Atlassian has patched a critical hardcoded credentials vulnerability in Confluence Server and Data Center that could let remote, unauthenticated attackers log into vulnerable, unpatched servers.
The hardcoded password belongs to a user account with the username disabledsystemuser that is created after installing the Questions for Confluence app (versions 2.7.34, 2.7.35, and 3.0.2); the account is intended to help admins migrate data from the app to Confluence Cloud.
According to Atlassian, the app helps improve communication with the organization’s internal Q&A team and is currently installed on over 8,000 Confluence servers.
“The disabledsystemuser account is created with a hardcoded password and is added to the confluence-users group, which allows viewing and editing all non-restricted pages within Confluence by default,” the company explained in a security advisory published on Wednesday.
“A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access any pages the confluence-users group has access to.”
Atlassian says it has no evidence and is yet to receive reports that the vulnerability (tracked as CVE-2022-26138) is being exploited in the wild.
However, the company warned that “the hardcoded password is trivial to obtain after downloading and reviewing affected versions of the app.”
Affected app versions: Questions for Confluence 2.7.x (2.7.34 and 2.7.35) and Questions for Confluence 3.0.x (3.0.2).
Update to a patched version as soon as possible
Admins who want to determine if their servers are affected by this hardcoded credentials security flaw have to check for an active user account with the following info:
On affected servers, uninstalling the Questions for Confluence app does not remediate this vulnerability and will not remove the attack vector (i.e., the disabledsystemuser account with a hardcoded password).
To fix the issue, Atlassian recommends either updating to a patched version of Questions for Confluence or disabling/deleting the disabledsystemuser account.
Updating the Questions for Confluence app to a fixed version (versions 2.7.x >= 2.7.38 or versions higher than 3.0.5) will stop creating the problematic user account and remove it if present.
To disable or delete the account, you can use the detailed steps provided in this support document.
To look for evidence of exploitation on your servers, you should check the last authentication time for disabledsystemuser by following these instructions. If the result is null, it means the account exists on the system, but no one has signed in using it.
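The checks described above (is the account present, has it ever authenticated, does the installed app version still create it) condensed into a small triage script. This is an added example, not Atlassian's code or tooling; the row shape (username, active flag, last-authentication time) and the sample directories are constructed for the example.

```python
"""Added triage helper for CVE-2022-26138 (example code, not Atlassian's).

Each server is represented by a list of user-directory rows shaped as
(username, active, last_authenticated). That row shape and the sample data
below are constructed for this example, not exported from Confluence."""
from datetime import datetime
from typing import Iterable, Optional, Tuple

UserRow = Tuple[str, bool, Optional[datetime]]

HARDCODED_ACCOUNT = "disabledsystemuser"
# App versions the advisory names as creating the account.
AFFECTED_APP_VERSIONS = {"2.7.34", "2.7.35", "3.0.2"}


def triage(rows: Iterable[UserRow], app_version: Optional[str] = None) -> dict:
    """Classify one server: is the hardcoded account there, and has it been used?

    A null last-authentication time means the account exists but nobody has
    signed in with it; any timestamp is evidence that needs investigation."""
    result = {"status": "account_absent", "action": "none"}
    for username, active, last_auth in rows:
        if username.lower() != HARDCODED_ACCOUNT:
            continue
        if last_auth is None:
            result = {"status": "account_present_never_used",
                      "active": active,
                      "action": "disable or delete the account; update the app"}
        else:
            result = {"status": "account_used",
                      "active": active,
                      "last_authenticated": last_auth.isoformat(),
                      "action": "treat as possible compromise: disable the "
                                "account, review pages confluence-users can reach"}
        break
    # Uninstalling the app does not remove the account, so the version only
    # tells you whether the installed app would (re)create it.
    if app_version in AFFECTED_APP_VERSIONS:
        result["app_still_creates_account"] = True
    return result


# Constructed sample directories for three servers.
CLEAN = [("alice", True, datetime(2022, 7, 20, 9, 0))]
PRESENT_UNUSED = CLEAN + [(HARDCODED_ACCOUNT, True, None)]
USED = CLEAN + [(HARDCODED_ACCOUNT, True, datetime(2022, 7, 19, 3, 14))]

if __name__ == "__main__":
    for name, rows in [("clean", CLEAN), ("unused", PRESENT_UNUSED), ("used", USED)]:
        print(name, triage(rows, app_version="2.7.35"))
```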