Sat. Mar 14th, 2026

Software giant Atlassian has warned of a critical security flaw that could lead to what it termed “significant data loss” for customers, coming just weeks after Chinese state-backed hackers allegedly targeted its products.

In an advisory, the Australian company urged customers to patch against the flaw affecting on-premise versions of Atlassian Confluence Data Center and Server, a widely popular collaborative wiki system used by businesses to organize and share work.

According to sources, Atlassian Confluence Data Center and Server was recently the target of Chinese state-sponsored hackers (activity Microsoft tracks as Storm-0062), who exploited a separate, maximum-rated 10.0 vulnerability to compromise some Atlassian customers’ data.

This latest vulnerability, tracked as CVE-2023-22518 and rated 9.1 out of 10 on the CVSS vulnerability severity scale, has been described as an “improper authorization vulnerability.”

Meanwhile, Atlassian has stated in an advisory that there were no reports of active exploitation as of October 31, and that there was no impact to confidentiality. The company has insisted that an attacker cannot exfiltrate any instance data.

The advisory explains that Atlassian Cloud sites accessed via an atlassian.net domain are unaffected by the vulnerability, but warns that on-premise instances face “significant data loss if exploited by an unauthenticated attacker.”

The advisory also included a message from Atlassian CISO Bala Sathiamurthy, who said that while the flaw is not yet being actively exploited, customers must take “immediate action” to protect their instances.

The advisory warns that all publicly accessible Confluence Data Center and Server versions “are at critical risk and require immediate attention.” Atlassian urged administrators to upgrade to a fixed version without delay, and added that temporary mitigations must be applied wherever an immediate upgrade is not possible.

“Instances accessible to the public internet, including those with user authentication, should be restricted from external network access until you can patch,” the company added.
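The advisory’s two instructions, upgrade to a fixed version and restrict internet-facing instances until you can, translate naturally into an inventory triage step. The script below is an added example written for this article, not code from Atlassian or from the advisory. The fixed-version table is a placeholder shape only: replace its values with the branches and patch levels listed in Atlassian’s advisory for CVE-2023-22518. The instance inventory is constructed sample data.

```python
"""Triage a Confluence Data Center/Server inventory against a fixed-version table.

Added example (not Atlassian's code). Versions are compared numerically per
major.minor branch, so "8.5.10" correctly ranks above "8.5.9" (a plain string
comparison would get this wrong).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Turn 'major.minor.patch' into a comparable tuple of ints."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def branch_of(v: Version) -> str:
    """The 'major.minor' release branch a version belongs to."""
    return f"{v[0]}.{v[1]}"


@dataclass
class Instance:
    name: str
    version: str
    internet_facing: bool


@dataclass
class Finding:
    name: str
    status: str   # "fixed" or "vulnerable"
    reason: str
    action: str


def triage(inst: Instance, fixed_by_branch: Dict[str, str]) -> Finding:
    """Decide whether one instance is on a fixed build and what to do if not.

    fixed_by_branch maps a release branch ("8.5") to the first fixed build in
    that branch ("8.5.N"). A branch missing from the table cannot be verified
    as fixed and is treated as needing an upgrade to a supported fixed branch.
    """
    v = parse_version(inst.version)
    fixed_text = fixed_by_branch.get(branch_of(v))
    if fixed_text is None:
        status, reason = "vulnerable", "release branch has no listed fixed build"
    elif v >= parse_version(fixed_text):
        status, reason = "fixed", f"at or above fixed build {fixed_text}"
    else:
        status, reason = "vulnerable", f"below fixed build {fixed_text}"

    if status == "fixed":
        action = "no action required"
    else:
        action = "upgrade to a fixed version"
        if inst.internet_facing:
            # Mirrors the advisory: cut external access until patched.
            action = "restrict external network access now; " + action
    return Finding(inst.name, status, reason, action)


def triage_all(instances: List[Instance], fixed_by_branch: Dict[str, str]) -> List[Finding]:
    return [triage(i, fixed_by_branch) for i in instances]


# PLACEHOLDER table: replace every value with the real fixed builds from
# Atlassian's advisory. The ".99" patch levels are deliberately unrealistic.
PLACEHOLDER_FIXED_BY_BRANCH = {"7.19": "7.19.99", "8.5": "8.5.99"}

# Constructed sample inventory (not real hosts).
INVENTORY = [
    Instance("wiki-hq", "8.5.2", internet_facing=True),
    Instance("wiki-dev", "8.5.99", internet_facing=False),
    Instance("wiki-legacy", "7.13.5", internet_facing=True),
]

if __name__ == "__main__":
    for f in triage_all(INVENTORY, PLACEHOLDER_FIXED_BY_BRANCH):
        print(f"{f.name:12} {f.status:10} {f.reason:45} -> {f.action}")
```

Run as-is it reports the two sample instances that are below (or outside) the placeholder fixed branches and, for the internet-facing ones, leads with the advisory’s interim mitigation of restricting external access. Feeding it real data means pointing `INVENTORY` at your asset register and filling the branch table from the advisory.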
