What’s worse than a widely deployed, internet-connected enterprise application with a hard-coded password? Try this enterprise app after the hard-coded password has been shared with the world.
Atlassian on Wednesday uncovered three critical product vulnerabilities, including CVE-2022-26138, which originated from a hard-coded password in Questions for Confluence, an app that allows users to quickly get support for frequently asked questions about Atlassian products. The company warned that the passcode is “trivial to get.”
The company stated that Questions for Confluence had 8,055 installs at the time of publication. Upon installation, the app creates a Confluence user account named disabledsystemuser, which is intended to help admins move data between the app and the Confluence cloud service. The hard-coded password protecting this account allows viewing and editing of any unrestricted page in Confluence.
“A remote, unauthenticated attacker with knowledge of the hard-coded password could exploit this to log into Confluence and access any pages that the Confluence user group has access to,” the company said. “It is important to address this vulnerability immediately on affected systems.”
A day later, Atlassian chimed in and reported that “an outside party discovered and posted the hard-coded password on Twitter,” prompting the company to step up its warnings.
“This issue is likely to be exploited in the wild because the hard-coded password is public knowledge,” the updated advisory reads. “This vulnerability should be addressed immediately on affected systems.”
The company warned that even Confluence installations that no longer have the app installed could still be vulnerable. Uninstalling the app does not automatically fix the vulnerability, because the disabledsystemuser account can still exist on the system.
To find out if a system is vulnerable, Atlassian advised Confluence users to look for accounts with the following information:
- User: disabledsystemuser
- Username: disabledsystemuser
- E-mail: email@example.com
Atlassian has provided further instructions on how to find such accounts here. The vulnerability affects Questions for Confluence versions 2.7.x and 3.0.x. Atlassian offered customers two options to resolve the issue: disable or remove the disabledsystemuser account. The company has also published this list of answers to frequently asked questions.
Confluence users looking for evidence of exploits can check the last authentication time for disabledsystemuser using the instructions here. If the result is zero, the account exists in the system but no one has logged in with it yet. The commands also show any recent login attempts that were successful or unsuccessful.
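The two checks above (does the disabledsystemuser account exist, and has anyone authenticated with it) can be folded into one triage routine. The following is an added example, not Atlassian's own tooling or query; the record format is an assumption standing in for whatever user and login export an admin pulls from their instance.

```python
"""Triage helper for CVE-2022-26138 (Questions for Confluence hard-coded
password). Example code, not Atlassian's own tooling. The UserRecord
layout is an assumption: one row per Confluence user, with the login
statistics the advisory tells admins to look at."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ACCOUNT_NAME = "disabledsystemuser"  # account created by the app (from the advisory)


@dataclass
class UserRecord:
    username: str
    active: bool                 # False if the admin has already disabled it
    successful_logins: int       # count of successful authentications
    last_success: Optional[str]  # ISO timestamp of the last success, or None
    failed_logins: int           # count of failed authentication attempts


def triage(users: List[UserRecord]) -> Tuple[str, str]:
    """Classify one instance. Order matters: a successful login is checked
    before the disabled flag, because disabling the account afterwards does
    not undo an earlier login with the public password."""
    matches = [u for u in users if u.username == ACCOUNT_NAME]
    if not matches:
        return "not_vulnerable", "no disabledsystemuser account present"
    u = matches[0]
    if u.successful_logins > 0:
        return "possibly_exploited", (f"{u.successful_logins} successful login(s), "
                                      f"last at {u.last_success}")
    if not u.active:
        return "remediated_disabled", "account present but disabled; never logged in"
    # Account exists, is active and has never authenticated: the "zero" case
    # described in the advisory. Still vulnerable until disabled or removed.
    return "vulnerable", (f"account active, never logged in "
                          f"({u.failed_logins} failed attempt(s) recorded)")


# Constructed sample exports (not real data) covering each outcome.
SAMPLE_CLEAN = [UserRecord("alice", True, 12, "2022-07-20T09:14:00Z", 0)]
SAMPLE_VULNERABLE = SAMPLE_CLEAN + [UserRecord(ACCOUNT_NAME, True, 0, None, 3)]
SAMPLE_DISABLED = SAMPLE_CLEAN + [UserRecord(ACCOUNT_NAME, False, 0, None, 0)]
SAMPLE_EXPLOITED = SAMPLE_CLEAN + [UserRecord(ACCOUNT_NAME, False, 1,
                                              "2022-07-21T23:02:11Z", 0)]

if __name__ == "__main__":
    for name, export in [("clean", SAMPLE_CLEAN), ("vulnerable", SAMPLE_VULNERABLE),
                         ("disabled", SAMPLE_DISABLED), ("exploited", SAMPLE_EXPLOITED)]:
        status, detail = triage(export)
        print(f"{name:>10}: {status:<20} {detail}")
```

The "possibly_exploited" outcome should trigger incident response on the pages the Confluence user group can reach, whereas "vulnerable" only calls for the disable-or-remove step from the advisory.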
“Now that the patches are out, expect patch diffs and reverse engineering efforts to create a public POC in a relatively short amount of time,” wrote Casey Ellis, founder of vulnerability reporting service Bugcrowd, in a direct message. “Atlassian stores should start patching public facing products immediately, and those behind the firewall as soon as possible.”
The other two vulnerabilities that Atlassian announced on Wednesday are also serious and affect the following products:
- Bamboo servers and data center
- Bitbucket servers and data center
- Confluence server and data center
- Crowd servers and data center
- Jira Server and data center
- Jira Service Management Server and data center
These vulnerabilities, tracked as CVE-2022-26136 and CVE-2022-26137, allow remote, unauthenticated hackers to bypass servlet filters used by first- and third-party apps.
“The impact depends on what filters are used by each app and how the filters are used,” the company said. “Atlassian has released updates that address the root cause of this vulnerability, but has not fully enumerated all possible consequences of this vulnerability.”
Vulnerable Confluence servers have long been a popular entry point for hackers looking to install ransomware, cryptominers, and other forms of malware. The vulnerabilities Atlassian disclosed this week are serious enough that admins should prioritize a thorough scan of their systems, ideally before the weekend begins.