SECURE NETWORK ACCESS

Arlette Hart, October 25, 2023

Threat Advisory Bulletin: Zero-Day Exploit of Atlassian Confluence CVE-2023-22515

In a recent joint advisory, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) warned of active exploitation of CVE-2023-22515, a critical broken access control vulnerability affecting Atlassian Confluence Data Center and Server versions 8.0.0 through 8.5.1. Threat actors wasted no time in using CVE-2023-22515 as a zero-day to gain initial access to victim systems, and exploitation has continued after Atlassian released fixed versions ... underscoring both the severity of the flaw and how simple it is to exploit.

According to our Threat Advisory Services team, the vulnerability gives an unauthenticated attacker a pathway to create a rogue administrator account on a vulnerable Confluence instance. More specifically, the attacker sends a request to the unauthenticated /server-info.action endpoint carrying the parameter bootstrapStatusProvider.applicationConfig.setupComplete=false, which changes the server's configuration to indicate that initial setup is not complete. With the instance back in setup mode, a request to /setup/setupadministrator.action creates a new administrator user. No credentials are required at any step, so the risk is greatest when a Confluence instance's web interface is reachable from the public internet. The vulnerability affects self-hosted Confluence Data Center and Server only; Atlassian has stated that Atlassian Cloud sites (those accessed via an atlassian.net domain) are not affected.
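
The two-stage request pattern described above is what a defender should hunt for in Confluence access logs. The following script is an added example for this bulletin, not Appgate's or Atlassian's code. It assumes Tomcat-style combined-format access logs (the real log format on a given instance may differ and the parser would need adjusting), and the log lines embedded in it are constructed for the example, not real captures. Matching the reset request and the administrator-creation request follows directly from the vulnerability mechanics; the broader rule that flags any other /setup/*.action request against an already-configured instance is an added assumption, since those endpoints should not be reachable once setup has finished.

```python
"""Hunt Confluence access logs for the CVE-2023-22515 exploit sequence.

Added example for this bulletin; not Appgate's or Atlassian's code.
Assumes combined-format access logs. SAMPLE_LOG below is constructed.
"""
import re
from collections import defaultdict

# Stage 1: unauthenticated request that flips the instance back into setup mode.
SERVER_INFO_RE = re.compile(
    r"/server-info\.action\?.*bootstrapStatusProvider\.applicationConfig\.setupComplete=false",
    re.I,
)
# Stage 2: the admin-creation endpoint that is only meant to work during setup.
SETUP_ADMIN_RE = re.compile(r"/setup/setupadministrator\.action", re.I)
# Assumption: any other setup action on a live instance is worth a look.
SETUP_ANY_RE = re.compile(r"/setup/[^\s?]*\.action", re.I)

# Minimal parser for the combined log format:
#   <ip> - <user> [<time>] "<method> <path> <proto>" <status> <bytes> "<ref>" "<ua>"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the request fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    req["status"] = int(req["status"])
    return req


def classify(req):
    """Label one request as a stage of the exploit chain, or None if benign."""
    path = req["path"]
    if SERVER_INFO_RE.search(path):
        return "setup-reset"      # stage 1: setupComplete=false
    if SETUP_ADMIN_RE.search(path):
        return "setup-admin"      # stage 2: create an administrator
    if SETUP_ANY_RE.search(path):
        return "setup-endpoint"   # other setup action on a configured instance
    return None


def hunt(lines):
    """Scan log lines; return (findings, source IPs that ran both stages)."""
    findings = []
    stages = defaultdict(set)
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        label = classify(req)
        if label is None:
            continue
        findings.append({"ip": req["ip"], "time": req["time"], "label": label,
                         "method": req["method"], "status": req["status"]})
        stages[req["ip"]].add(label)
    # A source that both reset setup state and hit the admin endpoint has
    # almost certainly created a rogue administrator; check the
    # confluence-administrators group for accounts you do not recognize.
    chained = sorted(ip for ip, seen in stages.items()
                     if {"setup-reset", "setup-admin"} <= seen)
    return findings, chained


# Constructed sample: one benign browse, one attacker chain, one benign
# unparameterized hit on /server-info.action that must NOT be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2023:09:14:02 +0000] "GET /wiki/spaces/ENG/overview HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Oct/2023:09:15:10 +0000] "GET /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.23 - - [12/Oct/2023:09:15:11 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.23 - - [12/Oct/2023:09:15:12 +0000] "GET /setup/finishsetup.action HTTP/1.1" 302 0 "-" "python-requests/2.31"
10.0.0.7 - jdoe [12/Oct/2023:09:16:30 +0000] "GET /server-info.action HTTP/1.1" 200 310 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    found, chained_ips = hunt(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f['time']} {f['ip']} {f['method']} {f['label']} status={f['status']}")
    print("sources that completed both stages:", chained_ips)
```

Run it against a real log with `hunt(open(path).readlines())`. A plain GET to /server-info.action is normal traffic and is deliberately not flagged; only the setupComplete=false parameter is the reset. Because exploitation traffic may have been proxied, treat any hit on stage 2 as a finding even when the same source did not perform stage 1 in the retained logs.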

Recommendations

For on-premises Atlassian Confluence deployments, the recommended action for Appgate SDP Zero Trust Network Access (ZTNA) customers is to take the Confluence deployment off the public internet: remove its public IP addresses and any inbound firewall or load-balancer rules that expose it, and serve it only to appropriately authenticated and authorized Appgate SDP users. By doing so, you keep out the "unknowns" and allow only "known/trusted" entities to reach your Confluence environment, and only under appropriate circumstances. Note that this stops opportunistic exploitation from the internet but does not remove the vulnerability: the upgrade to a fixed version is still required, and the instance should be checked for rogue administrator accounts created before access was restricted.

For Confluence Cloud (SaaS) tenants, the same principle applies as a defense-in-depth measure: use the "IP allowlisting" settings in the service (Atlassian's IP whitelisting feature), setting the allowlist to contain the public addresses of the Appgate Gateway(s) deployed in one of your Appgate SDP sites. Users' Confluence traffic then egresses through those Gateways, so only they can communicate with your Confluence instance on the cloud platform. From there, the approach remains the same: only authenticated and authorized users are granted access through Appgate SDP to the cloud-based instance of Confluence.

Additional information and IOCs from the joint advisory

Recognizing the gravity of the situation, Atlassian has labeled this vulnerability as critical. CISA, the FBI and MS-ISAC are urging network administrators to apply the upgrades provided by Atlassian immediately to fortify networks against potential breaches. In addition, the joint advisory strongly encourages organizations to proactively hunt for any suspicious activity on their networks. CISA, the FBI and MS-ISAC have provided detection signatures and indicators of compromise (IOCs) to assist in this process (see below). If any signs of compromise are detected, organizations should promptly implement recommended incident response measures as outlined in the joint advisory.

Atlassian's advisory offers interim measures for instances that cannot be upgraded immediately: restrict external network access to the instance and block access to the /setup/* endpoints (for example, at a reverse proxy or web application firewall in front of Confluence). CISA, the FBI and MS-ISAC stress that these only mitigate known attack vectors; the instance must ultimately be upgraded to a fixed version (8.3.3, 8.4.3 or 8.5.2, or later) or taken offline until the update can be applied, to guard against further exploitation.
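
When checking an inventory of self-hosted instances against this advisory, the question is not just "is the version below 8.5.2" but which patched branch applies. The following is an added example for this bulletin, not Atlassian's or Appgate's code; the version ranges it encodes come from Atlassian's advisory (8.0.0 through 8.5.1 affected; 8.3.3, 8.4.3 and 8.5.2 the first fixed releases on their branches). It accepts plain dotted numeric version strings only, and the recommendation to move 8.0.x, 8.1.x and 8.2.x instances to the 8.5.2 long-term-support release is this example's choice, since those branches received no patched release.

```python
"""Assess a Confluence Data Center/Server version against CVE-2023-22515.

Added example; not Atlassian's or Appgate's code. Ranges follow Atlassian's
advisory for this CVE. Accepts dotted numeric versions such as "8.5.1".
"""

FIRST_AFFECTED = (8, 0, 0)
LAST_AFFECTED = (8, 5, 1)
# First fixed release on each branch that received a patch.
FIXED_ON_BRANCH = {(8, 3): (8, 3, 3), (8, 4): (8, 4, 3), (8, 5): (8, 5, 2)}
# Example's choice for branches with no patched release (8.0.x to 8.2.x).
LTS_FIX = (8, 5, 2)


def parse_version(text):
    """Turn "8.5.1" (or "8.5") into a comparable 3-tuple of ints."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable Confluence version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return (nums + (0, 0, 0))[:3]


def fmt(version_tuple):
    return ".".join(str(n) for n in version_tuple)


def assess(version):
    """Return (vulnerable, recommended_upgrade_or_None)."""
    v = parse_version(version)
    # Pre-8.0 releases and anything after the affected range are not affected.
    if v < FIRST_AFFECTED or v > LAST_AFFECTED:
        return False, None
    fixed = FIXED_ON_BRANCH.get(v[:2])
    if fixed is not None:
        # 8.3.x / 8.4.x / 8.5.x: fixed once at or above the branch's patch.
        if v >= fixed:
            return False, None
        return True, fmt(fixed)
    # 8.0.x, 8.1.x, 8.2.x: no patch on-branch; move to the LTS fix.
    return True, fmt(LTS_FIX)


if __name__ == "__main__":
    # Constructed inventory for the example.
    inventory = {"wiki-prod": "8.5.1", "wiki-dev": "8.3.3",
                 "wiki-legacy": "7.19.14", "wiki-new": "8.6.0"}
    for host, ver in inventory.items():
        vulnerable, upgrade = assess(ver)
        state = f"VULNERABLE, upgrade to {upgrade}" if vulnerable else "not affected"
        print(f"{host:12} {ver:8} {state}")
```

The range check is deliberately exact at both ends: 8.5.1 is the last affected release and 8.6.0 (released after the fix) is outside the range, so neither a naive "below 8.5.2" test nor a "starts with 8." test would give the right answer for every branch.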

For those seeking to reinforce network defenses, CISA, the FBI, and MS-ISAC have provided downloadable indicators of compromise (IOCs) in STIX XML and STIX JSON formats:

For existing customers still facing challenges to remediate, please reach out immediately to your Appgate SDP customer service representative.

If you are not yet an Appgate customer, we are available to discuss how Appgate SDP direct-routed ZTNA can help you quickly protect against this zero-day vulnerability ... and the next. Please contact us here.

Additional ZTNA resources

Comparison Guide: Cloud-routed vs. Direct-routed ZTNA: What’s the Difference?
Analyst report: 2023 Nemertes Real Economic Value of Appgate SDP
Blog: Universal ZTNA Advances Enterprise Innovation, Reduces OpEx and Simplifies Security
