Atlassian has released a security advisory for a vulnerability (CVE-2022-26138) in the Questions for Confluence app for Confluence Server and Data Center. An attacker could exploit this vulnerability to obtain sensitive information. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the recently disclosed flaw to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
When the Questions for Confluence app is enabled on Confluence Server or Data Center, it creates a Confluence user account with the username disabledsystemuser. The account is intended to help administrators migrate data from the app to Confluence Cloud. It is created with a hardcoded password and is added to the confluence-users group, which by default can view and edit every page in Confluence that has not been restricted. The account is created when installing versions 2.7.34, 2.7.35 and 3.0.2 of the app. A remote, unauthenticated attacker who knows the hardcoded password can log into Confluence as this user and access any content the confluence-users group can reach. In practice this is a default credential: no exploit beyond an ordinary login is required.
The disabledsystemuser account is configured with an email address at a third-party service that Atlassian does not control. If the vulnerability has not been remediated per the Fixes section below, an affected instance that is configured to send notifications will email that address. One example is the Recommended Updates notification, which contains a report of the top pages from the Confluence spaces the user is permitted to view, so a summary of content visible to that account leaves the instance even if nobody ever logs in with it. Atlassian is working with the provider of the third-party email address to investigate and close the account. An external party has discovered the hardcoded password and publicly disclosed it on Twitter.
How To Determine If You Are Affected:
A Confluence Server or Data Center instance is affected if it has an active user account with the username disabledsystemuser. The full account details (username and the configured email address) are listed in Atlassian's advisory.
Note that the account can still be present if the Questions for Confluence app was installed and later uninstalled: removing the app does not remove the account, so check the user list rather than the installed-apps list. If the account does not show up in the list of active users, the Confluence instance is not affected.
There are two options available to mitigate this security vulnerability (CVE-2022-26138).
Option 1: Update to a non-vulnerable version of Questions for Confluence
Update the Questions for Confluence app to a fixed version:
2.7.x >= 2.7.38 (compatible with Confluence 6.13.18 through 7.16.2)
Versions >= 3.0.5 (compatible with Confluence 7.16.3 and later)
Option 2: Disable or delete the disabledsystemuser account
Search for the disabledsystemuser account in Confluence user management and either disable it or delete it. This option also covers instances where the app has already been uninstalled but the account remains.
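The check and the fix above reduce to two questions: is an active disabledsystemuser account present, and is the installed app version one of the fixed ones? The script below is an added example for this write-up, not Atlassian's code or tooling. It assumes the operator has already exported the installed Questions for Confluence version and the Confluence user list (from the admin UI, the REST API or a database query); the user records at the bottom are constructed sample data, and the field names on ConfluenceUser are this example's own.

```python
"""Triage helper for CVE-2022-26138: does this Confluence instance carry the
hardcoded disabledsystemuser account, and which of the two fixes apply?

Added example for this write-up; not Atlassian's code. It assumes the app
version and the user list have already been exported by the operator.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

HARDCODED_USERNAME = "disabledsystemuser"
DEFAULT_GROUP = "confluence-users"

# From the advisory: installing these app versions creates the account ...
ACCOUNT_CREATING_VERSIONS = {(2, 7, 34), (2, 7, 35), (3, 0, 2)}
# ... and these are the first fixed versions of each release line.
FIXED_2_7 = (2, 7, 38)
FIXED_3_X = (3, 0, 5)


def parse_version(version: str) -> Tuple[int, ...]:
    """Compare versions numerically. As strings, "2.7.38" < "2.7.4", which
    would wrongly mark a fixed build as vulnerable."""
    return tuple(int(part) for part in version.strip().split("."))


def version_creates_account(version: str) -> bool:
    """True for the three releases the advisory says create the account."""
    return parse_version(version) in ACCOUNT_CREATING_VERSIONS


def version_is_fixed(version: str) -> bool:
    """2.x line is fixed from 2.7.38 (Confluence 6.13.18 - 7.16.2);
    3.x line is fixed from 3.0.5 (Confluence 7.16.3 and later)."""
    v = parse_version(version)
    if v[0] == 2:
        return v >= FIXED_2_7
    return v >= FIXED_3_X


@dataclass(frozen=True)
class ConfluenceUser:
    """Minimal view of an exported user; field names are this example's own."""
    username: str
    active: bool
    groups: Tuple[str, ...] = ()


def find_hardcoded_account(users: Iterable[ConfluenceUser]) -> Optional[ConfluenceUser]:
    """Match case-insensitively so an export that preserved display casing
    still finds the account."""
    for user in users:
        if user.username.lower() == HARDCODED_USERNAME:
            return user
    return None


def assess(app_version: Optional[str], users: Iterable[ConfluenceUser]) -> dict:
    """app_version is None when the app is not installed (it may have been
    uninstalled). The deciding fact is an *active* disabledsystemuser account:
    neither an uninstalled nor an updated app proves the account is gone."""
    account = find_hardcoded_account(users)
    affected = account is not None and account.active
    actions: List[str] = []
    if app_version is not None and not version_is_fixed(app_version):
        actions.append("update Questions for Confluence to 2.7.38+ (2.7.x) or 3.0.5+")
    if affected:
        actions.append("disable or delete the disabledsystemuser account")
    return {
        "affected": affected,
        "account_present": account is not None,
        "account_active": bool(account and account.active),
        "in_confluence_users": bool(account and DEFAULT_GROUP in account.groups),
        "app_version_fixed": None if app_version is None else version_is_fixed(app_version),
        "actions": actions,
    }


# Constructed sample: an instance where a 3.0.2 install created the account.
SAMPLE_USERS = (
    ConfluenceUser("admin", True, ("confluence-administrators", DEFAULT_GROUP)),
    ConfluenceUser(HARDCODED_USERNAME, True, (DEFAULT_GROUP,)),
)

if __name__ == "__main__":
    # Same user list, three app states: vulnerable, updated, uninstalled.
    for version in ("3.0.2", "3.0.5", None):
        print(version, assess(version, SAMPLE_USERS))
```

Run as a script, the three sample assessments all report the instance as affected, because the active account is present in every case; only the recommended actions differ. That is the point of the advisory's wording: the user list, not the app version or its presence, is the ground truth.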
Impacted customers can assess their exposure to this Atlassian security flaw by registering for a free trial of Tenable.io.
Current Armoryze customers should update their security scanners to include the remote vulnerability check for CVE-2022-26138 released on July 29, 2022.