Monday, December 23, 2024

Atlassian Patches critical Confluence hardcoded credentials flaw

Atlassian has patched a critical hardcoded credentials vulnerability in Confluence Server and Data Center that could let remote, unauthenticated attackers log into vulnerable, unpatched servers.

The hardcoded password is added after installing the Questions for Confluence app (versions 2.7.34, 2.7.35, and 3.0.2) for a user account with the username disabledsystemuser — designed to help admins with the migration of data from the app to the Confluence Cloud.

According to Atlassian, the app helps improve communication with the organization’s internal Q&A team and is currently installed on over 8,000 Confluence servers.

“The disabledsystemuser account is created with a hardcoded password and is added to the confluence-users group, which allows viewing and editing all non-restricted pages within Confluence by default,” the company explained in a security advisory published on Wednesday.

“A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access any pages the confluence-users group has access to.”

Atlassian says it has no evidence, and has yet to receive any reports, that the vulnerability (tracked as CVE-2022-26138) is being exploited in the wild.

However, the company warned that “the hardcoded password is trivial to obtain after downloading and reviewing affected versions of the app.”

Affected app                     Affected versions
Questions for Confluence 2.7.x   2.7.34, 2.7.35
Questions for Confluence 3.0.x   3.0.2

Update to a patched version as soon as possible

Admins who want to determine if their servers are affected by this hardcoded credentials security flaw have to check for an active user account with the following info:

  • User: disabledsystemuser
  • Username: disabledsystemuser
  • Email: dontdeletethisuser@email.com

On affected servers, uninstalling the Questions for Confluence app does not remediate this vulnerability and will not remove the attack vector (i.e., the disabledsystemuser account with a hardcoded password).

How to patch

To fix the issue, Atlassian recommends updating to a patched version of Questions for Confluence or, until you can install the update, disabling/deleting the disabledsystemuser account.

Updating the Questions for Confluence app to a fixed version (versions 2.7.x >= 2.7.38 or versions higher than 3.0.5) will stop creating the problematic user account and remove it if present.

To disable or delete the account, you can use the detailed steps provided in this support document.

To look for evidence of exploitation on your servers, you should check the last authentication time for disabledsystemuser by following these instructions. If the result is null, it means the account exists on the system, but no one has signed in using it.
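As an added example that is not from the advisory or Atlassian's support documents, the following Python check runs the account lookup and last-authentication query described above against a constructed SQLite stand-in for the Confluence database. The table and column names (cwd_user, user_mapping, logininfo, successdate) are assumptions to verify against your own schema.

```python
"""Detection check for CVE-2022-26138 (added example, not Atlassian's own query).

Assumes Confluence tables cwd_user, user_mapping and logininfo with the columns
used below (verify against your schema). Runs against an in-memory SQLite copy
filled with constructed sample rows so it works offline; pass a connection to
the real database to run it for real.
"""
import sqlite3

ACCOUNT = "disabledsystemuser"
EMAIL = "dontdeletethisuser@email.com"

CHECK_SQL = """
SELECT u.user_name, u.email_address, u.active, l.successdate
FROM cwd_user u
LEFT JOIN user_mapping m ON m.username = u.user_name
LEFT JOIN logininfo l ON l.username = m.user_key
WHERE u.user_name = ?
"""


def check_disabledsystemuser(conn):
    """Return a dict describing the finding, or None if the account is absent."""
    row = conn.execute(CHECK_SQL, (ACCOUNT,)).fetchone()
    if row is None:
        return None
    user_name, email, active, last_success = row
    return {
        "user_name": user_name,
        "active": bool(active),            # active account: still exploitable
        "email_matches": email == EMAIL,   # second indicator from the advisory
        # NULL successdate: the account exists but nobody has signed in with it
        "ever_logged_in": last_success is not None,
        "last_success": last_success,
    }


def sample_db(logged_in):
    """Constructed sample data shaped like the assumed Confluence tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE cwd_user (user_name TEXT, email_address TEXT, active INTEGER);
        CREATE TABLE user_mapping (user_key TEXT, username TEXT);
        CREATE TABLE logininfo (username TEXT, successdate TEXT);
    """)
    conn.execute("INSERT INTO cwd_user VALUES (?, ?, 1)", (ACCOUNT, EMAIL))
    conn.execute("INSERT INTO user_mapping VALUES ('constructed-key', ?)", (ACCOUNT,))
    if logged_in:  # constructed login record, i.e. evidence of use
        conn.execute("INSERT INTO logininfo VALUES ('constructed-key', '2022-07-21')")
    return conn
```

A present, active account with a null last_success matches the "exists but never used" case the advisory describes; a non-null value is the point from which to start an incident review.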

Steven Black (n0tst3)
Hello! I'm Steve, an independent security researcher and analyst from Scotland, UK. I've had an avid interest in computers, technology and security since my early teens. 20 years on, and it's a whole lot more complicated... I've assisted governments, individuals and organizations throughout the world, including the US DOJ, NHS UK and GOV UK. I'll often reblog infosec-related articles that I find interesting. On the RiSec website, you'll also find a variety of write-ups, tutorials and much more!