What’s worse than a widely used Internet-connected business app with a hard-coded password? Try that same app after the hard-coded password has been leaked to the world.
Atlassian disclosed three critical product vulnerabilities on Wednesday, including CVE-2022-26138, which stems from a hard-coded password in Questions for Confluence, an app that allows users to quickly receive support for frequently asked questions involving Atlassian products. The company warned that the password was “trivial to obtain.”
The company said Questions for Confluence had 8,055 installs at the time of publication. Once installed, the app creates a Confluence user account called disabledsystemuser, which is intended to help administrators move data between the app and the Confluence Cloud service. The hardcoded password protecting this account allows viewing and editing of all non-restricted pages in Confluence.
“A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and gain access to all pages accessed by the group of confluence users,” the company said. “It is important to patch this vulnerability on affected systems immediately.”
A day later, Atlassian was back to report that “an external party has discovered and publicly disclosed the hard-coded password on Twitter,” prompting the company to increase its warnings.
“This issue is likely to be exploited in the wild now that the hardcoded password is publicly known,” the updated message said. “This vulnerability should be patched on affected systems immediately.”
The company warned that even when Confluence installations do not actively have the app installed, they may still be vulnerable. Uninstalling the app does not automatically fix the security issue because the disabled system user account may still reside on the system.
To determine if a system is vulnerable, Atlassian advised Confluence users to search for accounts with the following information:
- User: disabled system user
- Username: disabled system user
- Email: email@example.com
Atlassian provided more instructions for finding such accounts here. The vulnerability affects Questions for Confluence versions 2.7.x and 3.0.x. Atlassian gave customers two ways to fix the problem: disable or remove the “disabledsystemuser” account. The company has also published this list of answers to frequently asked questions.
Confluence users looking for evidence of exploitation can check the last authentication time of disabledsystemuser using the instructions here. If the result is null, the account exists on the system, but no one has yet logged in with it. The commands also list all recent login attempts that were successful or failed.
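The check described above, as an added example that is not Atlassian's own instructions: it answers the two questions the advisory raises (does the disabledsystemuser account exist, and has anyone ever authenticated with it?) against an in-memory SQLite copy of two Confluence tables. The table and column names used here (cwd_user, logininfo, successdate, faileddate, totalfailed) are assumptions about the Confluence schema and must be confirmed against your own database before adapting the queries; all rows are constructed sample data.

```python
import sqlite3

# Added example, not code from Atlassian's advisory. Table and column names
# below are assumptions about the Confluence schema; verify them locally.

ACCOUNT = "disabledsystemuser"

SCHEMA = """
CREATE TABLE cwd_user (
    user_name     TEXT PRIMARY KEY,
    display_name  TEXT,
    email_address TEXT,
    active        INTEGER NOT NULL        -- 1 = enabled, 0 = disabled
);
CREATE TABLE logininfo (
    username     TEXT PRIMARY KEY,
    successdate  TEXT,                    -- last successful login, NULL = never
    faileddate   TEXT,                    -- last failed login, NULL = none
    totalfailed  INTEGER NOT NULL DEFAULT 0
);
"""

# Constructed sample data for four hosts in different states.
SAMPLES = {
    "never-installed": ([], []),
    "installed-unused": (
        [(ACCOUNT, "disabled system user", "email@example.com", 1)],
        [(ACCOUNT, None, None, 0)],
    ),
    "used-by-someone": (
        [(ACCOUNT, "disabled system user", "email@example.com", 1)],
        [(ACCOUNT, "2022-07-21 09:14:02", "2022-07-21 09:13:40", 3)],
    ),
    "mitigated": (
        [(ACCOUNT, "disabled system user", "email@example.com", 0)],
        [(ACCOUNT, None, None, 0)],
    ),
}


def build_db(users, logins):
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO cwd_user VALUES (?,?,?,?)", users)
    conn.executemany("INSERT INTO logininfo VALUES (?,?,?,?)", logins)
    return conn


def assess(conn):
    """Classify a Confluence database with respect to the app's account."""
    user = conn.execute(
        "SELECT user_name, display_name, email_address, active "
        "FROM cwd_user WHERE user_name = ?", (ACCOUNT,)).fetchone()
    if user is None:
        return {"status": "absent", "action": "none"}

    login = conn.execute(
        "SELECT successdate, faileddate, totalfailed "
        "FROM logininfo WHERE username = ?", (ACCOUNT,)).fetchone()
    # No logininfo row means the account has never been used at all.
    success, failed, nfailed = login if login else (None, None, 0)

    if not user[3]:
        status, action = "present-disabled", "remove the account"
    elif success is None:
        # Account exists but the last authentication time is null:
        # exploitable, but no sign anyone has logged in yet.
        status, action = "present-never-used", "disable or remove the account"
    else:
        # Someone has authenticated with the hard-coded credential.
        status, action = "present-logged-in", "treat as compromise; investigate, then remove"
    return {"status": status, "action": action, "last_success": success,
            "last_failed": failed, "failed_count": nfailed}


def run_samples():
    """Return the verdict for every constructed host."""
    return {name: assess(build_db(u, l))["status"] for name, (u, l) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (u, l) in SAMPLES.items():
        print(name, assess(build_db(u, l)))
```

The three non-absent verdicts map onto the advisory's guidance: a null last-success time means the account is present but unused and should simply be disabled or removed, a disabled account still merits removal, and any non-null success time is evidence that the credential has been used and the host needs a proper investigation rather than just cleanup.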
“Now that the patches are out, expect patch diffs and reverse engineering to produce a public POC in a fairly short period of time,” Casey Ellis, founder of vulnerability reporting service Bugcrowd, wrote in a direct message. “Atlassian shops should start patching public products immediately, and those behind the firewall as quickly as possible. The comments in the advisory recommending against proxy filtering as a mitigation suggest that there are multiple trigger paths.”
The other two vulnerabilities Atlassian revealed on Wednesday are also serious, affecting the following products:
- Bamboo Server and Data Center
- Bitbucket Server and Data Center
- Confluence Server and Data Center
- Crowd Server and Data Center
- Jira Server and Data Center
- Jira Service Management Server and Data Center
Tracked as CVE-2022-26136 and CVE-2022-26137, these vulnerabilities allow remote, unauthenticated hackers to bypass Servlet filters used by first- and third-party apps.
“The impact depends on which filters are applied by each app and how the filters are applied,” the company said. “Atlassian has released updates that fix the cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability.”
Vulnerable Confluence servers have long been a favorite opening for hackers looking to install ransomware, cryptominers, and other forms of malware. The vulnerabilities Atlassian disclosed this week are serious enough that administrators should prioritize a thorough review of their systems, ideally before the weekend starts.