Atlassian has patched a critical hardcoded credentials vulnerability in Confluence Server and Data Center that could let remote, unauthenticated attackers log into vulnerable, unpatched servers.

The hardcoded password belongs to a user account with the username disabledsystemuser, which is created after installing the Questions for Confluence app (versions 2.7.34, 2.7.35, and 3.0.2) and is meant to help admins migrate data from the app to Confluence Cloud.

According to Atlassian, the app helps improve communication with the organization's internal Q&A team and is currently installed on over 8,000 Confluence servers.

"The disabledsystemuser account is created with a hardcoded password and is added to the confluence-users group, which allows viewing and editing all non-restricted pages within Confluence by default," the company explained in a security advisory published on Wednesday.

"A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access any pages the confluence-users group has access to."

Atlassian says it has no evidence, and has received no reports, that the vulnerability (tracked as CVE-2022-26138) is being exploited in the wild.

However, the company warned that "the hardcoded password is trivial to obtain after downloading and reviewing affected versions of the app."

Affected app: Questions for Confluence

Affected versions:
  • 2.7.x: 2.7.34, 2.7.35
  • 3.0.x: 3.0.2

Update to a patched version as soon as possible

Admins who want to determine if their servers are affected by this hardcoded credentials security flaw have to check for an active user account with the following info:

  • User: disabledsystemuser
  • Username: disabledsystemuser
  • Email: dontdeletethisuser@email.com

On affected servers, uninstalling the Questions for Confluence app does not remediate this vulnerability and will not remove the attack vector (i.e., the disabledsystemuser account with a hardcoded password).

To fix the issue, Atlassian recommends either updating to a patched version of Questions for Confluence or disabling/deleting the disabledsystemuser account.

Updating the Questions for Confluence app to a fixed version (versions 2.7.x >= 2.7.38 or versions higher than 3.0.5) will stop creating the problematic user account and remove it if present.

To disable or delete the account, you can use the detailed steps provided in this support document.

To look for evidence of exploitation on your servers, you should check the last authentication time for disabledsystemuser by following these instructions. If the result is null, it means the account exists on the system, but no one has signed in using it.
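The two checks above (does the account exist, and has anyone ever authenticated as it) can be run directly against the Confluence database. This is an added example, not a query from the article or from Atlassian's support document; it assumes a PostgreSQL-backed Confluence whose embedded-Crowd user directory lives in the standard cwd_user and cwd_user_attribute tables, with the last successful login stored as a lastAuthenticated attribute holding epoch milliseconds (those table, column and attribute names are assumptions from the common Confluence schema and should be verified against your instance before use).

```sql
-- Added example (assumed Confluence/embedded-Crowd schema, PostgreSQL syntax).
-- Check 1: does the disabledsystemuser account exist, and is it active?
-- Username and e-mail are the indicators given in Atlassian's advisory.
SELECT u.id,
       u.user_name,
       u.email_address,
       u.active          -- 1 = enabled, 0 = disabled (assumed encoding)
FROM   cwd_user u
WHERE  u.lower_user_name = 'disabledsystemuser'
   OR  LOWER(u.email_address) = 'dontdeletethisuser@email.com';

-- Check 2: when did anyone last authenticate as that account?
-- LEFT JOIN so the account still appears when it has never been used:
-- a row with last_authenticated = NULL means "account exists, never signed in",
-- while no row at all means the account is not present on this server.
SELECT u.user_name,
       to_timestamp(ua.attribute_value::bigint / 1000) AS last_authenticated
FROM   cwd_user u
LEFT JOIN cwd_user_attribute ua
       ON  ua.user_id        = u.id
       AND ua.attribute_name = 'lastAuthenticated'   -- assumed attribute name
WHERE  u.lower_user_name = 'disabledsystemuser';
```

A non-null last_authenticated on a server where no admin knowingly used the account is the signal to treat as possible exploitation and investigate further.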
