aka CerberImposter) was also deployed in attacks targeting Atlassian Confluence servers two years ago.

9.1? Not so fast. Becky Bracken breaks bad news—“Atlassian Bug Escalated to 10”:

The CVSS score of the related vulnerability [increased] from its original 9.1 to 10, the most critical rating on the scale. … Atlassian said it can’t confirm which customer instances have been impacted by the active attacks.

It’s not just one set of scrotes. Here’s our own Jeffrey Burt—“Hackers Exploit Atlassian Flaw”:

“Organizations should upgrade”
Multiple threat actors are descending on on-premises Atlassian Confluence software. … Threat intelligence researchers from cybersecurity firms Rapid7 and GreyNoise [said] they tracked attackers targeting enterprises running Atlassian’s Confluence … with a number of threats, including Cerber ransomware.
…
Atlassian noted that the fixed versions of Confluence Data Center and Confluence Server are 7.19.16, 8.3.4, 8.4.4, 8.5.3, and 8.6.1. Organizations should upgrade to one of the patched systems.
…
Evidence of a compromise includes:
• not being able to log into the instance,
• installed unknown plugins,
• encrypted files or corrupted data, …
• unexpected members of the confluence-administrators group …
• newly created user accounts that were not expected …
• requests to “/json/setup-restore*” in network access logs.

Still, Atlassian did notify customers about the CVSS upgrade—right? Right? u/Weirdy19 hates to burst your bubble:

Some days ago, Atlassian wrote in their advisory CVE-2023-22518 that “only” the remote deletion of data is possible. … Now they rewrote the complete post [saying] nearly everything is possible (from malware, unexpected accounts, [etc.]) with … a CVSS of 10.
…
The best thing about it: I am opted in into security related emails, but they didn’t manage to send me one. Their email reminder simply does not work.
…
What. The. Heck. Is. This. ****?

With appalling timing, Paul Smith talks to this guy—“Scott Farquhar’s 100-year plan for Atlassian”:

“Laid off 500 staff this year”
Atlassian’s co-founder and co-chief executive … said he remained as excited to run the company today as in its early years, and that it would remain on the front foot in investing for growth. … The comments were made before investors sold off Atlassian shares markedly at the end of last week, after it announced growing losses and plans to endure for more than 100 years.
…
Analysts on its earnings call on Friday were most concerned about how the company is managing the transition of customers to its cloud-based products, and whether it was struggling with organic customer growth. … Atlassian laid off 500 staff this year, and removed a layer of engineering managers in a reshuffle aimed at redeploying senior staff to more productive frontline jobs.

But why haven’t people updated yet? Frodo Douchebaggins hits us with this clue by four:

Atlassian exploits in the news? Must be a day that ends in “y”.
…
Atlassian employees: If your **** wasn’t such a pain in the *** to upgrade … you’d probably see people upgrade faster. But having to diff a bunch of **** manually in legacy installation contexts … makes it really goddamned annoying.

In a similar vein, qwertox emits this “+++ WARNING +++”:

You need to be very careful about how much you upgrade. Jira, yes, you can upgrade that to the latest version.
…
I did the same with Bitbucket and after the upgrade it told me that I have a server license but need a datacenter license for this latest version, which is 8.15. You can only upgrade up to 8.14.
…
So I checked the upgrade matrix for Confluence to make sure that I won’t have the same issues … but these huge, tremendous idiots at Atlassian don’t mention a single word about 8.5 being the last version to support server licenses, all above that requires datacenter licenses.

Also, FlamingDeath predicts other software supply chain issues:

I notice that there is a lot of JavaScript being pulled from 3rd party domains [that] I suspect Atlassian doesn’t control.

Meanwhile, what’s an IT puke to do? PsychoArs—qu’est ce cais? [You’re fa-fa fa-fa faa-fired—Ed.]

We gave up. … We’re moving to Hudu. Our on-prem Confluence isn’t internet-facing anymore, because ***** you, I’d rather spend the time migrating data to Hudu than patching again.

And Finally:

Hong Kong NFT con eyes gone

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Adrian Curiel (via Unsplash; leveled and cropped)