Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Atlassian Expects Confluence App Exploitation After Hardcoded Password Leak

Atlassian has warned customers that a vulnerability in Questions for Confluence will likely be used in attacks after someone made public a piece of information needed to exploit a recently addressed vulnerability.

Atlassian has warned customers that a vulnerability in Questions for Confluence will likely be used in attacks after someone made public a piece of information needed to exploit a recently addressed vulnerability.

A knowledge sharing application, Questions for Confluence helps Confluence users quickly access information or share it with others, as well as to connect with experts when needed. The application is a paid, optional add-on and is not installed by default on Confluence.

Last week, Atlassian announced patches for a critical vulnerability in the application that impacts the Confluence Server and Data Center products.

Tracked as CVE-2022-26138, the security issue exists because, when enabled on the impacted products, Questions for Confluence creates a user account with the username disabledsystemuser and a hardcoded password.

Because the user account is added to the confluence-users group, it has access to non-restricted pages within Confluence.

Late last week, Atlassian updated its advisory to warn that someone has made the hardcoded password public, and to provide additional information on how to resolve the bug and look for indicators of compromise.

“An external party has discovered and publicly disclosed the hardcoded password on Twitter. It is important to remediate this vulnerability on affected systems immediately,” Atlassian’s updated advisory reads.

“This issue is likely to be exploited in the wild now that the hardcoded password is publicly known. This vulnerability should be remediated on affected systems immediately,” the advisory continues.

Advertisement. Scroll to continue reading.

According to Atlassian, Questions for Confluence currently has over 8,000 installations. Systems running Questions for Confluence 2.7.34, 2.7.35, or 3.0.2 are impacted, even if the application has been removed.

“Uninstalling the Questions for Confluence app does not remediate this vulnerability. The disabledsystemuser account does not automatically get removed after the app has been uninstalled,” Atlassian warns.

The vulnerability was resolved with the release of Questions for Confluence versions 2.7.38 (compatible with Confluence 6.13.18 through 7.16.2) and 3.0.5 (compatible with Confluence 7.16.3 and later), which no longer contain the hardcoded password and also remove the disabledsystemuser account if it was previously created.

However, Atlassian warns that, if Confluence is configured to use a read-only external directory, users need to manually search for the disabledsystemuser user account and delete or disable it.

“We recommend updating the Questions for Confluence app which will remove this user from the system. If this isn’t possible for any reason, you should disable or delete the user,” Atlassian notes in an FAQ for CVE-2022-26138.

Related: Atlassian Patches Servlet Filter Vulnerabilities Impacting Multiple Products

Related: Cisco Patches Severe Vulnerabilities in Nexus Dashboard

Related: Oracle Releases 349 New Security Patches With July 2022 CPU

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

DARPA veteran Dan Kaufman has joined Badge as SVP, AI and Cybersecurity.

Kelly Shortridge has been promoted to VP of Security Products at Fastly.

After the passing of Amit Yoran, Tenable has appointed Steve Vintz and Mark Thurmond as co-CEOs.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.