bitvoodoo Advisories BVADVIS

Product: Confluence Server and Data Center
Vulnerability: critical
CVE: CVE-2023-22518
Official link: https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-confluence-server-1311473907.html

Dear customer,

On Oct 30 2023 (21:00 PDT), Atlassian issued a Security Advisory for Confluence Data Center and Confluence Server.

The Cloud versions of the applications as well as other Atlassian products are not affected.

What you need to know

An Important Message from Bala Sathiamurthy, Chief Information Security Officer (CISO)

As part of our continuous security assessment processes, we have discovered that Confluence Data Center and Server customers are vulnerable to significant data loss if exploited by an unauthenticated attacker. There are no reports of active exploitation at this time; however, customers must take immediate action to protect their instances. Please read the Critical Security Advisory below for instructions and vulnerability details.

Protecting customers' instances is our top priority, and our prompt response demonstrates our dedication to ensuring the safety of our customers and your data. Atlassian is always reviewing security measures to reduce security risks and support our customers in taking timely action. Customers can expect to receive high-priority patches outside of our monthly advisory schedule as necessary. We believe that taking proactive action is the best approach and we appreciate your ongoing partnership.

All versions of Confluence Data Center and Server are affected by this unexploited vulnerability. There is no impact to confidentiality as an attacker cannot exfiltrate any instance data.

Publicly accessible Confluence Data Center and Server versions as listed below are at critical risk and require immediate attention. See ‘What You Need to Do’ for detailed instructions.

Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.


Affected Versions

This Improper Authorization vulnerability affects all versions prior to the listed fix versions of Confluence Data Center and Server. Atlassian recommends patching to the fixed LTS version or later.

Product: Confluence Data Center and Server
Affected Versions: All versions are affected



What should I do?

You use Confluence Data Center and Server

Update

Atlassian recommends that you patch each of your affected installations to one of the listed fixed versions (or any later version) below.

Product: Confluence Data Center and Server
Fixed Versions:
  • 7.19.16 or later
  • 8.3.4 or later
  • 8.4.4 or later
  • 8.5.3 or later
  • 8.6.1 or later
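As an added example (not part of bitvoodoo's or Atlassian's advisory), the following Python helper checks an inventory of installed Confluence Server/Data Center versions against the fixed versions listed above, applying "or later" per release branch rather than across the whole version list. The hostnames and versions in the sample inventory are constructed.

```python
# Added example: compare installed Confluence Server/DC versions with the
# fixed versions listed in this advisory. Not bitvoodoo or Atlassian tooling.
FIXED_VERSIONS = ["7.19.16", "8.3.4", "8.4.4", "8.5.3", "8.6.1"]


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '8.5.3' into (8, 5, 3); raise ValueError on malformed input."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) < 2 or any(p < 0 for p in parts):
        raise ValueError(f"unexpected Confluence version string: {text!r}")
    return parts


def assess(installed: str, fixed: list[str] = FIXED_VERSIONS) -> str:
    """Classify one installed version: 'fixed', 'affected' or 'unlisted-branch'.

    'or later' in the advisory applies within a release branch (major.minor),
    so 8.5.0 is still affected even though it sorts above 8.4.4. A branch newer
    than any listed fix is not covered by the advisory text and is reported as
    'unlisted-branch' so an operator can check the vendor page by hand.
    """
    inst = parse_version(installed)
    by_branch = {parse_version(v)[:2]: parse_version(v) for v in fixed}
    branch = inst[:2]
    if branch in by_branch:
        return "fixed" if inst >= by_branch[branch] else "affected"
    if branch > max(by_branch):
        return "unlisted-branch"
    # Older or in-between branch (e.g. 8.2.x): no fix exists, upgrade required.
    return "affected"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts by verdict so affected instances can be handled first."""
    report: dict[str, list[str]] = {"fixed": [], "affected": [], "unlisted-branch": []}
    for host, version in inventory.items():
        report[assess(version)].append(host)
    return report


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "wiki-a.example.internal": "8.5.3",
        "wiki-b.example.internal": "7.19.10",
        "wiki-c.example.internal": "8.2.0",
        "wiki-d.example.internal": "8.5.2",
    }
    for verdict, hosts in triage(sample).items():
        print(f"{verdict}: {', '.join(hosts) or '-'}")
```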

Mitigation

Apply temporary mitigations if unable to patch

  • Back up your instance. (Instructions: https://confluence.atlassian.com/doc/back-up-a-site-152405.html)
  • Remove your instance from the internet until you can patch, if possible. Instances accessible to the public internet, including those with user authentication, should be restricted from external network access until you can patch.

You use Confluence Cloud

You are not affected by this Security Advisory. No need for action.

You use Confluence Server or Data Center on servers operated by bitvoodoo

Update

We will contact our customers to offer them an update as soon as possible. Please be aware that we are currently experiencing a very high workload and that we will have to prioritize customers with an LTS update package.

Please apply the mitigation in the meantime.

Mitigation

Apply temporary mitigations if unable to patch

  • Back up your instance. (Instructions: https://confluence.atlassian.com/doc/back-up-a-site-152405.html)
  • Remove your instance from the internet until you can patch, if possible. Instances accessible to the public internet, including those with user authentication, should be restricted from external network access until you can patch.


Update

Customers with an LTS Update Package will be contacted to discuss whether an update is needed and to plan it. Please be aware that we are currently experiencing a very high workload.


Support

If you still have questions or concerns regarding this advisory, please contact bitvoodoo support via support.bitvoodoo.ch.
