Atlassian is urging users to apply available fixes for a critical hardcoded credentials vulnerability in the Confluence Server and Data Center, after an external party discovered and publicly disclosed the hardcoded password on Twitter.
In its initial release on Wednesday, Atlassian said that a remote, unauthenticated attacker that knows the hardcoded password for a specific account on the Questions for Confluence app - which Atlassian describes as a "community-driven Q&A forum on Confluence" - could exploit the flaw (CVE-2022-26138) in order to gain access to pages available to the confluence-users group. The issue has now become more time sensitive as the hardcoded password is circulating on social media, said Atlassian in a Thursday update to the security advisory.
"An external party has discovered and publicly disclosed the hardcoded password on Twitter," according to the update to the Atlassian security advisory. "This issue is likely to be exploited in the wild now that the hardcoded password is publicly known. This vulnerability should be remediated on affected systems immediately."
The issue involves the disabledsystemuser account, which is intended to help administrators migrate data from the app to Confluence Cloud. When this account is created by the Questions for Confluence app, it is given a hardcoded password. The account is then added to the confluence-users group, which by default allows viewing and editing of all non-restricted pages in Confluence.
According to the security advisory, users can remediate the issue either by updating to a non-vulnerable version of Questions for Confluence or by disabling or deleting the disabledsystemuser account.
"Uninstalling the Questions for Confluence app does not remediate this vulnerability. The disabledsystemuser account does not automatically get removed after the app has been uninstalled," according to Atlassian.
The specific versions impacted by the flaw are Questions for Confluence 2.7.34 and 2.7.35, and Questions for Confluence 3.0.2. According to the security advisory, a Confluence Server or Data Center instance is impacted if it has an active user account with the username "disabledsystemuser" and the email "dontdeletethisuser@email[.]com." If no such account appears in the list of active users, the Confluence instance is not affected, the company noted.
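The advisory's triage logic (affected app versions, the username and email pair to look for, the fact that uninstalling the app alone does not remediate, and that a disabled account is remediated) can be encoded as a small offline check over a user-directory export. This is an added example, not Atlassian's code; the `Account` row shape and the sample rows are constructed assumptions, and the email is kept in the article's defanged form and normalised before comparison.

```python
from dataclasses import dataclass

# Indicators as stated in the article; the email keeps the article's
# defanged form and is normalised before comparison.
AFFECTED_APP_VERSIONS = {"2.7.34", "2.7.35", "3.0.2"}
SUSPECT_USERNAME = "disabledsystemuser"
SUSPECT_EMAIL = "dontdeletethisuser@email[.]com"
PRIVILEGED_GROUP = "confluence-users"

def refang(value: str) -> str:
    """Turn a defanged indicator like 'a@b[.]com' back into 'a@b.com'."""
    return value.replace("[.]", ".").strip().lower()

@dataclass
class Account:  # hypothetical shape of one row from a user-directory export
    username: str
    email: str
    active: bool
    groups: tuple

def is_suspect_account(acct: Account) -> bool:
    """True when username and email both match the advisory's indicator pair."""
    return (acct.username.strip().lower() == SUSPECT_USERNAME
            and refang(acct.email) == refang(SUSPECT_EMAIL))

def assess(app_version, app_installed, accounts):
    """Return ('vulnerable' | 'not_affected', findings) for one instance."""
    findings = []
    if app_installed and app_version in AFFECTED_APP_VERSIONS:
        findings.append(f"Questions for Confluence {app_version} is an affected version")
    elif not app_installed:
        findings.append("app not installed, which by itself does not remediate")
    # Only an *active* matching account makes the instance vulnerable.
    hits = [a for a in accounts if is_suspect_account(a) and a.active]
    for a in hits:
        msg = f"active account {a.username!r} matches the hardcoded-credential account"
        if PRIVILEGED_GROUP in a.groups:
            msg += f"; in {PRIVILEGED_GROUP}, so it can view/edit non-restricted pages"
        findings.append(msg)
    if not hits and any(is_suspect_account(a) for a in accounts):
        findings.append("suspect account present but disabled: remediated per advisory")
    return ("vulnerable" if hits else "not_affected"), findings

SAMPLE_ACCOUNTS = [  # constructed sample rows, not from any real instance
    Account("admin", "admin@corp.example", True, ("confluence-administrators",)),
    Account("DisabledSystemUser", "dontdeletethisuser@email.com", True, ("confluence-users",)),
]
```

Running `assess("2.7.35", True, SAMPLE_ACCOUNTS)` reports the instance as vulnerable; passing `app_installed=False` with the same rows still reports vulnerable, mirroring the advisory's note that uninstalling the app is not a fix.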
Vulnerabilities in Atlassian products have previously been targeted by attackers. In June, threat actors exploited a zero-day flaw in the Atlassian Confluence Server and Data Center that allowed remote code execution without authentication. Attackers, including nation-state actors, quickly closed in on the flaw in order to deploy web shells, botnets, cryptocurrency mining malware and ransomware.