Atlassian has warned customers that a vulnerability in Questions for Confluence will likely be used in attacks after someone made public a piece of information needed to exploit a recently addressed vulnerability.
A knowledge sharing application, Questions for Confluence helps Confluence users quickly access information or share it with others, as well as to connect with experts when needed. The application is a paid, optional add-on and is not installed by default on Confluence.
Last week, Atlassian announced patches for a critical vulnerability in the application that impacts the Confluence Server and Data Center products.
Tracked as CVE-2022-26138, the security issue exists because, when enabled on the impacted products, Questions for Confluence creates a user account with the username disabledsystemuser and a hardcoded password.
Because the user account is added to the confluence-users group, it has access to non-restricted pages within Confluence.
Late last week, Atlassian updated its advisory to warn that someone has made the hardcoded password public, and to provide additional information on how to resolve the bug and look for indicators of compromise.
“An external party has discovered and publicly disclosed the hardcoded password on Twitter. It is important to remediate this vulnerability on affected systems immediately,” Atlassian’s updated advisory reads.
“This issue is likely to be exploited in the wild now that the hardcoded password is publicly known. This vulnerability should be remediated on affected systems immediately,” the advisory continues.
According to Atlassian, Questions for Confluence currently has over 8,000 installations. Systems running Questions for Confluence 2.7.34, 2.7.35, or 3.0.2 are impacted, even if the application has been removed.
“Uninstalling the Questions for Confluence app does not remediate this vulnerability. The disabledsystemuser account does not automatically get removed after the app has been uninstalled,” Atlassian warns.
The vulnerability was resolved with the release of Questions for Confluence versions 2.7.38 (compatible with Confluence 6.13.18 through 7.16.2) and 3.0.5 (compatible with Confluence 7.16.3 and later), which no longer contain the hardcoded password and also remove the disabledsystemuser account if it was previously created.
However, Atlassian warns that, if Confluence is configured to use a read-only external directory, users need to manually search for the disabledsystemuser user account and delete or disable it.
“We recommend updating the Questions for Confluence app which will remove this user from the system. If this isn’t possible for any reason, you should disable or delete the user,” Atlassian notes in an FAQ for CVE-2022-26138.