When exploits started targeting Atlassian Confluence - CVE-2023-22515 and CVE-2023-22518 - I needed to understand the risk quickly. Confluence is widely deployed, including by Peakhour clients, so the immediate question was what practical advice we could give them.
These were not minor bugs. Both allowed attackers to create unauthorised administrator accounts, which puts the confidentiality, integrity, and availability of everything stored in Confluence directly at risk.
Paul from Secure Stack has already done an excellent analysis of the situation and identified the likely scope of the problem. It is worth reading for background; the timeline below is unashamedly lifted from that article.
The Timeline So Far
- CVE-2023-22515 Impact Analysis: This bug affected Confluence Server and Data Center versions 8.0.0 through 8.5.1; cloud (SaaS) instances were not affected. Given how often Confluence sits inside large organisations that do not update quickly, the exposed population was still large.
- Dealing with CVE-2023-22518: At the end of October, CVE-2023-22518 was disclosed. It started with a CVSS score of 9.1 and affected every version of Confluence Data Center and Server ever released (cloud again unaffected). That put organisations outside the first CVE's affected range back in scope.
- The Severity Upgrade of CVE-2023-22518: On November 7th, 2023, Atlassian raised the severity of CVE-2023-22518 to a CVSS score of 10 after ransomware exploitation was observed. Like CVE-2023-22515, it allowed an unauthenticated attacker to create administrator accounts.
Looking to EPSS for advice
For these CVEs, I leaned heavily on the Exploit Prediction Scoring System (EPSS). EPSS combines CVE information with real-world exploitation data and estimates the probability that a CVE will be exploited in the next 30 days, returning a score between 0 and 1 - the higher the score, the more likely exploitation. It also publishes a percentile, which places the CVE relative to every other scored CVE. Read more about the applicability of EPSS for scoring vulnerabilities.
EPSS Score Changes I Observed
The first big move came when new threat intelligence landed after October 10, 2023. The EPSS score for CVE-2023-22515 went from 0.00126 on October 10th to 0.93527 on October 11th, a jump of roughly 740x that reflects confirmed active exploitation.
The table lists scores with the most recent date first:
| Date | EPSS Score | Percentile |
|---|---|---|
| 2023-10-13 | 0.93527 | 0.98809 |
| 2023-10-12 | 0.93527 | 0.98809 |
| 2023-10-11 | 0.93527 | 0.98808 |
| 2023-10-10 | 0.00126 | 0.46728 |
| 2023-10-09 | 0.00126 | 0.46716 |
CVE-2023-22518 was still moving, with a score change the day before publication:
| Date | EPSS Score | Percentile |
|---|---|---|
| 2023-11-08 | 0.01852 | 0.86954 |
| 2023-11-07 | 0.00061 | 0.24385 |
| 2023-11-06 | 0.00054 | 0.20098 |
| 2023-11-05 | 0.00054 | 0.20099 |
| 2023-11-03 | 0.00054 | 0.20098 |
| 2023-11-02 | 0.00043 | 0.07260 |
| 2023-11-01 | 0.00043 | 0.07283 |
This table shows the EPSS score rising from 0.00043 on November 1st to 0.01852 on November 8th, roughly 40x in a week, and the percentile moving from the 7th to the 87th. The absolute probability was still low, but the direction was an escalating likelihood of exploitation.
Making Sense of the EPSS Score Changes
These shifts in EPSS scores tied in with the changelog on Atlassian's advisory:
- 31 Oct 2023: Atlassian's CISO sent an alert about significant data loss potential. No active exploits were reported yet, but the warning was clear.
- 02 Nov 2023: Critical information about the vulnerability was posted publicly, increasing the risk of exploitation.
- 03 Nov 2023: A customer reported an active exploit. That was a clear signal for anyone who had not patched.
- 06 Nov 2023: Several active exploits and ransomware uses were observed, leading to the CVSS score escalation for CVE-2023-22518.
I also checked the CVSS scores. CVE-2023-22515 stood at 10.0 from the start. CVE-2023-22518 started at 9.1 and was raised to 10 only after exploitation was observed, and its EPSS score, as the table shows, did not move until November 8th, several days after Atlassian had already recorded active exploitation and ransomware.
EPSS vs. CVSS in My Vulnerability Management Approach
I use EPSS as a gauge of exploitation probability. It is threat-focused, but it is not the whole picture: asset accessibility, vulnerability type, and asset value also matter, and EPSS lags vendor reports of exploitation by days. I use EPSS alongside CVSS, and alongside what the vendor is saying, to get a clearer view of what we are dealing with. It is also useful to compare how CVSS scores line up against EPSS probabilities for the same CVEs.
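To make the two tables above and the EPSS-plus-CVSS approach concrete, here is an added example (my code, not part of the original post or of EPSS itself). It parses a FIRST EPSS time-series response, finds the day-over-day jump in each CVE's probability, and applies a triage policy that combines EPSS, CVSS, internet exposure and vendor-confirmed exploitation. The JSON sample is constructed by hand in the shape the FIRST API returns, using the numbers from the tables; the `fetch_epss` call hits the real API and is the only thing that needs the network. The P1/P2/P3 thresholds in `triage` are my assumption, not a published standard.

```python
"""Track EPSS movements and fold EPSS, CVSS and exposure into a triage call."""
import json
from urllib.request import urlopen

# Constructed sample in the shape of a FIRST EPSS API time-series response
# (https://api.first.org/data/v1/epss?cve=...&scope=time-series). The numbers
# are the ones quoted in the tables above; the JSON wrapper is hand-built here.
SAMPLE_EPSS_RESPONSE = json.dumps({
    "status": "OK",
    "data": [
        {"cve": "CVE-2023-22515", "epss": "0.93527", "percentile": "0.98809",
         "date": "2023-10-13", "time-series": [
            {"date": "2023-10-13", "epss": "0.93527", "percentile": "0.98809"},
            {"date": "2023-10-12", "epss": "0.93527", "percentile": "0.98809"},
            {"date": "2023-10-11", "epss": "0.93527", "percentile": "0.98808"},
            {"date": "2023-10-10", "epss": "0.00126", "percentile": "0.46728"},
            {"date": "2023-10-09", "epss": "0.00126", "percentile": "0.46716"}]},
        {"cve": "CVE-2023-22518", "epss": "0.01852", "percentile": "0.86954",
         "date": "2023-11-08", "time-series": [
            {"date": "2023-11-08", "epss": "0.01852", "percentile": "0.86954"},
            {"date": "2023-11-07", "epss": "0.00061", "percentile": "0.24385"},
            {"date": "2023-11-06", "epss": "0.00054", "percentile": "0.20098"},
            {"date": "2023-11-05", "epss": "0.00054", "percentile": "0.20099"},
            {"date": "2023-11-03", "epss": "0.00054", "percentile": "0.20098"},
            {"date": "2023-11-02", "epss": "0.00043", "percentile": "0.07260"},
            {"date": "2023-11-01", "epss": "0.00043", "percentile": "0.07283"}]},
    ],
})


def fetch_epss(cves):
    """Fetch the live time series from FIRST. Network call; everything else in
    this file works on SAMPLE_EPSS_RESPONSE so it runs offline."""
    url = ("https://api.first.org/data/v1/epss?cve=" + ",".join(cves)
           + "&scope=time-series")
    with urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_time_series(raw):
    """Return {cve: [(date, epss, percentile), ...]} with the oldest date first."""
    series = {}
    for entry in json.loads(raw)["data"]:
        points = [(p["date"], float(p["epss"]), float(p["percentile"]))
                  for p in entry["time-series"]]
        series[entry["cve"]] = sorted(points)  # ISO dates sort lexically
    return series


def largest_jump(points):
    """Day with the biggest day-over-day rise in EPSS probability.

    Returns (date, before, after, ratio), or None for fewer than two points.
    The ratio matters more than the delta: 0.0006 -> 0.0185 is a tiny
    absolute change but a 30x rise, and that is the signal to watch.
    """
    best = None
    for (_, before, _), (date, after, _) in zip(points, points[1:]):
        delta = after - before
        if best is None or delta > best[0]:
            best = (delta, date, before, after)
    if best is None:
        return None
    _, date, before, after = best
    ratio = after / before if before else float("inf")
    return date, before, after, ratio


def triage(epss, cvss, internet_exposed, vendor_confirmed_exploitation):
    """Assumed triage policy (my thresholds, not a published standard).

    EPSS lags vendor advisories by days, so a vendor-confirmed exploit
    against an internet-facing asset is P1 even while EPSS still reads low.
    """
    if internet_exposed and (vendor_confirmed_exploitation
                             or epss >= 0.1 or cvss >= 9.0):
        return "P1"
    if vendor_confirmed_exploitation or epss >= 0.1 or cvss >= 7.0:
        return "P2"
    return "P3"


if __name__ == "__main__":
    for cve, points in parse_time_series(SAMPLE_EPSS_RESPONSE).items():
        print(cve, largest_jump(points))
    # CVE-2023-22518 as of 6 Nov: EPSS 0.00054, CVSS 9.1, exposed, ransomware seen
    print(triage(0.00054, 9.1, True, True))  # P1 despite the low EPSS
```

The point of the `vendor_confirmed_exploitation` input is the November 6th row: on that day EPSS for CVE-2023-22518 still read 0.00054 while Atlassian had already logged ransomware, so a policy that keyed on EPSS alone would have left an exposed instance at P2.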

Are Peakhour Clients Protected?
With the public exploit information in hand, I turned to ClickHouse to see what was happening in practice. We quickly observed active scanning. Our IP Reputation lists were also categorising those IPs, so clients using the lists correctly had another control to keep these requests away from exposed services.
This is the active list of IPs we are seeing probing for CVE-2023-2215:
| Client IP | IP Reputation Category |
|---|---|
| 178.250.189.169 | hosting |
| 185.220.101.57 | other, dos, spam, attacks, tor, hosting, datacenter |
| 193.187.172.73 | hosting |
| 45.134.26.2 | other |
| 45.94.211.81 | hosting, datacenter |
| 46.231.179.42 | datacenter, hosting |
| 46.38.255.27 | other, dos, spam, attacks, tor, hosting, datacenter |
| 95.111.246.11 | datacenter, hosting |
| 95.85.78.75 | datacenter, hosting |

This is the larger list of IPs probing for already compromised instances:
| Client IP | IP Reputation Categories |
|---|---|
| 104.234.140.11 | webattacks, hosting, datacenter |
| 104.234.140.21 | hosting, datacenter |
| 104.234.140.4 | hosting, datacenter |
| 104.234.140.8 | webattacks, hosting, datacenter |
| 144.172.76.65 | hosting, datacenter, attacks |
| 162.240.159.247 | hosting, datacenter |
| 172.233.176.52 | hosting, datacenter |
| 178.250.189.169 | hosting |
| 185.220.101.57 | other, dos, spam, attacks, tor, hosting, datacenter |
| 193.187.172.73 | hosting |
| 193.29.56.19 | hosting |
| 20.68.177.203 | hosting, datacenter |
| 203.145.142.86 | attacks, bots |
| 37.221.173.253 | hosting, datacenter |
| 45.134.26.2 | other |
| 45.248.160.61 | bots |
| 45.94.211.81 | hosting, datacenter |
| 46.231.179.42 | datacenter, hosting |
| 46.38.255.27 | other, dos, spam, attacks, tor, hosting, datacenter |
| 54.161.151.64 | hosting, datacenter |
| 92.119.179.90 | datacenter |
| 95.111.246.11 | datacenter, hosting |
| 95.85.78.75 | datacenter, hosting |

This is where real-time threat intelligence earns its place in active security controls. It helps keep you under the radar and gives you early intelligence on the actors probing your applications.
We also saw evidence of follow-up attacks after the scan.

What other protections could be applied
Bot mitigation and web application firewalls (WAFs) still matter here. Bot controls help block automated abuse, including credential stuffing, scraping, and DDoS attacks. They also help distinguish legitimate human traffic from automated traffic, reducing the chance that malicious bots reach vulnerabilities still waiting in the patch backlog.
Web Application Firewalls provide a separate enforcement point for web applications. They monitor, filter, and block potentially harmful requests using predefined or customisable rules, including rules for common web-based attacks such as SQL injection, cross-site scripting (XSS), and other attacks that exploit known vulnerabilities. WAF rules can be adjusted quickly as threats change. Together, bot mitigation and WAFs improve an organisation's ability to reduce exposure across a wide range of web threats.
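The reputation tables above and this section describe three layers working together: a reputation feed, a bot challenge, and the WAF behind them. As an added example (my code, not Peakhour's edge or any product's rule set), here is how those layers can be applied to web server access logs: each source IP is looked up in a reputation feed and gets a block, challenge or allow decision, and a behavioural heuristic catches scanners that are not in the feed yet. The reputation entries are copied from the tables above; the policy thresholds, the log lines and the addresses 198.51.100.23 and 203.0.113.10 are constructed for the example, and the paths are generic scanner noise rather than the Confluence exploit requests.

```python
"""Block / challenge / allow per source IP from a reputation feed plus a
behavioural scan heuristic, applied to web access logs."""
import re
from collections import defaultdict

# Reputation categories copied from the tables above (a subset). In practice
# this dict is the feed the edge pulls; it is embedded so the example runs offline.
REPUTATION = {
    "185.220.101.57": {"other", "dos", "spam", "attacks", "tor", "hosting", "datacenter"},
    "104.234.140.11": {"webattacks", "hosting", "datacenter"},
    "104.234.140.21": {"hosting", "datacenter"},
    "203.145.142.86": {"attacks", "bots"},
    "45.248.160.61": {"bots"},
    "95.85.78.75": {"datacenter", "hosting"},
}

# Policy is my assumption, not Peakhour's: confirmed attack, Tor and DoS
# sources are dropped; anonymous hosting/datacenter/bot sources get a
# bot-mitigation challenge (humans rarely browse a wiki from a VPS); the
# rest pass through to the WAF and the application.
BLOCK_CATEGORIES = {"attacks", "webattacks", "tor", "dos"}
CHALLENGE_CATEGORIES = {"hosting", "datacenter", "bots"}

# Constructed nginx combined-format lines, not observed traffic.
SAMPLE_LOG = """\
185.220.101.57 - - [10/Oct/2023:09:14:02 +0000] "GET /login.action HTTP/1.1" 200 512 "-" "python-requests/2.31"
95.85.78.75 - - [10/Oct/2023:09:14:05 +0000] "GET /login.action HTTP/1.1" 200 512 "-" "curl/8.1.2"
95.85.78.75 - - [10/Oct/2023:09:14:06 +0000] "GET /dologin.action HTTP/1.1" 200 0 "-" "curl/8.1.2"
198.51.100.23 - - [10/Oct/2023:09:20:00 +0000] "GET / HTTP/1.1" 200 4096 "-" "Go-http-client/1.1"
198.51.100.23 - - [10/Oct/2023:09:20:01 +0000] "GET /.env HTTP/1.1" 404 0 "-" "Go-http-client/1.1"
198.51.100.23 - - [10/Oct/2023:09:20:01 +0000] "GET /wp-login.php HTTP/1.1" 404 0 "-" "Go-http-client/1.1"
198.51.100.23 - - [10/Oct/2023:09:20:02 +0000] "GET /admin/ HTTP/1.1" 404 0 "-" "Go-http-client/1.1"
198.51.100.23 - - [10/Oct/2023:09:20:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 0 "-" "Go-http-client/1.1"
203.0.113.10 - - [10/Oct/2023:09:31:10 +0000] "GET /display/ENG/Home HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:09:31:12 +0000] "GET /login.action HTTP/1.1" 200 512 "-" "Mozilla/5.0"
this line is deliberately malformed and must be skipped
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_log(text):
    """Parse combined-format lines; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            records.append(rec)
    return records


def reputation_decision(ip):
    """Feed-only decision for one source address."""
    cats = REPUTATION.get(ip, set())
    if cats & BLOCK_CATEGORIES:
        return "block"
    if cats & CHALLENGE_CATEGORIES:
        return "challenge"
    return "allow"


def scanner_ips(records, min_paths=4, min_error_ratio=0.5):
    """IPs touching many distinct paths with mostly 4xx responses: the
    behavioural fingerprint of a scanner that is not yet in any feed."""
    paths, errors, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for r in records:
        paths[r["ip"]].add(r["path"])
        total[r["ip"]] += 1
        if 400 <= r["status"] < 500:
            errors[r["ip"]] += 1
    return {ip for ip in total
            if len(paths[ip]) >= min_paths
            and errors[ip] / total[ip] >= min_error_ratio}


def triage_traffic(text):
    """Return {ip: {"decision", "categories", "scanner", "requests"}}."""
    records = parse_log(text)
    scanners = scanner_ips(records)
    result = {}
    for r in records:
        ip = r["ip"]
        if ip not in result:
            decision = reputation_decision(ip)
            if decision == "allow" and ip in scanners:
                decision = "challenge"  # behaviour caught what the feed missed
            result[ip] = {"decision": decision,
                          "categories": sorted(REPUTATION.get(ip, ())),
                          "scanner": ip in scanners, "requests": 0}
        result[ip]["requests"] += 1
    return result


if __name__ == "__main__":
    for ip, info in triage_traffic(SAMPLE_LOG).items():
        print(ip, info)
```

The scanner heuristic is what gives you the early intelligence the previous section mentions: 198.51.100.23 has no reputation entry, but five distinct paths with four 404s in two seconds is enough to push it into a challenge, and that address is a candidate for the feed before it reaches anything vulnerable.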
Addressing the Backlog of Security Vulnerabilities and Patch Timelines
The Challenge of a Growing Vulnerability Backlog
Many security teams are dealing with a growing vulnerability backlog. The data is uncomfortable: 47% of security leaders report having a backlog of applications identified as vulnerable. More concerning, 66% state their backlog includes over 100,000 vulnerabilities. That accumulation matters because vulnerabilities are potential entry points for cyberattacks.
Patching Pace vs. Vulnerability Escalation
Compare that with the escalation timeline from the EPSS and CVSS data. CVE-2023-22515 and CVE-2023-22518 are useful examples:
- CVE-2023-22515 and CVE-2023-22518 Escalation: These vulnerabilities escalated quickly in severity and exploitability. CVE-2023-22515's EPSS score went from 0.00126 to 0.93527 in a single day, and CVE-2023-22518's CVSS score was raised to 10 within a week of disclosure, with its EPSS score and percentile climbing sharply in the same window.
- Patch Timelines: The data indicates that 78% of respondents take longer than 3 weeks to patch high-risk vulnerabilities, with 29% needing more than 5 weeks. That delay matters when vulnerabilities like CVE-2023-22515 and CVE-2023-22518 go from disclosure to active exploitation in days.
The Gap Between Detection and Remediation
The gap between fast vulnerability escalation and slow patching is a real weakness in security defences. A rapid increase in EPSS scores for vulnerabilities like CVE-2023-22518 signals an immediate threat, yet many organisations still have a lengthy patching process. During that window, the risk of exploitation remains high.
If I could take one scoring system to an island, which would I take?

Both the Exploit Prediction Scoring System (EPSS) and the Common Vulnerability Scoring System (CVSS) are useful, but they answer different questions. My preference leans towards EPSS because it states the likelihood of exploitation directly. A probability score is easier to act on when the question is what needs attention now.
That direct approach makes EPSS useful when explaining urgency to both technical and non-technical staff. It avoids some of the translation work that comes with security jargon and helps teams prioritise vulnerabilities quickly.
CVSS is still useful for understanding how critical a vulnerability is. It focuses on severity, including factors such as impact and exploitability. What it does not always show as plainly is the immediate threat level, and that is where EPSS is easier to use.
What next from here?
Viewed through Confluence-Ageddon, EPSS and CVSS are useful together, but they do different jobs. If you need immediate defence, reach out; we can help protect your self-hosted Confluence with a simple DNS change.