Atlassian: Patch Confluence Immediately After Hardcoded Password Breach
Customers of the Australian software company Atlassian have been advised to fix a serious flaw that allows remote attackers to log into unpatched Confluence Server and Data Center systems using hardcoded credentials.
The Questions for Confluence app (installed on over 8,000 servers) creates a disabledsystemuser account with a hardcoded password to help administrators migrate data from the app to Confluence Cloud, the company said this week.
The hardcoded password had been discovered and published, so Atlassian warned admins to patch their servers as quickly as possible, one day after releasing security updates for the vulnerability (tracked as CVE-2022-26138).
The hardcoded password was found and disclosed publicly on Twitter by an outside party. The company said on Thursday that it is crucial to fix this vulnerability promptly on affected systems: because the hardcoded password is now widely known, the issue is likely to be exploited in the wild. The warning is both timely and necessary, since threat actors holding this credential could log into vulnerable Confluence servers and view any content the confluence-users group has access to.
Atlassian advises either upgrading to a patched version of Questions for Confluence or deactivating/deleting the disabledsystemuser account to protect against possible attacks.
If the offending user account is present, updating the Questions for Confluence app to a fixed version (2.7.38 or later on the 2.7.x line, or a version later than 3.0.5) removes it.
To check whether a server is vulnerable to this hardcoded-credentials flaw, look for an active user account with the following details:
Identifier: disabledsystemuser
Email: [email protected]
Username: disabledsystemuser
To look for signs of exploitation, check the disabledsystemuser account's most recent authentication time using the steps below. If the result is null, the account is still active but has not been used to log in.
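A small triage helper, added here as an example (it is not Atlassian's tooling), that applies the version thresholds and the account and last-login checks described above to a set of servers; retrieving the app version, the user record and the last authentication time is assumed to be done separately (REST API, database or admin UI), the sample records are constructed, and 3.0.5 itself is treated as fixed, matching the fix versions in Atlassian's advisory.

```python
from datetime import datetime, timezone
from typing import Optional

# Identifier of the account the Questions for Confluence app creates (from the advisory).
FLAGGED_USERNAME = "disabledsystemuser"

def parse_version(version: str) -> tuple:
    """'2.7.38' -> (2, 7, 38); a non-numeric suffix ends the parse."""
    parts = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)

def is_fixed_version(version: str) -> bool:
    """Fixed releases: 2.7.38 and later on the 2.7.x line, 3.0.5 and later otherwise."""
    v = parse_version(version)
    if v[:2] == (2, 7):
        return v >= (2, 7, 38)
    return v >= (3, 0, 5)

def triage(app_version: Optional[str], account: Optional[dict],
           last_login: Optional[datetime]) -> str:
    """Classify one server: app_version is None if the app was uninstalled (which does
    NOT remove the account); account is the user record or None; last_login is the
    account's last successful authentication time or None."""
    present = (account is not None
               and account.get("username", "").lower() == FLAGGED_USERNAME
               and account.get("active", False))
    if not present:
        return "mitigated"  # account absent or disabled: the hardcoded credential is unusable
    if last_login is not None:
        return "possible-exploitation"  # the account has authenticated: investigate, then disable it
    if app_version is not None and is_fixed_version(app_version):
        return "inconsistent"  # a fixed version should have removed the account: check the upgrade
    return "vulnerable"  # account live but unused so far: patch or disable it now

# Constructed sample records (app version, user record, last login), not real server data.
SAMPLE_SERVERS = {
    "alpha": ("2.7.37", {"username": "disabledsystemuser", "active": True}, None),
    "bravo": ("3.0.2", {"username": "disabledsystemuser", "active": True},
              datetime(2022, 7, 22, 3, 14, tzinfo=timezone.utc)),
    "charlie": ("3.0.5", None, None),
    "delta": (None, {"username": "disabledsystemuser", "active": True}, None),
}

def triage_all(servers=None) -> dict:
    return {name: triage(*facts) for name, facts in (servers or SAMPLE_SERVERS).items()}
```

Server "delta" shows the case the advisory warns about: the app has been removed but the account is still live, so the server is still vulnerable.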
Furthermore, it is critical to note that removing the Questions for Confluence app from affected servers does not eliminate the attack vector (the hardcoded credentials), and that unpatched systems remain vulnerable to attack.
Confluence servers have previously been targeted by threat actors deploying crypto miners, the AvosLocker and Cerber2021 ransomware, and Linux botnet malware.