As well as upgrading, customers can follow "Can we determine if Confluence has already been compromised?", which is available in this FAQ, to check for indicators of compromise. If any evidence is found, you should assume that your instance has been compromised and evaluate the risk of flow-on effects.

If you believe your Confluence instance was compromised, contact Atlassian Support as Atlassian assistance is required to recover and protect your instance. Please include web server access logs (with the IP address of the attacker) in the data that is provided for further investigation.

We strongly recommend involving your local security team for further investigation. If it is determined that your Confluence Server/DC instance has been compromised, our advice is to immediately shut down and disconnect the server from the network/Internet. Also, you may want to immediately shut down any other systems which potentially share a user base or have common username/password combinations with the compromised system.

1. On each node, modify //confluence/WEB-INF/web.xml  and add the following block of code (just before the tag at the end of the file):

Additionally, you can mitigate known attack vectors for this vulnerability by blocking access to the /setup/* endpoints on Confluence instances. This is possible at the network layer or by making the following changes to Confluence configuration files.

If you are unable to upgrade Confluence, as an interim measure we recommend restricting external network access to the affected instance.

This page contains frequently asked questions and answers about this vulnerability. The Atlassian Security Team will update this page as new information becomes available.

If the Confluence instance cannot be accessed from the general internet, the risk of an exploit/attack originating from there is reduced.

Yes! While ensuring instances are not exposed to the public internet greatly reduces the attack surface, we strongly recommend applying the latest version security patch.

The mitigation prevents any Confluence administrators from triggering Confluence setup actions, this includes setting up Confluence from scratch or migrating to and from Data Center. If these actions are required you will need to remove these lines from the web.xml file. Please re-add these lines if you are not running a fixed version of Confluence.

If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.

The Confluence Data Center and Server versions listed below are affected by this vulnerability. Publicly accessible Confluence Data Center and Server versions as listed below are at critical risk and require immediate attention. Customers using these versions should upgrade your instance as soon as possible.

Please work with your local security team or a specialist security forensics firm for further investigation, and contact Atlassian Support for additional assistance.

The mitigation actions noted in the Advisory are not a replacement for upgrading your instance; you must upgrade as soon as possible. The mitigation steps will block an attacker's ability to create an administrator account in Confluence, however, it won’t prevent an attacker from continuously trying to exploit the instance which may result in a Denial of Service attack. Once the upgrade is complete, you will no longer receive the HTTP Status errors or redirects to /setup/finishsetup.action.

Before doing anything else you will need to work with your local security team to identify the scope of the breach and your recovery options. If your Confluence instances have been compromised by CVE-2023-22515, threat attackers hold full administrative access and can perform any number of unfettered actions including - but not limited to - exfiltration of content and system credentials, and installation of malicious plugins.

We do our best to ensure that the products that you order are delivered to you in full and according to your specifications. However, should you receive an incomplete order, or items different from the ones you ordered, or there is some other reason why you are not satisfied with the order, you may return the order, or any products included in the order, and receive a full refund for the items. View full return policy

Due to the critical nature of this vulnerability and the variety of ways in which instances can be accessed, please work with local network/security team(s) to determine if mitigation is needed. However, out of an abundance of caution, the guidance on the Confluence Security Advisory page for CVE-2023-22515 still applies.

Atlassian recommends that you upgrade each of your affected installations to one of the listed fixed versions (or any later version) below.