What’s worse than a widely used Internet-connected enterprise application with a hard-coded password? That same app once the hard-coded password has been revealed to the world.
Atlassian on Wednesday disclosed three critical product vulnerabilities, including CVE-2022-26138, which stems from a hard-coded password in Questions for Confluence, an app that lets users quickly get support for common questions involving Atlassian products. The company warned that the password was “trivial to obtain”.
The company said Questions for Confluence had 8,055 installs at the time of publication. When installed, the app creates a Confluence user account called disabledsystemuser, which is intended to help administrators move data between the app and the Confluence Cloud service. The hard-coded password protecting this account allows viewing and editing of all non-restricted pages within Confluence.
“A remote, unauthenticated attacker with knowledge of the hard-coded password could exploit this to log into Confluence and access any page that the confluence user group has access to,” the company said. “It is important to patch this vulnerability on affected systems immediately.”
A day later, Atlassian returned to report that “an external party has discovered and publicly disclosed the hard-coded password on Twitter,” prompting the company to amplify its warnings.
“This issue is likely to be exploited in the wild now that the hard-coded password is publicly known,” the updated advisory said. “This vulnerability should be patched immediately on affected systems.”
The company warned that Confluence installations may still be vulnerable even when the app is no longer actively installed. Uninstalling the app does not automatically fix the vulnerability, because the disabledsystemuser account may remain on the system.
To determine whether a system is vulnerable, Atlassian advised Confluence users to search for accounts with the following information:
- User: disabledsystemuser
- Username: disabledsystemuser
- Email: [email protected]
Atlassian provided more guidance on finding such accounts. The vulnerability affects Questions for Confluence versions 2.7.x and 3.0.x. Atlassian offered two ways for customers to fix the problem: disable or remove the “disabledsystemuser” account. The company has also published a list of answers to frequently asked questions.
Confluence users looking for evidence of exploitation can check the last authentication time for the disabledsystemuser account using Atlassian’s instructions. If the result is null, the account exists on the system but no one has yet logged in with it. The commands also show any recent login attempts, successful or unsuccessful.
“Now that the patches are out, we can expect patching and reverse engineering efforts to produce a public POC in a fairly short time,” Casey Ellis, founder of the vulnerability reporting service Bugcrowd, wrote in a direct message. “Atlassian shops should begin fixing public-facing products immediately, and those behind the firewall as soon as possible. Comments on advisories recommending against proxy filtering as mitigation suggest there are multiple avenues of abuse.”
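The triage steps Atlassian describes above (look for the account, then check whether it has ever authenticated) can be scripted once the user records have been pulled out of Confluence. The following is an added example, not Atlassian’s own tooling: it assumes the records have already been exported (for instance from the database query or user lookup Atlassian documents) into the `UserRecord` shape below, and all the host data it runs over is constructed sample data. The account’s email address is not reproduced here, so the script matches on the `disabledsystemuser` username alone.

```python
"""Triage check for the 'disabledsystemuser' account left behind by
Questions for Confluence (CVE-2022-26138).

Added example, not Atlassian's tooling. It assumes user records have already
been exported from Confluence into UserRecord objects; the hosts below are
constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, Optional

# Username the app creates, taken from the advisory.
TARGET_USERNAME = "disabledsystemuser"


@dataclass
class UserRecord:
    username: str
    email: str
    active: bool
    last_success_login: Optional[datetime]  # None means never authenticated
    last_failed_login: Optional[datetime]


def find_account(records: Iterable[UserRecord]) -> Optional[UserRecord]:
    """Return the disabledsystemuser record if present (case-insensitive)."""
    for rec in records:
        if rec.username.strip().lower() == TARGET_USERNAME:
            return rec
    return None


def triage(records: Iterable[UserRecord]) -> dict:
    """Classify a host from its exported user records.

    absent           account not on the system, nothing to do
    present_used     account exists and has a successful login: treat as
                     possible exploitation, then disable or remove it
    present_disabled account exists but is already disabled: remediated,
                     though failed attempts still show it is being probed
    present_dormant  account exists, enabled, never logged in: disable or
                     remove it (uninstalling the app does not remove it)
    """
    acct = find_account(records)
    if acct is None:
        return {"status": "absent", "action": "none"}

    report = {
        "active": acct.active,
        "last_success_login": acct.last_success_login,
        "last_failed_login": acct.last_failed_login,
    }
    # A successful login is evidence regardless of the current active flag.
    if acct.last_success_login is not None:
        report["status"] = "present_used"
        report["action"] = "investigate as possible exploitation, then disable or remove"
    elif not acct.active:
        report["status"] = "present_disabled"
        report["action"] = "already disabled; keep it removed or disabled"
    else:
        report["status"] = "present_dormant"
        report["action"] = "disable or remove the account; uninstalling the app does not"
    return report


# Constructed sample exports for three hosts.
HOST_CLEAN = [
    UserRecord("admin", "admin@example.invalid", True,
               datetime(2022, 7, 20, 9, 0, tzinfo=timezone.utc), None),
]
HOST_DORMANT = HOST_CLEAN + [
    UserRecord("disabledsystemuser", "<placeholder>", True, None,
               datetime(2022, 7, 22, 1, 5, tzinfo=timezone.utc)),
]
HOST_USED = HOST_CLEAN + [
    UserRecord("DisabledSystemUser", "<placeholder>", True,
               datetime(2022, 7, 21, 3, 12, tzinfo=timezone.utc), None),
]
HOST_DISABLED = HOST_CLEAN + [
    UserRecord("disabledsystemuser", "<placeholder>", False, None, None),
]

if __name__ == "__main__":
    for name, host in [("clean", HOST_CLEAN), ("dormant", HOST_DORMANT),
                       ("used", HOST_USED), ("disabled", HOST_DISABLED)]:
        print(name, triage(host))
```

The `present_used` branch is checked before the active flag on purpose: an account that was disabled after someone had already authenticated with it still needs an incident review, not just the remediation step.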
The other two Atlassian vulnerabilities disclosed on Wednesday are also serious, affecting the following products:
- Bamboo Server and Data Center
- Bitbucket Server and Data Center
- Confluence Server and Data Center
- Crowd Server and Data Center
- Crucible
- Fisheye
- Jira Server and Data Center
- Jira Service Management Server and Data Center
Tracked as CVE-2022-26136 and CVE-2022-26137, these vulnerabilities make it possible for remote, unauthenticated attackers to bypass Servlet Filters used by first-party and third-party applications.
“The impact depends on which filters are used by each application and how the filters are used,” the company said. “Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all possible consequences of this vulnerability.”
Vulnerable Confluence servers have long been a favorite entry point for attackers looking to install ransomware, cryptominers and other forms of malware. The vulnerabilities Atlassian disclosed this week are serious enough that administrators should prioritize fully updating their systems, ideally before the weekend begins.