Flash Notice: Atlassian Confluence Critical Hardcoded Password Vulnerability Under Active Exploitation

Overview of atlassian vulnerability 

A hardcoded credentials vulnerability was found in the Questions for Confluence app and is under active exploitation. The vulnerability allows remote, unauthenticated attackers that know the hardcoded password for specific accounts in the app, to gain access to non-restricted pages in Confluence.  

CVE-2022-26138 was observed to be under active exploitation by Rapid7 and affects several on-premises Confluence products, including:  

• Confluence Server  
• Confluence Data Center  

The vulnerability was patched by Atlassian last week but was not being exploited by attackers at that time. However, once the hardcoded password was released on social media, attackers quickly sprang into action. Although the vulnerability only exists when the Questions for Confluence app is enabled on the below affected versions, we urge that you patch immediately. See the affected versions below:  

• Questions for Confluence 2.7.x 
• 2.7.34 
• 2.7.35 
• Questions for Confluence  
• 3.0.x 
• 3.0.2 

According to Rapid 7, If an attacker successfully exploits CVE-2022-26138, they will be able to create a user account with a hardcoded password and add the account to a user group, allowing access to all non-restricted pages in Confluence. Ultimately, the attacker will be able to browse an organization’s Confluence. 

 Please keep in mind that although the vulnerability stems from the disabledsystemuser account, which helps administrators migrate data from the app to the Confluence cloud, CVE-2022-26138 does not impact the Confluence Cloud instance. If your organization uses on-premises Confluence, following Atlassian’s guidance on patching is the best option.  

How Avertium is Protecting Our Customers:

• Expanding endpoints, cloud computing environments, and accelerated digital transformation have decimated the perimeter in an ever-expanding attack surface. Avertium’s offers Attack Surface Management, so you’ll have no more blind spots, weak links, or fire drills.  
  
• To identify the source of your breach and the scope that it reached; you’ll want to include Avertium’s DFIR services in your protection plan. We offer DFIR (Digital Forensics and Incident Response) to mitigate damage from a successful breach.   
  
• Minimizing the impact of a successful ransomware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization to accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior. 

Avertium's recommendations

• Simply uninstalling the app will not remediate the flaw. Avertium recommends that organizations immediately follow Atlassian’s patching and mitigation guidance which can be found here. 
   
• Atlassian recommends that organizations refer to the following document to determine if anyone has successfully exploited CVE-2022-26138: Evidence of Exploitation.  

 INDICATOR'S OF COMPROMISE (IOCS):

According to Atlassian, the following have been identified as sources of malicious activity:  

• User: disabledsystemuser 
• Username: disabledsystemuser 
• Email: dontdeletethisuser@email[.com] 

Supporting documentation

Questions For Confluence Security Advisory 2022-07-20 | Confluence Data Center and Server 7.18 | Atlassian Documentation 

Active Exploitation of Atlassian’s Questions for Confluence App CVE-2022-26138 | Rapid7 Blog 

Atlassian Confluence Hardcoded Credentials Bug Actively Exploited | Decipher (duo.com) 

Related Reading: Flash Notice: New Ransomware Family, HavanaCrypt, Disguises Itself as Fake Google Update

Contact us for more information about Avertium’s managed security service capabilities.