Atlassian CISO warns that new vulnerability can cause ‘significant data loss’
The chief information security officer for Australian software giant Atlassian warned this week that a new vulnerability affecting their Confluence Data Center and Confluence Server products could lead to “significant data loss if exploited.”
The company released an advisory on Monday night for CVE-2023-22518 — which carries a “critical” severity score of 9.1 — and the company said all publicly accessible Confluence Data Center and Server versions “are at critical risk and require immediate attention.”
The advisory stood out because it came with an “important” note from Atlassian CISO Bala Sathiamurthy, who stressed the need for customers to address the issue immediately.
“As part of our continuous security assessment processes, we have discovered that Confluence Data Center and Server customers are vulnerable to significant data loss if exploited by an unauthenticated attacker,” Sathiamurthy said.
“There are no reports of active exploitation at this time; however, customers must take immediate action to protect their instances.”
The company has released a patch for the issue but said customers unable to apply patches should back up their instances and remove them from the internet until they can be patched.
“Instances accessible to the public internet, including those with user authentication, should be restricted from external network access until you can patch,” they said.
Earlier this month, Atlassian warned of another vulnerability affecting the same products, CVE-2023-22515.
“Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances,” they said on October 4.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.