Updated: Apr 6
A critical vulnerability in Confluence Server
It’s been a bad few weeks for Atlassian given the numerous critical vulnerabilities affecting their Confluence Server and Confluence Data Center applications. Well, not to play favourites, but this week’s Cytidel Intel Insights will again cover one of these vulnerabilities, given just how impactful it could be to those of you running the application.
CVE-2022-26138 was published on 20 July 2022. Shortly afterwards, the hardcoded password at the heart of the vulnerability was publicly disclosed on Twitter by an external party. Given the ease with which the vulnerability can now be exploited, it is almost certainly being exploited in the wild.
What Is It?
From this week’s Confluence Security Advisory post:
When the Questions for Confluence app is enabled on Confluence Server or Data Center, it creates a Confluence user account with the username disabledsystemuser. This account is intended to aid administrators that are migrating data from the app to Confluence Cloud. The disabledsystemuser account is created with a hardcoded password and is added to the confluence-users group, which allows viewing and editing all non-restricted pages within Confluence by default. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access any pages the confluence-users group has access to.
The hardcoded password for disabledsystemuser is the same on every installation, so once exposed it can be used to log into any reachable Confluence Server or Data Center instance that has the Questions for Confluence app installed (or has had it installed: the account is not removed when the app is uninstalled).
Why Should I Care?
That password has since been disclosed on Twitter by an external party, meaning that if this vulnerability is not remediated on your system, a breach is not merely possible but likely.
The most difficult task for a threat actor is usually gaining an initial foothold in your organisation, and this vulnerability hands them one. An attacker logged in as disabledsystemuser can read every page the confluence-users group can see, which often includes sensitive internal documentation, and can edit any non-restricted page to embed links to malware or ransomware, turning your own trusted wiki into a delivery mechanism for deeper access into your organisation.
Am I Vulnerable?
The disabledsystemuser account is only created by the Questions for Confluence app; the account itself exists to assist Confluence administrators migrating the app’s data to Confluence Cloud. If this app is installed (or has ever been installed) and has not been updated to a fixed version, then yes, you are vulnerable.
If you are unsure whether you have this app installed, check your user account list instead. A Confluence Server or Data Center instance is affected if it has an active user account with the username disabledsystemuser.
If this account does not appear in the list of active users, the Confluence instance is not affected.
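To make that check concrete, and to go one step further than the advisory by looking for signs the account has already been used, here is an added example. It is not part of the original post and not Atlassian’s code. It assumes the layout of Confluence’s cwd_user table (user_name, lower_user_name, active = 'T'/'F') and the default Confluence Tomcat access-log pattern, in which the authenticated username is the second field; both are assumptions, and the database rows and log lines below are constructed for the demonstration.

```python
"""Check a Confluence instance for the disabledsystemuser account (CVE-2022-26138)
and hunt access logs for activity by that account.

Added example, not Atlassian's code. Assumptions: the cwd_user table layout
(user_name, lower_user_name, active = 'T'/'F') and the default Confluence
Tomcat access-log pattern with the authenticated user in the second field.
All sample data below is constructed for the demonstration."""
import re
import sqlite3
from typing import Optional

AFFECTED_USER = "disabledsystemuser"

# --- 1. Database check: does the account exist, and is it active? -------

def build_sample_db(active_flag: Optional[str]) -> sqlite3.Connection:
    """Constructed stand-in for Confluence's cwd_user table (only the columns
    the check needs). A real check runs the same SELECT against the
    production database rather than an in-memory SQLite copy."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cwd_user (user_name TEXT, lower_user_name TEXT, active TEXT)")
    conn.execute("INSERT INTO cwd_user VALUES ('admin', 'admin', 'T')")
    if active_flag is not None:
        conn.execute("INSERT INTO cwd_user VALUES (?, ?, ?)",
                     (AFFECTED_USER, AFFECTED_USER, active_flag))
    conn.commit()
    return conn

def assess_instance(conn: sqlite3.Connection) -> str:
    """Return 'affected', 'present-but-disabled' or 'not-affected'.

    Mirrors the advisory's rule: the instance is affected if the account
    exists and is active. A disabled account cannot be logged into, but it
    is reported separately because it still deserves review and removal."""
    row = conn.execute(
        "SELECT user_name, active FROM cwd_user WHERE lower_user_name = ?",
        (AFFECTED_USER.lower(),),
    ).fetchone()
    if row is None:
        return "not-affected"
    return "affected" if row[1] == "T" else "present-but-disabled"

# --- 2. Access-log hunt: has the account actually been used? -------------

# Assumed default Confluence access-log layout (conf/server.xml AccessLogValve):
# [time] user thread client-ip method path protocol status durationms bytes referer user-agent
ACCESS_LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<user>\S+) (?P<thread>\S+) (?P<ip>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>\S+) (?P<status>\d{3}) "
    r"(?P<ms>\d+)ms (?P<bytes>\S+) (?P<referer>\S+) (?P<ua>.*)$"
)
WRITE_METHODS = {"POST", "PUT", "DELETE", "PATCH"}

# Constructed sample lines: one anonymous hit, one admin hit, and two requests
# by the hardcoded account from the same external address, one a page edit.
SAMPLE_ACCESS_LOG = """\
[20/Jul/2022:14:02:58 +0000] - http-nio-8090-exec-1 198.51.100.4 GET /login.action HTTP/1.1 200 12ms 5210 - Mozilla/5.0
[20/Jul/2022:14:03:11 +0000] disabledsystemuser http-nio-8090-exec-3 203.0.113.7 GET /rest/api/content?limit=100 HTTP/1.1 200 37ms 4821 - python-requests/2.28.1
[20/Jul/2022:14:03:40 +0000] admin http-nio-8090-exec-2 10.0.0.15 GET /dashboard.action HTTP/1.1 200 22ms 9312 - Mozilla/5.0
[20/Jul/2022:14:04:02 +0000] disabledsystemuser http-nio-8090-exec-3 203.0.113.7 PUT /rest/api/content/98305 HTTP/1.1 200 91ms 1180 - python-requests/2.28.1
"""

def find_account_activity(log_text: str, user: str = AFFECTED_USER) -> list:
    """Return every request authenticated as `user`, flagging write methods.

    Any hit at all is suspicious: the account exists for migration tooling,
    not for interactive or API use."""
    hits = []
    for line in log_text.splitlines():
        m = ACCESS_LOG_RE.match(line)
        if m is None or m["user"] != user:
            continue
        hits.append({
            "ts": m["ts"], "ip": m["ip"], "method": m["method"],
            "path": m["path"], "status": int(m["status"]),
            "write": m["method"] in WRITE_METHODS,
        })
    return hits

def summarize(hits: list) -> dict:
    """Group hits by source address and count page-modifying requests."""
    by_ip = {}
    for h in hits:
        entry = by_ip.setdefault(h["ip"], {"requests": 0, "writes": 0})
        entry["requests"] += 1
        entry["writes"] += h["write"]
    return by_ip

if __name__ == "__main__":
    for flag in ("T", "F", None):
        print(f"cwd_user active={flag!r}: {assess_instance(build_sample_db(flag))}")
    activity = find_account_activity(SAMPLE_ACCESS_LOG)
    print(f"{len(activity)} request(s) by {AFFECTED_USER}: {summarize(activity)}")
```

The write flag matters because the threat described above is page tampering: a PUT against /rest/api/content by this account is exactly the edit that would plant a malicious link, and the source address tells you where to look next.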
What Can I Do?
There are two options for remediating this vulnerability. Note that, counterintuitively, uninstalling the Questions for Confluence app does not remediate it: the disabledsystemuser account is not removed as part of the uninstallation process.
Update the Questions for Confluence app to a fixed version:
2.7.x >= 2.7.38
Versions >= 3.0.5
For more information on how to update an app, refer to Atlassian's documentation.
Search for the disabledsystemuser account and either disable it or delete it. For instructions on how to disable or delete an account (including an explanation of the differences between the two options), refer to Atlassian's documentation. If the account shows any sign of having been used (logins in the audit log or requests in the access logs), treat it as an incident and preserve those logs before removing the account.
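The fixed-version rule above has a branch in it (the 2.7 line is fixed from 2.7.38, everything else from 3.0.5), which is easy to get wrong when eyeballing a version string. The following added example, not from the original post and not Atlassian’s code, encodes that rule and applies it to an installed-plugins listing. The plugin key and the shape of the Universal Plugin Manager listing (GET /rest/plugins/1.0/) are assumptions, and the JSON is constructed for the demonstration.

```python
"""Decide whether an installed Questions for Confluence version carries the
fix for CVE-2022-26138, using the fixed-version rule from the advisory:
the 2.7.x line is fixed from 2.7.38, every other line from 3.0.5.

Added example, not Atlassian's code. The plugin key and the shape of the
Universal Plugin Manager listing are assumptions; the JSON below is
constructed for the demonstration."""
import json

QUESTIONS_PLUGIN_KEY = "com.atlassian.confluence.plugins.confluence-questions"  # assumed key

def parse_version(text: str) -> tuple:
    """'2.7.38' -> (2, 7, 38). Non-numeric suffixes such as '-SNAPSHOT' are
    dropped and missing components are treated as 0."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits or 0))
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def is_fixed_version(version: str) -> bool:
    """True only for versions the advisory states as fixed. Anything the
    advisory does not cover is treated as not fixed, the safe default."""
    v = parse_version(version)
    if v[:2] == (2, 7):
        return v[2] >= 38
    return v >= (3, 0, 5)

# Constructed UPM listing: only the fields the check reads.
SAMPLE_UPM_LISTING = json.dumps({"plugins": [
    {"key": "com.atlassian.confluence.plugins.confluence-mentions-plugin",
     "version": "5.1.2", "enabled": True},
    {"key": QUESTIONS_PLUGIN_KEY, "version": "2.7.35", "enabled": True},
]})

def assess_questions_app(upm_json: str) -> dict:
    """Find the Questions for Confluence entry and report whether it is fixed."""
    listing = json.loads(upm_json)
    for plugin in listing.get("plugins", []):
        if plugin.get("key") == QUESTIONS_PLUGIN_KEY:
            ver = plugin.get("version", "")
            return {"installed": True, "version": ver, "fixed": is_fixed_version(ver)}
    # Not installed now does not mean never installed: the account survives
    # uninstalling the app, so the user-list check is still required.
    return {"installed": False, "version": None, "fixed": None}

if __name__ == "__main__":
    print(assess_questions_app(SAMPLE_UPM_LISTING))
```

A result of installed: False is not a clean bill of health, for the reason given in the text: the account outlives the app, so the user-list check still has to be done.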
For more information on weekly vulnerability trends, make sure to subscribe to Cytidel on LinkedIn to keep up to date. If you have any questions on how Cytidel can help your company or organisation with its vulnerability management, please contact firstname.lastname@example.org