A critical hardcoded-credentials vulnerability in Atlassian Confluence that was fixed last week is now under active exploitation.
The flaw (CVE-2022-26138) can be exploited by a remote, unauthenticated attacker who knows the hardcoded password for a specific account in the Questions for Confluence app, in order to gain access to all non-restricted pages in Confluence. Atlassian fixed the flaw on July 20, but a day later the company warned that an external party had publicly disclosed the hardcoded password on Twitter, and that the flaw was likely to be exploited.
“Unsurprisingly, it didn’t take long for Rapid7 to observe exploitation once the hardcoded credentials were released, given the high value of Confluence for attackers who often jump on Confluence vulnerabilities to execute ransomware attacks,” said Glenn Thorpe with Rapid7 in a Wednesday analysis.
The flaw stems from the disabledsystemuser account, which assists administrators migrating data from the app to Confluence Cloud. When the disabledsystemuser account is created by the Questions for Confluence app, it is given a hardcoded password. The account is then added to the confluence-users group, which by default allows viewing and editing of all non-restricted pages in Confluence. The flaw only exists when the Questions for Confluence app is enabled; the impacted versions are Questions for Confluence 2.7.34 and 2.7.35, and Questions for Confluence 3.0.2. That said, uninstalling the Questions for Confluence app does not remediate the flaw, Atlassian warned, because the account remains.
"Exploitation efforts at this point do not seem to be very widespread, though we expect that to change. The good news is that the vulnerability is in the Questions for Confluence app and not in Confluence itself, which reduces the attack surface significantly," said Erick Galinkin, principal artificial intelligence researcher at Rapid7. "At this point, the vulnerability has been public for a relatively short amount of time. Coupled with the absence of meaningful post-exploitation activity, we don't yet have any threat actors attributed to the attacks."
Atlassian announced the issue along with two other critical bugs in Java Servlet Filters. Those flaws (CVE-2022-26136 and CVE-2022-26137) can also be exploited by remote, unauthenticated attackers.
Both Rapid7 researchers and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged impacted organizations to mitigate the vulnerability immediately, especially because attackers place a high value on Atlassian products. In June, for instance, threat actors targeted a zero-day flaw (CVE-2022-26134) in Atlassian Confluence Server and Data Center that allowed remote code execution without authentication. Attackers, including nation-state actors, exploited that flaw to deploy web shells, botnets, cryptocurrency-mining malware and ransomware.
“Organizations using on-prem Confluence should follow Atlassian’s guidance on updating their instance or disabling/deleting the account,” said Thorpe.
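The triage steps the article describes (check whether the installed Questions for Confluence version is one of the affected releases, confirm the disabledsystemuser account has been disabled or deleted rather than relying on an app uninstall, and look for any authenticated activity by that account) can be collected into a small defender-side script. The following is an added example and is not code from Atlassian, Rapid7 or the article; the access-log line format it parses is a constructed simplification, not Confluence's actual log pattern, and the sample log lines and group names are constructed for the demonstration.

```python
"""Defender-side triage helper for CVE-2022-26138 (hardcoded disabledsystemuser
password in Questions for Confluence). Added example, not vendor code.

Assumptions (not from the article):
  - LOG_RE describes a CONSTRUCTED access-log line:
      <client-ip> <authenticated-user> [<timestamp>] "<method> <path> <proto>" <status>
    Adapt it to the access-log pattern your Confluence instance actually uses.
  - Account state (exists / active / group membership) is passed in by the
    caller, e.g. read from the Confluence user-management screen.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Versions the article names as impacted.
AFFECTED_VERSIONS = {"2.7.34", "2.7.35", "3.0.2"}
# The account the hardcoded password belongs to.
SUSPECT_ACCOUNT = "disabledsystemuser"
# Group that grants view/edit on all non-restricted pages by default.
DEFAULT_GROUP = "confluence-users"

# Constructed log format (see module docstring).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


@dataclass
class Finding:
    kind: str    # short machine-readable category
    detail: str  # human-readable explanation


def app_version_is_affected(version: str) -> bool:
    """True if the installed Questions for Confluence version is one the advisory lists."""
    return version.strip() in AFFECTED_VERSIONS


def account_needs_action(exists: bool, active: bool, groups: Iterable[str]) -> Optional[Finding]:
    """Apply Atlassian's guidance: the account must be disabled or deleted.

    This check runs regardless of whether the app is still installed, because
    uninstalling the app does not remove the account.
    """
    if not exists:
        return None
    if active:
        return Finding("account-active", f"{SUSPECT_ACCOUNT} is enabled; disable or delete it")
    if DEFAULT_GROUP in set(groups):
        return Finding("account-in-group",
                       f"{SUSPECT_ACCOUNT} is disabled but still a member of {DEFAULT_GROUP}")
    return None


def scan_access_log(lines: Iterable[str]) -> List[Finding]:
    """Flag every request attributed to the migration account.

    The account exists only to support data migration, so any interactive
    request by it is worth an incident-response look.
    """
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("user") == SUSPECT_ACCOUNT:
            findings.append(Finding(
                "account-activity",
                f'{m.group("ts")} {m.group("ip")} {m.group("method")} '
                f'{m.group("path")} -> {m.group("status")}'))
    return findings


def triage(version: str, exists: bool, active: bool, groups: Iterable[str],
           log_lines: Iterable[str]) -> dict:
    """Combine the three checks into one report."""
    findings = scan_access_log(log_lines)
    acct = account_needs_action(exists, active, groups)
    if acct:
        findings.insert(0, acct)
    return {"version_affected": app_version_is_affected(version), "findings": findings}


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - [24/Jul/2022:10:01:12 +0000] "GET /login.action HTTP/1.1" 200',
    '203.0.113.7 disabledsystemuser [24/Jul/2022:10:01:15 +0000] "POST /dologin.action HTTP/1.1" 302',
    '203.0.113.7 disabledsystemuser [24/Jul/2022:10:01:20 +0000] "GET /rest/api/content?limit=100 HTTP/1.1" 200',
    '198.51.100.4 alice [24/Jul/2022:10:05:00 +0000] "GET /display/ENG/Home HTTP/1.1" 200',
]

if __name__ == "__main__":
    report = triage("2.7.35", exists=True, active=True, groups=[DEFAULT_GROUP], log_lines=SAMPLE_LOG)
    print("version affected:", report["version_affected"])
    for f in report["findings"]:
        print(f"[{f.kind}] {f.detail}")
```

The version check only answers "is this one of the releases the advisory names"; the account check is deliberately independent of it, so an instance that has already removed the app still gets told to deal with the leftover account, which is the point Atlassian's warning makes.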