Atlassian on Thursday urged organizations using its Questions for Confluence app to immediately update to the latest version of the software or to apply a mitigation measure to protect against a critical vulnerability in the product — one of three critical bugs disclosed by the vendor this week.
The “patch now” advice was prompted by the public disclosure of a hardcoded password associated with the Questions app that gives a remote, unauthenticated attacker a way to log into Confluence and access all content in the broader confluence-users group.
Many organizations use Confluence for project management and collaboration among teams scattered across on-premises and remote locations. Often Confluence environments can house sensitive data on projects that an organization might be working on, or on its customers and partners.
The Questions app meanwhile allows for a Q&A/crowdsourcing function within a given workspace.
The problem primarily impacts organizations using Questions for Confluence Server and Data Center versions 2.7.34, 2.7.35, and 3.0.2 of the app. However, even organizations using other versions of Confluence could potentially be affected, Atlassian said. The vulnerability does not affect the Questions for Confluence app for Confluence Cloud.
Bracing for Exploits
“The issue is likely to be exploited in the wild now that the hardcoded password is publicly known,” Atlassian warned. “This vulnerability (CVE-2022-26138) should be remediated on affected systems immediately,” the vendor said.
Atlassian disclosed the bug on Wednesday. The company described the issue as resulting from a Confluence user account that is created when the Questions for Confluence app is enabled either on Confluence Data Center or Confluence Server. The user account — with the username “disabledsystemuser” — is designed to help administrators migrating data from these apps to Confluence Cloud.
But the account is created with a hardcoded password that is added to the confluence-users group. This allows attackers to view and edit all non-restricted pages within the Confluence user-group by default, according to Atlassian. So, any attacker with knowledge of the password can log in remotely to the Confluence collaboration environment and access whatever content other users in the group can access, the software vendor said.
Soon after Atlassian’s advisory Wednesday, a security researcher published the hardcoded password on Twitter, prompting Atlassian’s urgent update Thursday.
The company’s advisory provided details on how organizations can determine if they are affected by the vulnerability or might have already been compromised via an exploit targeting the flaw. Atlassian urged organizations to update to versions 2.7.38 or 3.0.5 of the software or to disable or delete the disabledsystemuser account.
Importantly, merely uninstalling the Questions for Confluence application would not remediate against the vulnerability because the disabledsystemuser account would still remain in place after the app is removed, Atlassian warned.
Two Other Critical Vulnerabilities
The other two critical vulnerabilities that were disclosed (CVE-2022-26136
and CVE-2022-26137) exist in multiple versions of almost all Atlassian products. These include Bamboo Server and Data Center, Bitbucket Server and Data Center, Confluence Server and Data Center, Crowd Server and Data Center, Jira Server and Data Center, and Jira Service Management Server and Data Center.
CVE-2022-26136 is an authentication-bypass vulnerability in Java code called Servlet Filter for intercepting and processing HTTP requests from and to a client and a backend system. The vulnerability gives attackers a way to use a specially crafted HTTP request to bypass Servlet Filters that third-party apps might use to enforce authentication.
The same vulnerability also allows attackers to use specially crafted HTTP requests to trick users into executing arbitrary JavaScript in the user’s browser.
Atlassian said it had been able to confirm such attacks are possible but has still not been able to determine all third-party apps that might be affected by the issue.
The flaw tracked as CVE-2022-26137 also exists in Servlet Filter and gives remote, unauthenticated attackers a way to access vulnerable applications by using a specially crafted HTTP request to trick users into requesting a malicious URL. Atlassian has released updated versions of its software for all affected products to address these vulnerabilities.
Atlassian’s Ongoing Cybersecurity Woes
The latest flaws mark the second time in the past two months that organizations using Atlassian’s technology have been forced to scramble to fix serious flaws in its products.
In early June, the company disclosed a critical remote code-execution vulnerability (RCE) impacting all supported versions of Confluence Server and Data Center. The bug (CVE-2022-26134) gave unauthenticated attackers a way to drop a Web shell on affected systems. It generated considerable concern because threat actors had already begun exploiting it by the time the company issued a fix for it.
Attackers quickly began actively exploiting the flaw to distribute a variety of malware, including Mirai bot variants, cryptominers, ransomware and the Cobalt Strike post-exploit attack kit. Many of the attacks were automated in nature.
An analysis by Barracuda showed that 45% of attempts to exploit the vulnerability were from Russia-based IP addresses; 25% percent of the exploit attacks were from the US; and 11% originated from IP addresses in India.