Following the public disclosure of information needed to exploit a newly patched vulnerability, Atlassian has warned users that a flaw in Questions for Confluence is likely to be exploited in attacks.
Questions for Confluence is a knowledge-sharing tool that lets Confluence users quickly find information, share it with others, and reach subject-matter experts when needed. The app is not bundled with Confluence; it is a paid, optional add-on.
Last week Atlassian patched a serious vulnerability in the app that affects the Confluence Server and Data Center products.
When activated on the affected products, Questions for Confluence generates a user account with the username disabledsystemuser and a hardcoded password. This security flaw is tracked as CVE-2022-26138.
The user account has access to all non-restricted sites in Confluence because it has been added to the confluence-users group.
Late this week, Atlassian revised its alert to warn that the hardcoded password had been made public and to offer more details on how to fix the flaw and search for signs of a breach.
The hardcoded password was discovered and published on Twitter by an outside party. Atlassian's revised alert advises administrators of affected systems to patch the issue promptly.
“An external party has discovered and publicly disclosed the hardcoded password on Twitter. Therefore, it is important to remediate this vulnerability on affected systems immediately”, Atlassian’s updated advisory reads.
According to Atlassian, more than 8,000 installations of Questions for Confluence are currently active. Systems that have run Questions for Confluence 2.7.34, 2.7.35, or 3.0.2 are affected even if the app has since been uninstalled.
To address the vulnerability, Atlassian released versions 2.7.38 (compatible with Confluence 6.13.18 through 7.16.2) and 3.0.5 (compatible with Confluence 7.16.3 and later). These releases no longer contain the hardcoded password and remove the disabledsystemuser account if it was previously created.
Atlassian cautions that, where Confluence is configured to use a read-only external directory, users must explicitly look for the disabledsystemuser account themselves and remove or disable it.
“We recommend updating the Questions for Confluence app, which will remove this user from the system. If this isn’t possible for any reason, you should disable or delete the user,” Atlassian notes in an FAQ for CVE-2022-26138.
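Beyond removing the account, Atlassian's revised alert tells administrators to look for signs that it was ever used. The following added example (not from the article or from Atlassian) shows one way to do that over access logs: it assumes a simplified line layout modelled on Confluence's Tomcat access log, where the authenticated username is recorded from the X-AUSERNAME response header, and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed line layout (modelled on Confluence's Tomcat access log, which
# records the authenticated user from the X-AUSERNAME response header):
#   <client ip> <username or -> [<timestamp>] "<request line>" <status>
# The lines below are constructed sample data, not real log output.
SAMPLE_LOG = """\
203.0.113.7 - [24/Jul/2022:09:12:01 +0000] "GET /login.action HTTP/1.1" 200
203.0.113.7 disabledsystemuser [24/Jul/2022:09:12:05 +0000] "POST /dologin.action HTTP/1.1" 302
203.0.113.7 disabledsystemuser [24/Jul/2022:09:12:09 +0000] "GET /rest/api/content?limit=100 HTTP/1.1" 200
198.51.100.4 alice [24/Jul/2022:09:15:44 +0000] "GET /display/ENG/Home HTTP/1.1" 200
203.0.113.9 disabledsystemuser [24/Jul/2022:11:40:00 +0000] "POST /dologin.action HTTP/1.1" 401
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
FLAGGED_USER = "disabledsystemuser"  # account named in the Atlassian advisory


def find_account_activity(log_text, username=FLAGGED_USER):
    """Group every request attributed to `username` by source IP.

    Responses with status < 400 count as successful use of the account;
    failed attempts are kept too so an operator can see probing."""
    activity = defaultdict(
        lambda: {"success": 0, "failed": 0, "first": None, "last": None, "paths": set()}
    )
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["user"] != username:
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        rec = activity[m["ip"]]
        ok = int(m["status"]) < 400
        rec["success" if ok else "failed"] += 1
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
        if ok:
            # request line is "<method> <path> <protocol>"; keep the path only
            parts = m["req"].split(" ")
            rec["paths"].add(parts[1] if len(parts) > 1 else m["req"])
    return dict(activity)


def compromise_indicated(log_text, username=FLAGGED_USER):
    """True if any request succeeded while authenticated as the account."""
    return any(r["success"] > 0 for r in find_account_activity(log_text, username).values())
```

Any source IP with a non-zero success count means the hardcoded account was actually used and the instance should be treated as compromised, not merely patched.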